remount Tor Browser folder in /home with exec (disable noexec if enab…

…led) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
Kicksecure · Dec 17, 2019 · 2e0c1c4 · 2e0c1c4
1 parent 9fd05e8
commit 2e0c1c4
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 0 deletions.
diff --git a/etc/sudoers.d/tb-starter b/etc/sudoers.d/tb-starter
@@ -0,0 +1,6 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+Defaults:ALL env_keep += "tb_home_folder"
+Defaults:ALL env_keep += "tb_user_home"
+user ALL=NOPASSWD: /usr/lib/tb-starter/remount-exec
diff --git a/usr/bin/torbrowser b/usr/bin/torbrowser
@@ -232,6 +232,19 @@ More info: <a href=https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Runnin
    exit 1
 }
 
+remount_exec() {
+   if [ "$qubes_vm_persistence" = "none" ]; then
+      true "$FUNCNAME: Not remounting exec in DispVM."
+      return 0
+   fi
+
+   sudo \
+      --non-interactive \
+      tb_home_folder="$tb_home_folder" \
+      tb_user_home="$tb_user_home" \
+      /usr/lib/tb-starter/remount-exec
+}
+
 check_noexec() {
    local tb_home_folder_mount
    ## example tb_home_folder:
@@ -722,6 +735,7 @@ main_function() {
    check_tb_updater_first_boot_done "$@"
    tb_copy_from_root_to_user_maybe "$@"
    maybe_install_tor_browser "$@"
+   remount_exec "$@"
    check_noexec "$@"
    tb_folder_change_directory "$@"
    tb_clearnet "$@"

diff --git a/usr/lib/tb-starter/remount-exec b/usr/lib/tb-starter/remount-exec
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## test:
+## sudo tb_user_home=/home/user tb_home_folder=/home/user/.tb bash -x /usr/lib/tb-starter/remount-exec
+
+#set -x
+set -e
+
+if [ "$(id -u)" != "0" ]; then
+   echo "ERROR: Must run as root." >&2
+   exit 112
+fi
+
+## example tb_user_home:
+## /home/user
+
+if [ "$tb_user_home" = "" ]; then
+   echo "$0: ERROR tb_user_home is empty" >&2
+   exit 1
+fi
+
+## example tb_home_folder:
+## /home/user/.tb
+
+if [ "$tb_home_folder" = "" ]; then
+   echo "$0: ERROR tb_home_folder is empty" >&2
+   exit 1
+fi
+
+## Check if already correct mount options.
+if mount | grep "$tb_home_folder" | grep -q noexec ; then
+   ## noexec mount option found. Therefore remount.
+   mount --bind -o nosuid,nodev "$tb_home_folder" "$tb_home_folder"
+fi
+
+## results in:
+# mount | grep /home/user/.tb
+# /dev/xvdb on /home/user/.tb type ext4 (rw,nosuid,nodev,relatime,discard)
+# /dev/xvdb on /rw/home/user/.tb type ext4 (rw,nosuid,nodev,relatime,discard)