From f68efd53cf000b92818e6c97b4c590a2c4b73a5b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 16 Dec 2019 03:52:09 -0500
Subject: [PATCH] remount /sys/kernel/security with nodev,nosuid[,noexec] as suggested by @madaidan http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
---
 usr/lib/security-misc/remount-secure | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure
index b90ef80..d293efc 100755
--- a/usr/lib/security-misc/remount-secure
+++ b/usr/lib/security-misc/remount-secure
@@ -68,6 +68,14 @@ tmp() {
    touch "/var/run/remount-secure/${FUNCNAME}"
 }
+securityfs() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   mount -o nosuid,nodev${noexec_maybe} --bind /tmp /tmp || exit_code=5
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
 end() {
    exit $exit_code
 }
@@ -77,6 +85,7 @@ main() {
    run "$@"
    shm "$@"
    tmp "$@"
+   securityfs "$@"
    end "$@"
 }
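Review bot: The mount line in the new securityfs() still bind-remounts `/tmp /tmp`, so the function re-applies tmp()'s options to /tmp and never touches /sys/kernel/security, the target the commit subject names, while the marker file it then creates records a remount that did not happen. The line should read `mount -o nosuid,nodev${noexec_maybe} --bind /sys/kernel/security /sys/kernel/security || exit_code=5`. If `exit_code=5` is also what tmp() assigns (its body starts outside the hunk), a failure here is indistinguishable from a /tmp failure in the final exit status, so a distinct code is worth considering. Whether `-o nosuid,nodev --bind` in a single invocation applies the flags depends on the util-linux version — older releases ignore options on a plain bind and need a follow-up `mount -o remount,bind,...` — so verifying the resulting mount options (for example with findmnt) before touching the marker would make the guard trustworthy. The `securityfs "$@"` call added to main() in the second hunk is fine as is.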