mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-06-04 22:28:49 -04:00
110 lines
2.9 KiB
Bash
Executable file
110 lines
2.9 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## noexec in /tmp and/or /home can break some malware but also legitimate
|
|
## applications.
|
|
|
|
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
|
|
|
|
set -e
|
|
|
|
if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
|
|
## pre.bsh would `source` the following folders:
|
|
## /etc/remount-secure_pre.d/*.conf
|
|
## /usr/local/etc/remount-secure_pre.d/*.conf
|
|
source /usr/lib/helper-scripts/pre.bsh
|
|
fi
|
|
|
|
if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then
|
|
echo "$0: INFO: file /etc/remount-disable exists. Doing nothing."
|
|
exit 0
|
|
fi
|
|
|
|
if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then
|
|
noexec=true
|
|
echo "$0: INFO: Will remount with noexec because file /etc/noexec exists."
|
|
else
|
|
echo "$0: INFO: Will not remount with noexec because file /etc/noexec does not exist."
|
|
fi
|
|
|
|
mkdir --parents "/var/run/remount-secure"
|
|
|
|
if [ "$noexec" = "true" ]; then
|
|
noexec_maybe=",noexec"
|
|
fi
|
|
|
|
exit_code=0
|
|
|
|
home() {
|
|
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
|
|
return 0
|
|
fi
|
|
new_mount_options="nosuid,nodev${noexec_maybe}"
|
|
mount -o "remount,${new_mount_options}" /home || exit_code=2
|
|
touch "/var/run/remount-secure/${FUNCNAME}"
|
|
}
|
|
|
|
run() {
|
|
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
|
|
return 0
|
|
fi
|
|
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
|
|
new_mount_options="nosuid,nodev${noexec_maybe}"
|
|
mount -o "remount,${new_mount_options}" /run || exit_code=3
|
|
touch "/var/run/remount-secure/${FUNCNAME}"
|
|
}
|
|
|
|
shm() {
|
|
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
|
|
return 0
|
|
fi
|
|
new_mount_options="nosuid,nodev${noexec_maybe}"
|
|
mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4
|
|
touch "/var/run/remount-secure/${FUNCNAME}"
|
|
}
|
|
|
|
tmp() {
|
|
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
|
|
return 0
|
|
fi
|
|
new_mount_options="nosuid,nodev${noexec_maybe}"
|
|
mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5
|
|
touch "/var/run/remount-secure/${FUNCNAME}"
|
|
}
|
|
|
|
securityfs() {
|
|
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
|
|
return 0
|
|
fi
|
|
new_mount_options="nosuid,nodev${noexec_maybe}"
|
|
mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6
|
|
touch "/var/run/remount-secure/${FUNCNAME}"
|
|
}
|
|
|
|
lib() {
|
|
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
|
|
return 0
|
|
fi
|
|
## Not using noexec on /lib.
|
|
new_mount_options="nosuid,nodev"
|
|
mount -o "$new_mount_options" --bind /lib /lib || exit_code=7
|
|
touch "/var/run/remount-secure/${FUNCNAME}"
|
|
}
|
|
|
|
end() {
|
|
exit $exit_code
|
|
}
|
|
|
|
main() {
|
|
home "$@"
|
|
run "$@"
|
|
shm "$@"
|
|
tmp "$@"
|
|
securityfs "$@"
|
|
lib "$@"
|
|
end "$@"
|
|
}
|
|
|
|
main "$@"
|