remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noex…

…ec (opt-in) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
Kicksecure · Dec 6, 2019 · 470cad6 · 470cad6
1 parent 8cf5ed9
commit 470cad6
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 0 deletions.
diff --git a/debian/control b/debian/control
@@ -135,6 +135,12 @@ Description: enhances misc security settings
   * p8022 - IEEE 802.2
  .
  user restrictions:
+ .
+  * remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
+ noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
+ opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
+ /lib/systemd/system/remount-secure.service
+ /usr/lib/security-misc/remount-secure
  .
   * A systemd service mounts /proc with hidepid=2 at boot to prevent users from
  seeing each other's processes.

diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
+Documentation=https://github.com/Whonix/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/security-misc/remount-secure
+
+[Install]
+WantedBy=sysinit.target
diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## noexec in /tmp and/or /home can break some malware but also legitimate
+## applications.
+
+set -e
+
+if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
+   ## pre.bsh would `source` the following folders:
+   ## /etc/remount-secure_pre.d/*.conf
+   ## /usr/local/etc/remount-secure_pre.d/*.conf
+   source /usr/lib/helper-scripts/pre.bsh
+fi
+
+if [ -e /etc/remount-disable ]; then
+   echo "$0: /etc/remount-disable exists. Doing nothing."
+   exit 0
+fi
+
+if [ -e /etc/noexec ]; then
+   noexec=true
+   echo "$0: Will remount with noexec."
+   exit 0
+fi
+
+mkdir --parents "/var/run/remount-secure"
+
+if [ "$noexec" = "true" ]; then
+   noexec_maybe=",noexec"
+fi
+
+exit_code=0
+
+home() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   mount -o remount,nosuid,nodev$noexec_maybe /home || exit_code=2
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+run() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
+   mount -o remount,nosuid,nodev$noexec_maybe /run || exit_code=3
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+shm() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   mount -o remount,nosuid,nodev$noexec_maybe /dev/shm || exit_code=4
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+tmp() {
+   if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+      return 0
+   fi
+   mount -o nosuid,nodev$noexec_maybe --bind /tmp /tmp || exit_code=5
+   touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+end() {
+   exit $exit_code
+}
+
+main() {
+   home "$@"
+   run "$@"
+   shm "$@"
+   tmp "$@"
+   end "$@"
+}
+
+main "$@"