From 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:08:21 -0400 Subject: [PATCH] improve remount-secure --- usr/bin/remount-secure | 86 +++++++++++++++---- .../20remount-secure/remount-secure.sh | 26 ++---- 2 files changed, 75 insertions(+), 37 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 1c1d5b1..412cebe 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -21,11 +21,12 @@ init() { output_command=echo fi + $output_command "$0: INFO: START" + if [ "$(id -u)" != "0" ]; then $output_command "ERROR: must be run as root! sudo $0" exit 1 fi - $output_command "$0: INFO: START" mkdir --parents "/run/remount-secure" exit_code=0 @@ -33,16 +34,11 @@ init() { ## dracut sets NEWROOT=/sysroot [[ -v NEWROOT ]] || NEWROOT="" if [ "$NEWROOT" = "" ]; then - $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + $output_command "INFO: dracut detected: no" else $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" fi - ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" - ## Debugging. #echo "ls -la /root/" #ls -la / || true @@ -59,9 +55,30 @@ parse_options() { while : do case ${1:-} in - --remountnoexec) - $output_command "INFO: --remountnoexec" - noexec_maybe=",noexec" + 0) + $output_command "WARNING: Not using remount-secure." + exit 0 + shift + ;; + 1) + $output_command "INFO: level 1/3 (low)" + most_noexec_maybe="" + home_noexec_maybe="" + parsed=true + shift + ;; + 2) + $output_command "INFO: level 2/3 (medium)" + most_noexec_maybe=",noexec" + home_noexec_maybe="" + parsed=true + shift + ;; + 3) + $output_command "INFO: level 3/3 (high)" + most_noexec_maybe=",noexec" + home_noexec_maybe=",noexec" + parsed=true shift ;; --force) 
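Review bot: In the new `0)` arm of parse_options the `shift` placed after `exit 0` can never execute; drop it so the arm reads `0) $output_command "WARNING: Not using remount-secure."; exit 0 ;;`. Because the `while :` loop keeps consuming arguments and every level arm overwrites both `most_noexec_maybe` and `home_noexec_maybe` before shifting, a call such as `remount-secure 3 1` presumably ends at level 1, i.e. the last level given wins silently; if only one level is meant to be accepted, rejecting a second level argument (or a comment above the `case` stating the last-wins rule) would make the contract explicit. The remainder of parse_options continues in the following hunks.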
@@ -74,7 +91,7 @@ parse_options() { break ;; -*) - echo "unknown option: $1" >&2 + echo "ERROR: unknown option: $1" >&2 exit 1 ;; *) @@ -83,8 +100,38 @@ parse_options() { esac done - [[ -v noexec_maybe ]] || noexec_maybe="" [[ -v option_force ]] || option_force="" + [[ -v parsed ]] || parsed=false + [[ -v home_noexec_maybe ]] || home_noexec_maybe="" + [[ -v most_noexec_maybe ]] || most_noexec_maybe="" + + $output_command "INFO: using nosuid,nodev: yes" + + if [ "$home_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for all: no" + else + $output_command "INFO: using noexec for all: yes" + return 0 + fi + + if [ "$most_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for most: no" + else + $output_command "INFO: using noexec for most (not all): yes" + return 0 + fi + + if [ "$parsed" = "true" ]; then + return 0 + fi + + $output_command "ERROR: syntax error. use either: +$0 0 +$0 1 +$0 2 +$0 3" + + exit 1 } remount_secure() { @@ -153,7 +200,7 @@ _boot() { _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -167,13 +214,13 @@ _dev() { _dev_shm() { mount_folder="/dev/shm" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _tmp() { mount_folder="$NEWROOT/tmp" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -187,7 +234,7 @@ _var() { _var_tmp() { mount_folder="/var/tmp" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } 
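Review bot: The syntax-error path added at the end of parse_options reports through `$output_command` and then `exit 1`, whereas the unknown-option path in the preceding hunk writes `echo "ERROR: unknown option: $1" >&2`; both are fatal usage errors and should use the same channel, e.g. append `>&2` to the `$output_command "ERROR: syntax error. ..."` call or switch it to the same `echo ... >&2` form, so the message is not lost when `$output_command` is a logger that does not write to stderr. Note also that an invocation with no level argument now ends here with "syntax error" instead of the earlier "Not using remount-secure" warning, which is exactly what the dracut hook in this commit produces whenever the kernel command line carries no `remountsecure=` entry; a comment above the error such as `## A missing level is deliberately a hard error; the dracut hook passes the raw remountsecure= value.` would help the next reader. The `*)` arm that handles an empty `$1` is outside this hunk, so the no-argument behaviour is inferred from the `parsed=false` default.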
@@ -207,7 +254,7 @@ _lib() { _home() { mount_folder="$NEWROOT/home" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" remount_secure } @@ -224,6 +271,11 @@ main() { init parse_options "$@" + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" + $output_command "" + _boot _run _dev diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 1a5ae15..b742dda 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -9,29 +9,15 @@ remount_hook() { local remountsecure_action ## getarg returns the last parameter only. - ## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins. + ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. remountsecure_action=$(getarg remountsecure) - if [ "$remountsecure_action" = "1" ]; then - if ! remount-secure; then - warn "$0: ERROR: 'remount-secure' failed." - return 1 - fi - info "$0: INFO: 'remount-secure' success." - return 0 + if ! remount-secure $remountsecure_action; then + warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." + return 1 fi - - if [ "$remountsecure_action" = "noexec" ]; then - if ! remount-secure --remountnoexec; then - warn "$0: ERROR: 'remount-secure --remountnoexec' failed." - return 1 - fi - info "$0: INFO: 'remount-secure --remountnoexec' success." - return 0 - fi - - warn "$0: WARNING: Not using remount-secure." - return 1 + info "$0: INFO: 'remount-secure $remountsecure_action' success." + return 0 } remount_hook
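Review bot: `remount-secure $remountsecure_action` passes the kernel-command-line value unquoted, so it is subject to word splitting and globbing (ShellCheck SC2086); use `remount-secure "$remountsecure_action"` and let the script's own `case` validate the value. The removed code treated an absent or unrecognised `remountsecure=` value as "Not using remount-secure" with `return 1`; with the new code that case surfaces as `ERROR: 'remount-secure ' failed.` with an empty value in the message, so a guard before the call such as `[ -n "$remountsecure_action" ] || { warn "$0: WARNING: remountsecure= not set, not using remount-secure."; return 1; }` would keep the initramfs log readable. The same empty-value wording affects the `info` success message on the following line. The body of remount_hook is fully inside this hunk.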