improve remount-secure

This commit is contained in:
Patrick Schleizer 2023-10-22 16:08:21 -04:00
parent 555d83792d
commit 5182d7502b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 75 additions and 37 deletions


@ -21,11 +21,12 @@ init() {
output_command=echo output_command=echo
fi fi
$output_command "$0: INFO: START"
if [ "$(id -u)" != "0" ]; then if [ "$(id -u)" != "0" ]; then
$output_command "ERROR: must be run as root! sudo $0" $output_command "ERROR: must be run as root! sudo $0"
exit 1 exit 1
fi fi
$output_command "$0: INFO: START"
mkdir --parents "/run/remount-secure" mkdir --parents "/run/remount-secure"
exit_code=0 exit_code=0
@ -33,16 +34,11 @@ init() {
## dracut sets NEWROOT=/sysroot ## dracut sets NEWROOT=/sysroot
[[ -v NEWROOT ]] || NEWROOT="" [[ -v NEWROOT ]] || NEWROOT=""
if [ "$NEWROOT" = "" ]; then if [ "$NEWROOT" = "" ]; then
$output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" $output_command "INFO: dracut detected: no"
else else
$output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'"
fi fi
## Debugging.
$output_command "INFO: 'findmnt --list' output at the START."
$output_command "$(findmnt --list)"
$output_command ""
## Debugging. ## Debugging.
#echo "ls -la /root/" #echo "ls -la /root/"
#ls -la / || true #ls -la / || true
@ -59,9 +55,30 @@ parse_options() {
while : while :
do do
case ${1:-} in case ${1:-} in
--remountnoexec) 0)
$output_command "INFO: --remountnoexec" $output_command "WARNING: Not using remount-secure."
noexec_maybe=",noexec" exit 0
shift
;;
1)
$output_command "INFO: level 1/3 (low)"
most_noexec_maybe=""
home_noexec_maybe=""
parsed=true
shift
;;
2)
$output_command "INFO: level 2/3 (medium)"
most_noexec_maybe=",noexec"
home_noexec_maybe=""
parsed=true
shift
;;
3)
$output_command "INFO: level 3/3 (high)"
most_noexec_maybe=",noexec"
home_noexec_maybe=",noexec"
parsed=true
shift shift
;; ;;
--force) --force)
@ -74,7 +91,7 @@ parse_options() {
break break
;; ;;
-*) -*)
echo "unknown option: $1" >&2 echo "ERROR: unknown option: $1" >&2
exit 1 exit 1
;; ;;
*) *)
@ -83,8 +100,38 @@ parse_options() {
esac esac
done done
[[ -v noexec_maybe ]] || noexec_maybe=""
[[ -v option_force ]] || option_force="" [[ -v option_force ]] || option_force=""
[[ -v parsed ]] || parsed=false
[[ -v home_noexec_maybe ]] || home_noexec_maybe=""
[[ -v most_noexec_maybe ]] || most_noexec_maybe=""
$output_command "INFO: using nosuid,nodev: yes"
if [ "$home_noexec_maybe" = "" ]; then
$output_command "INFO: using noexec for all: no"
else
$output_command "INFO: using noexec for all: yes"
return 0
fi
if [ "$most_noexec_maybe" = "" ]; then
$output_command "INFO: using noexec for most: no"
else
$output_command "INFO: using noexec for most (not all): yes"
return 0
fi
if [ "$parsed" = "true" ]; then
return 0
fi
$output_command "ERROR: syntax error. use either:
$0 0
$0 1
$0 2
$0 3"
exit 1
} }
remount_secure() { remount_secure() {
@ -153,7 +200,7 @@ _boot() {
_run() { _run() {
mount_folder="/run" mount_folder="/run"
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
intended_mount_options="nosuid,nodev${noexec_maybe}" intended_mount_options="nosuid,nodev${most_noexec_maybe}"
remount_secure remount_secure
} }
@ -167,13 +214,13 @@ _dev() {
_dev_shm() { _dev_shm() {
mount_folder="/dev/shm" mount_folder="/dev/shm"
intended_mount_options="nosuid,nodev${noexec_maybe}" intended_mount_options="nosuid,nodev${most_noexec_maybe}"
remount_secure remount_secure
} }
_tmp() { _tmp() {
mount_folder="$NEWROOT/tmp" mount_folder="$NEWROOT/tmp"
intended_mount_options="nosuid,nodev${noexec_maybe}" intended_mount_options="nosuid,nodev${most_noexec_maybe}"
remount_secure remount_secure
} }
@ -187,7 +234,7 @@ _var() {
_var_tmp() { _var_tmp() {
mount_folder="/var/tmp" mount_folder="/var/tmp"
intended_mount_options="nosuid,nodev${noexec_maybe}" intended_mount_options="nosuid,nodev${most_noexec_maybe}"
remount_secure remount_secure
} }
@ -207,7 +254,7 @@ _lib() {
_home() { _home() {
mount_folder="$NEWROOT/home" mount_folder="$NEWROOT/home"
intended_mount_options="nosuid,nodev${noexec_maybe}" intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure remount_secure
} }
@ -224,6 +271,11 @@ main() {
init init
parse_options "$@" parse_options "$@"
## Debugging.
$output_command "INFO: 'findmnt --list' output at the START."
$output_command "$(findmnt --list)"
$output_command ""
_boot _boot
_run _run
_dev _dev
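Review bot: The usage message added at the end of parse_options lists `$0 0` through `$0 3` but nothing in the hunk says what a level does or that `--force` is accepted alongside a level, so the next reader has to trace home_noexec_maybe and most_noexec_maybe into the `_*` mount helpers to find out. I would put a short header comment above parse_options() describing the levels as the new arms implement them: 0 prints a warning and exits without remounting, 1 applies nosuid,nodev only, 2 additionally sets noexec on the mounts built from most_noexec_maybe (at least /run, /dev/shm, /tmp and /var/tmp in the hunks shown), 3 also sets noexec on $NEWROOT/home, and `--force` may be combined with a level. A non-numeric, non-dash argument falls into the `*)` arm whose body lies outside this hunk; since parsed stays false the trailing syntax-error exit still fires, which is the fail-closed behaviour one wants, but the comment should state that only 0–3 are valid so nobody later treats the `*)` path as an accepted input. parse_options begins before the first visible line of this hunk.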


@ -9,29 +9,15 @@
remount_hook() { remount_hook() {
local remountsecure_action local remountsecure_action
## getarg returns the last parameter only. ## getarg returns the last parameter only.
## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins. ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins.
remountsecure_action=$(getarg remountsecure) remountsecure_action=$(getarg remountsecure)
if [ "$remountsecure_action" = "1" ]; then if ! remount-secure $remountsecure_action; then
if ! remount-secure; then warn "$0: ERROR: 'remount-secure $remountsecure_action' failed."
warn "$0: ERROR: 'remount-secure' failed."
return 1 return 1
fi fi
info "$0: INFO: 'remount-secure' success." info "$0: INFO: 'remount-secure $remountsecure_action' success."
return 0 return 0
fi
if [ "$remountsecure_action" = "noexec" ]; then
if ! remount-secure --remountnoexec; then
warn "$0: ERROR: 'remount-secure --remountnoexec' failed."
return 1
fi
info "$0: INFO: 'remount-secure --remountnoexec' success."
return 0
fi
warn "$0: WARNING: Not using remount-secure."
return 1
} }
remount_hook remount_hook
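Review bot: remount_hook now hands whatever `getarg remountsecure` returns straight to `remount-secure $remountsecure_action`, and the empty case is no longer handled in the hook: when the kernel command line carries no remountsecure= parameter the script is invoked with no argument, reaches parse_options' syntax-error path and exits 1, so the hook logs `ERROR: 'remount-secure ' failed.` for what is really "not configured", whereas the removed code reported that case as a WARNING. I would restore the distinction before the call: `if [ -z "$remountsecure_action" ]; then warn "$0: WARNING: remountsecure= not set, not using remount-secure."; return 1; fi`. The unquoted expansion is presumably deliberate so that an empty value passes zero arguments rather than one empty string (dracut hooks run under a POSIX sh, so there is no array to pass), but that deserves a one-line comment, e.g. `## Unquoted on purpose: an empty value must pass no argument at all.`. Note also that `remountsecure=0` now makes the script exit 0 and the hook return 0 with a success message, while the old hook returned 1 for that case; if anything downstream keys on the hook's status this is a behaviour change worth stating in the commit message.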