remount /lib with nosuid,nodev

https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22
2025-02-17 17:04:09 -05:00 · 2019-12-20 05:27:11 -05:00 · 2019-12-20 05:27:11 -05:00 · af0f074987
commit af0f074987
parent 7f20160477
1 changed files with 10 additions and 0 deletions
--- a/usr/lib/security-misc/remount-secure
+++ b/usr/lib/security-misc/remount-secure
@ -76,6 +76,15 @@ securityfs() {
   touch "/var/run/remount-secure/${FUNCNAME}"
 }

+lib() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   ## Not using noexec on /lib.
+   mount -o nosuid,nodev --bind /lib /lib || exit_code=7
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
 end() {
   exit $exit_code
 }
@ -86,6 +95,7 @@ main() {
   shm "$@"
   tmp "$@"
   securityfs "$@"
+   lib "$@"
   end "$@"
 }