Protect /bin/mount from 'chmod -x'.

/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist

Remove SUID from 'mount' but keep executable.

/bin/mount 745 root root
/usr/bin/mount 745 root root

https://forums.whonix.org/t/disable-suid-binaries/7706/61

etc/permission-hardening.d/30_default.conf

@@ -41,6 +41,12 @@
 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
 /usr/lib/chromium/chrome-sandbox exactwhitelist
 
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+
 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
@@ -92,6 +98,11 @@ dbus-daemon-launch-helper matchwhitelist
 # Permission Hardening
 ######################################################################
 
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 745 root root
+/usr/bin/mount 745 root root
+
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root