mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
improve remount-secure
This commit is contained in:
parent
555d83792d
commit
5182d7502b
@ -21,11 +21,12 @@ init() {
|
|||||||
output_command=echo
|
output_command=echo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
$output_command "$0: INFO: START"
|
||||||
|
|
||||||
if [ "$(id -u)" != "0" ]; then
|
if [ "$(id -u)" != "0" ]; then
|
||||||
$output_command "ERROR: must be run as root! sudo $0"
|
$output_command "ERROR: must be run as root! sudo $0"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
$output_command "$0: INFO: START"
|
|
||||||
|
|
||||||
mkdir --parents "/run/remount-secure"
|
mkdir --parents "/run/remount-secure"
|
||||||
exit_code=0
|
exit_code=0
|
||||||
@ -33,16 +34,11 @@ init() {
|
|||||||
## dracut sets NEWROOT=/sysroot
|
## dracut sets NEWROOT=/sysroot
|
||||||
[[ -v NEWROOT ]] || NEWROOT=""
|
[[ -v NEWROOT ]] || NEWROOT=""
|
||||||
if [ "$NEWROOT" = "" ]; then
|
if [ "$NEWROOT" = "" ]; then
|
||||||
$output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'"
|
$output_command "INFO: dracut detected: no"
|
||||||
else
|
else
|
||||||
$output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'"
|
$output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## Debugging.
|
|
||||||
$output_command "INFO: 'findmnt --list' output at the START."
|
|
||||||
$output_command "$(findmnt --list)"
|
|
||||||
$output_command ""
|
|
||||||
|
|
||||||
## Debugging.
|
## Debugging.
|
||||||
#echo "ls -la /root/"
|
#echo "ls -la /root/"
|
||||||
#ls -la / || true
|
#ls -la / || true
|
||||||
@ -59,9 +55,30 @@ parse_options() {
|
|||||||
while :
|
while :
|
||||||
do
|
do
|
||||||
case ${1:-} in
|
case ${1:-} in
|
||||||
--remountnoexec)
|
0)
|
||||||
$output_command "INFO: --remountnoexec"
|
$output_command "WARNING: Not using remount-secure."
|
||||||
noexec_maybe=",noexec"
|
exit 0
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
$output_command "INFO: level 1/3 (low)"
|
||||||
|
most_noexec_maybe=""
|
||||||
|
home_noexec_maybe=""
|
||||||
|
parsed=true
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
$output_command "INFO: level 2/3 (medium)"
|
||||||
|
most_noexec_maybe=",noexec"
|
||||||
|
home_noexec_maybe=""
|
||||||
|
parsed=true
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
$output_command "INFO: level 3/3 (high)"
|
||||||
|
most_noexec_maybe=",noexec"
|
||||||
|
home_noexec_maybe=",noexec"
|
||||||
|
parsed=true
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--force)
|
--force)
|
||||||
@ -74,7 +91,7 @@ parse_options() {
|
|||||||
break
|
break
|
||||||
;;
|
;;
|
||||||
-*)
|
-*)
|
||||||
echo "unknown option: $1" >&2
|
echo "ERROR: unknown option: $1" >&2
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -83,8 +100,38 @@ parse_options() {
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
[[ -v noexec_maybe ]] || noexec_maybe=""
|
|
||||||
[[ -v option_force ]] || option_force=""
|
[[ -v option_force ]] || option_force=""
|
||||||
|
[[ -v parsed ]] || parsed=false
|
||||||
|
[[ -v home_noexec_maybe ]] || home_noexec_maybe=""
|
||||||
|
[[ -v most_noexec_maybe ]] || most_noexec_maybe=""
|
||||||
|
|
||||||
|
$output_command "INFO: using nosuid,nodev: yes"
|
||||||
|
|
||||||
|
if [ "$home_noexec_maybe" = "" ]; then
|
||||||
|
$output_command "INFO: using noexec for all: no"
|
||||||
|
else
|
||||||
|
$output_command "INFO: using noexec for all: yes"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$most_noexec_maybe" = "" ]; then
|
||||||
|
$output_command "INFO: using noexec for most: no"
|
||||||
|
else
|
||||||
|
$output_command "INFO: using noexec for most (not all): yes"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$parsed" = "true" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
$output_command "ERROR: syntax error. use either:
|
||||||
|
$0 0
|
||||||
|
$0 1
|
||||||
|
$0 2
|
||||||
|
$0 3"
|
||||||
|
|
||||||
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
remount_secure() {
|
remount_secure() {
|
||||||
@ -153,7 +200,7 @@ _boot() {
|
|||||||
_run() {
|
_run() {
|
||||||
mount_folder="/run"
|
mount_folder="/run"
|
||||||
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
|
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
|
||||||
intended_mount_options="nosuid,nodev${noexec_maybe}"
|
intended_mount_options="nosuid,nodev${most_noexec_maybe}"
|
||||||
remount_secure
|
remount_secure
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -167,13 +214,13 @@ _dev() {
|
|||||||
|
|
||||||
_dev_shm() {
|
_dev_shm() {
|
||||||
mount_folder="/dev/shm"
|
mount_folder="/dev/shm"
|
||||||
intended_mount_options="nosuid,nodev${noexec_maybe}"
|
intended_mount_options="nosuid,nodev${most_noexec_maybe}"
|
||||||
remount_secure
|
remount_secure
|
||||||
}
|
}
|
||||||
|
|
||||||
_tmp() {
|
_tmp() {
|
||||||
mount_folder="$NEWROOT/tmp"
|
mount_folder="$NEWROOT/tmp"
|
||||||
intended_mount_options="nosuid,nodev${noexec_maybe}"
|
intended_mount_options="nosuid,nodev${most_noexec_maybe}"
|
||||||
remount_secure
|
remount_secure
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -187,7 +234,7 @@ _var() {
|
|||||||
|
|
||||||
_var_tmp() {
|
_var_tmp() {
|
||||||
mount_folder="/var/tmp"
|
mount_folder="/var/tmp"
|
||||||
intended_mount_options="nosuid,nodev${noexec_maybe}"
|
intended_mount_options="nosuid,nodev${most_noexec_maybe}"
|
||||||
remount_secure
|
remount_secure
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -207,7 +254,7 @@ _lib() {
|
|||||||
|
|
||||||
_home() {
|
_home() {
|
||||||
mount_folder="$NEWROOT/home"
|
mount_folder="$NEWROOT/home"
|
||||||
intended_mount_options="nosuid,nodev${noexec_maybe}"
|
intended_mount_options="nosuid,nodev${home_noexec_maybe}"
|
||||||
remount_secure
|
remount_secure
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -224,6 +271,11 @@ main() {
|
|||||||
init
|
init
|
||||||
parse_options "$@"
|
parse_options "$@"
|
||||||
|
|
||||||
|
## Debugging.
|
||||||
|
$output_command "INFO: 'findmnt --list' output at the START."
|
||||||
|
$output_command "$(findmnt --list)"
|
||||||
|
$output_command ""
|
||||||
|
|
||||||
_boot
|
_boot
|
||||||
_run
|
_run
|
||||||
_dev
|
_dev
|
||||||
|
@ -9,29 +9,15 @@
|
|||||||
remount_hook() {
|
remount_hook() {
|
||||||
local remountsecure_action
|
local remountsecure_action
|
||||||
## getarg returns the last parameter only.
|
## getarg returns the last parameter only.
|
||||||
## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins.
|
## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins.
|
||||||
remountsecure_action=$(getarg remountsecure)
|
remountsecure_action=$(getarg remountsecure)
|
||||||
|
|
||||||
if [ "$remountsecure_action" = "1" ]; then
|
if ! remount-secure $remountsecure_action; then
|
||||||
if ! remount-secure; then
|
warn "$0: ERROR: 'remount-secure $remountsecure_action' failed."
|
||||||
warn "$0: ERROR: 'remount-secure' failed."
|
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
info "$0: INFO: 'remount-secure' success."
|
info "$0: INFO: 'remount-secure $remountsecure_action' success."
|
||||||
return 0
|
return 0
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$remountsecure_action" = "noexec" ]; then
|
|
||||||
if ! remount-secure --remountnoexec; then
|
|
||||||
warn "$0: ERROR: 'remount-secure --remountnoexec' failed."
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
info "$0: INFO: 'remount-secure --remountnoexec' success."
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
warn "$0: WARNING: Not using remount-secure."
|
|
||||||
return 1
|
|
||||||
}
|
}
|
||||||
|
|
||||||
remount_hook
|
remount_hook
|
||||||
|
Loading…
Reference in New Issue
Block a user