implement remount-secure

Patrick Schleizer 2023-10-22 09:36:03 -04:00
parent f472ce690a
commit c409e3221e
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 56 additions and 37 deletions


@ -0,0 +1,10 @@
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
## Re-mount with nodev, nosuid.
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
## Re-mount with nodev, nosuid, noexec.
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1"


@ -13,51 +13,52 @@ set -e
set -o pipefail
set -o nounset
## Not simple with dracut.
# if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
# ## pre.bsh would `source` the following folders:
# ## /etc/remount-secure_pre.d/*.conf
# ## /usr/local/etc/remount-secure_pre.d/*.conf
# # shellcheck disable=SC1091
# source /usr/libexec/helper-scripts/pre.bsh
# fi
if test -o xtrace ; then
output_command=true
else
output_command=echo
fi
if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then
$output_command "INFO: file /etc/remount-disable exists. Doing nothing."
exit 0
fi
if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then
noexec=false
$output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists."
else
if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then
noexec=true
$output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists."
else
$output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist."
fi
fi
mkdir --parents "/var/run/remount-secure"
[[ -v noexec ]] || noexec=""
[[ -v noexec_maybe ]] || noexec_maybe=""
if [ "$noexec" = "true" ]; then
noexec_maybe=",noexec"
fi
mkdir --parents "/run/remount-secure"
exit_code=0
mount_output="$(mount)"
parse_options() {
## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/035
while :
do
case ${1:-} in
--remountnoexec)
$output_command "INFO: --remountnoexec"
noexec_maybe=",noexec"
shift
;;
--force)
$output_command "INFO: --force"
option_force=true
shift
;;
--)
shift
break
;;
-*)
echo "unknown option: $1" >&2
exit 1
;;
*)
break
;;
esac
done
[[ -v noexec_maybe ]] || noexec_maybe=""
}
remount_secure() {
## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
## which called this function.
@ -78,7 +79,7 @@ remount_secure() {
## When this package is upgraded, the systemd unit will run again.
## If the user meanwhile manually relaxed mount options, this should not be undone.
if [ "${1:-}" == "--force" ]; then
if [ "$option_force" == "true" ]; then
if [ -e "$status_file_full_path" ]; then
$output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want."
return 0
@ -137,6 +138,7 @@ end() {
}
main() {
parse_options "$@"
_home "$@"
_run "$@"
_dev_shm "$@"
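Review bot: `option_force` is assigned only in the `--force` arm of `parse_options`, but the force check in `remount_secure` (second hunk) now reads `"$option_force"` unconditionally while the script runs under `set -o nounset`. Unless the variable is initialised somewhere outside these hunks, a run without `--force` would stop on the unbound variable before any mount point is remounted, so none of the hardening is applied. `parse_options` already ends with a default for `noexec_maybe`; adding `[[ -v option_force ]] || option_force=""` beside it would cover this case. The bodies of `remount_secure` and `main` continue outside the hunks.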


@ -3,15 +3,22 @@
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This script is intended to remount specified mount points with more secure
## options based on kernel command line parameters.
remount_hook() {
local remount_action
remount_action=$(getarg remountsecure)
if [ ! "$remount_action" = "yes" ]; then
if getargbool 1 remountnoexec; then
remount-secure --remountnoexec
return 0
fi
remount-secure
if getargbool 1 remountsecure; then
remount-secure
return 0
fi
}
remount_hook
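Review bot: Both tests in `remount_hook` pass `1` as the default to `getargbool`, and as far as I know dracut's helper falls back to that first argument when the parameter is absent from the kernel command line, so `getargbool 1 remountnoexec` would succeed on a system that never set either option. That would run `remount-secure --remountnoexec` on every boot, which does not match the GRUB snippet added in this commit, where `remountsecure=1` and `remountnoexec=1` are both commented out as opt-in. The `remountsecure` branch would then only be reached after an explicit `remountnoexec=0`. If opt-in is intended, use `if getargbool 0 remountnoexec; then` and `if getargbool 0 remountsecure; then`. A short comment above each test stating the default would also help, e.g. `## Off unless remountnoexec=1 is on the kernel command line.`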