remount /sys/kernel/security with nodev,nosuid[,noexec]

as suggested by @madaidan http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2024-10-01 08:25:45 -04:00 · 2019-12-16 03:52:09 -05:00 · 2019-12-16 03:52:09 -05:00 · f68efd53cf
commit f68efd53cf
parent 2c4170e6f3
1 changed files with 9 additions and 0 deletions
--- a/usr/lib/security-misc/remount-secure
+++ b/usr/lib/security-misc/remount-secure
@ -68,6 +68,14 @@ tmp() {
   touch "/var/run/remount-secure/${FUNCNAME}"
 }

+securityfs() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   mount -o nosuid,nodev${noexec_maybe} --bind /tmp /tmp || exit_code=5
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
 end() {
   exit $exit_code
 }
@ -77,6 +85,7 @@ main() {
   run "$@"
   shm "$@"
   tmp "$@"
+   securityfs "$@"
   end "$@"
 }