From 95d1cfb4a03afc987cf89bb0f4cd6d2f1ad431b1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 5 Nov 2023 20:49:36 -0500
Subject: [PATCH] Revert "remove no longer required remount-service systemd unit"

This reverts commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073.

https://github.com/Kicksecure/security-misc/pull/152
---
 .../system-preset/50-security-misc.preset | 3 +++
 lib/systemd/system/remount-secure.service | 21 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 lib/systemd/system/remount-secure.service

diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset
index aee8b99..be35459 100644
--- a/lib/systemd/system-preset/50-security-misc.preset
+++ b/lib/systemd/system-preset/50-security-misc.preset
@@ -7,5 +7,8 @@ disable hide-hardware-info.service
 ## Disable for now until development finished / tested.
 disable permission-hardening.service
 
+## Disable for now until development finished / tested.
+disable remount-secure.service
+
 ## Disable due to pkexec issues.
 disable proc-hidepid.service
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
new file mode 100644
index 0000000..ba6e017
--- /dev/null
+++ b/lib/systemd/system/remount-secure.service
@@ -0,0 +1,21 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
+Documentation=https://github.com/Kicksecure/security-misc
+
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+After=qubes-sysinit.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/remount-secure
+
+[Install]
+WantedBy=sysinit.target
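Review bot: The comment added above `disable remount-secure.service` in 50-security-misc.preset repeats the generic "Disable for now until development finished / tested." and does not say what that means for the system's mount hardening. Where this preset is honoured, the unit stays disabled, so the nosuid,nodev remount of /home, /tmp, /dev/shm and /run is presumably not applied on a default install. The unit's own Description labels nosuid,nodev as "(default)", which is easy to misread as "active by default". I would make the comment explicit, for example `## Not enabled by default: the remount hardening only applies after 'systemctl enable remount-secure.service'.`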
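Review bot: In the new remount-secure.service, a non-zero exit from `/usr/bin/remount-secure` only marks this oneshot unit as failed; `WantedBy=sysinit.target` installs a Wants= dependency, so boot continues and the file systems keep whatever options they were mounted with. For a hardening unit that fail-open behaviour deserves a comment in `[Service]`, e.g. `## Failure does not stop boot: check 'systemctl is-failed remount-secure.service' and 'findmnt /tmp' to confirm the options were applied.` The ordering line `After=qubes-sysinit.service` is also unexplained; a one-line comment saying why the Qubes unit has to run first would help the next reader. The script itself is not part of this patch, so how it behaves when only some of the remounts succeed cannot be judged from here.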