disable remount-secure dracut modules

pending new systemd based implementation https://github.com/Kicksecure/security-misc/pull/152
2025-05-02 08:36:03 -04:00 · 2023-11-05 15:27:09 -05:00 · 2023-11-05 15:27:09 -05:00 · d4494fd3c3
commit d4494fd3c3
parent 949c163370
2 changed files with 0 additions and 0 deletions
--- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh
+++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh
@ -0,0 +1,44 @@
+#!/bin/bash
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+# called by dracut
+check() {
+    ## For debugging only.
+    ## Saving space in initial ramdisk.
+    #require_binaries id || return 1
+    #require_binaries env || return 1
+
+    require_binaries findmnt || return 1
+    require_binaries touch || return 1
+    require_binaries grep || return 1
+    require_binaries mount || return 1
+    require_binaries remount-secure || return 1
+    return 0
+}
+
+# called by dracut
+depends() {
+    return 0
+}
+
+# called by dracut
+install() {
+    ## For debugging only.
+    ## Saving space in initial ramdisk.
+    #inst_multiple id
+    #inst_multiple env
+
+    inst_multiple findmnt
+    inst_multiple touch
+    inst_multiple grep
+    inst_multiple mount
+    inst_multiple remount-secure
+    inst_hook cleanup 90 "$moddir/remount-secure.sh"
+}
+
+# called by dracut
+installkernel() {
+    return 0
+}
--- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh
+++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh
@ -0,0 +1,23 @@
+#!/bin/sh
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This script is intended to remount specified mount points with more secure
+## options based on kernel command line parameters.
+
+remount_hook() {
+   local remountsecure_action
+   ## getarg returns the last parameter only.
+   ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins.
+   remountsecure_action=$(getarg remountsecure)
+
+   if ! remount-secure $remountsecure_action; then
+      warn "$0: ERROR: 'remount-secure $remountsecure_action' failed."
+      return 1
+   fi
+   info "$0: INFO: 'remount-secure $remountsecure_action' success."
+   return 0
+}
+
+remount_hook