
ramlog: harden the zram mounting #6487

Merged
merged 1 commit into from Apr 17, 2024

Conversation

@Smankusors (Contributor) commented Apr 9, 2024

Description

this is to improve the score of /var/log for FILE-6374 in Lynis audit

before
[+] File systems
------------------------------------
  - Mount options of /boot                                    [ HARDENED ]
  - Mount options of /dev                                     [ PARTIALLY HARDENED ]
  - Mount options of /dev/shm                                 [ PARTIALLY HARDENED ]
  - Mount options of /run                                     [ HARDENED ]
  - Mount options of /tmp                                     [ HARDENED ]
  - Mount options of /var/log                                 [ PARTIALLY HARDENED ]
after
[+] File systems
------------------------------------
  - Mount options of /boot                                    [ HARDENED ]
  - Mount options of /dev                                     [ PARTIALLY HARDENED ]
  - Mount options of /dev/shm                                 [ PARTIALLY HARDENED ]
  - Mount options of /run                                     [ HARDENED ]
  - Mount options of /tmp                                     [ HARDENED ]
  - Mount options of /var/log                                 [ HARDENED ]

Also, I saw that when using tmpfs, the mount options are already hardened.

mount -t tmpfs -o nosuid,noexec,nodev,mode=0755,size=$SIZE armbian-ramlog $RAM_LOG 2>&1 | $LOG_OUTPUT

So, for consistency, why not do the same when using zram? 😉

How Has This Been Tested?

Run Lynis with the parameters below

./lynis audit system --tests FILE-6374

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes generate no new warnings

this is to improve the score of /var/log for FILE-6374 in Lynis audit
@Smankusors Smankusors requested a review from a team as a code owner April 9, 2024 19:39
@github-actions github-actions bot added the size/small PR with less then 50 lines label Apr 9, 2024
@ColorfulRhino (Collaborator) commented Apr 9, 2024

Looks good!
Did you consider the possibility of hardening the rest of the filesystems /dev/shm and /dev as well?

I appreciate security analysis and hardening 👍

@Smankusors (Contributor, Author)

> Looks good! Did you consider the possibility of hardening the rest of the filesystems /dev/shm and /dev/shm as well?
>
> I appreciate security analysis and hardening 👍

/dev/shm and /dev/shm? do you mean /dev? 😅

yeah, I considered that too... Both of them are missing the noexec mount option

but I'm...

  1. afraid of breaking other systems and programs
  2. not sure where to set them, probably in /etc/fstab?
  3. kinda out of scope with the PR title

oh yeah, /tmp was also previously "PARTIALLY HARDENED", because it's missing nodev and noexec. And I fixed that by editing the existing /etc/fstab entries

but for this, I'm not sure we can apply it to all users, in case some casual users are casually executing something from /tmp.... wdyt?
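Added example (not code from this PR or from the Armbian scripts): a small POSIX sh checker that classifies mount entries the way the Lynis FILE-6374 lines in the PR description read, and that can also be pointed at an fstab entry such as the /tmp line discussed above before it is applied. It assumes the three options the PR's tmpfs mount uses (nodev, nosuid, noexec) are the full hardened set, and the sample tables are constructed.

```sh
#!/bin/sh
# Added example, not part of the PR or the Armbian code base.
# A mount table line has the "<fs> <mountpoint> <type> <options> ..." layout
# shared by /proc/mounts and /etc/fstab, so one function audits either a live
# system or an fstab draft before it is applied.
# Assumption: nodev, nosuid and noexec (the options on the PR's tmpfs mount)
# are the options that count as fully hardened.

WANTED_OPTS="nodev nosuid noexec"

# mount_verdict <options-field>
# Echoes HARDENED, or "PARTIALLY HARDENED (missing: ...)" listing absent options.
mount_verdict() {
    opts=",$1,"          # pad so ",noexec," cannot match a longer option name
    missing=""
    for want in $WANTED_OPTS; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -z "$missing" ]; then
        echo "HARDENED"
    else
        echo "PARTIALLY HARDENED (missing:$missing)"
    fi
}

# audit_mount <mountpoint> <table-text>
# Finds the entry for <mountpoint> in a mount table and echoes its verdict.
# Blank and comment lines are skipped; echoes NOT FOUND and returns 1 if absent.
audit_mount() {
    target="$1"
    while read -r fs mp _type opts _rest; do
        case "$fs" in ''|'#'*) continue ;; esac
        [ "$mp" = "$target" ] || continue
        mount_verdict "$opts"
        return 0
    done <<EOF
$2
EOF
    echo "NOT FOUND"
    return 1
}

# Constructed table modelled on the "before" state: the /tmp fstab line from
# this thread and a zram-backed /var/log with only default options
# (the filesystem type on the zram device is an assumption).
SAMPLE_BEFORE='# <file system> <mount point> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs defaults,nosuid 0 0
/dev/zram1 /var/log ext4 rw,relatime 0 0'

# Constructed "after" table: both mounts carry the hardened option set.
SAMPLE_AFTER='tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
/dev/zram1 /var/log ext4 rw,nosuid,noexec,nodev,relatime 0 0'

# Demo output when run directly
for mp in /tmp /var/log; do
    printf 'before %-9s %s\n' "$mp" "$(audit_mount "$mp" "$SAMPLE_BEFORE")"
    printf 'after  %-9s %s\n' "$mp" "$(audit_mount "$mp" "$SAMPLE_AFTER")"
done
```

On a real system, `audit_mount /var/log "$(cat /proc/mounts)"` checks the live mount and `audit_mount /tmp "$(cat /etc/fstab)"` checks the entry before a reboot.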

@ColorfulRhino (Collaborator)

> /dev/shm and /dev/shm? do you mean /dev? 😅

Yes, sorry.

> yeah, I considered that too... Both of them are missing the noexec mount option
>
> but I'm...
>
> 1. afraid of breaking other systems and programs
>
> 2. not sure where to set them, probably in /etc/fstab?
>
> 3. kinda out of scope with the PR title

Yeah, it's out of scope with the PR title, but also kind-of related in a way to the general PR, so why not discuss the others while we're at it :) (my opinion)

> oh yeah, /tmp was also previously "PARTIALLY HARDENED", because it's missing nodev and noexec. And I fixed that by editing the existing /etc/fstab entries
>
> but for this, I'm not sure we can apply it to all users, in case some casual users are casually executing something from /tmp.... wdyt?

nodev should likely be fine. For noexec in /tmp, I'm not sure if any Armbian scripts execute anything from /tmp.
fstab would need to be adjusted somewhere here I believe:

# stage: create fs, mount partitions, create fstab
rm -f $SDCARD/etc/fstab
declare root_part_uuid="uninitialized"
if [[ -n $rootpart ]]; then
local rootdevice="${LOOP}p${rootpart}"
call_extension_method "prepare_root_device" <<- 'PREPARE_ROOT_DEVICE'
*Specialized storage extensions typically transform the root device into a mapped device and should hook in here *
At this stage ${rootdevice} has been defined pointing to a loop device partition. Extensions that map the root device must update rootdevice accordingly.
PREPARE_ROOT_DEVICE
check_loop_device "$rootdevice"
display_alert "Creating rootfs" "$ROOTFS_TYPE on $rootdevice"
run_host_command_logged mkfs.${mkfs[$ROOTFS_TYPE]} ${mkopts[$ROOTFS_TYPE]} ${mkopts_label[$ROOTFS_TYPE]:+${mkopts_label[$ROOTFS_TYPE]}"$ROOT_FS_LABEL"} "${rootdevice}"
[[ $ROOTFS_TYPE == ext4 ]] && run_host_command_logged tune2fs -o journal_data_writeback "$rootdevice"
if [[ $ROOTFS_TYPE == btrfs && $BTRFS_COMPRESSION != none ]]; then
local fscreateopt="-o compress-force=${BTRFS_COMPRESSION}"
fi
wait_for_disk_sync "after mkfs" # force writes to be really flushed
# store in readonly global for usage in later hooks
root_part_uuid="$(blkid -s UUID -o value ${LOOP}p${rootpart})"
declare -g -r ROOT_PART_UUID="${root_part_uuid}"
display_alert "Mounting rootfs" "$rootdevice (UUID=${ROOT_PART_UUID})"
run_host_command_logged mount ${fscreateopt} $rootdevice $MOUNT/
# create fstab (and crypttab) entry
local rootfs
if [[ $CRYPTROOT_ENABLE == yes ]]; then
# map the LUKS container partition via its UUID to be the 'cryptroot' device
echo "$ROOT_MAPPER UUID=${root_part_uuid} none luks" >> $SDCARD/etc/crypttab
rootfs=$rootdevice # used in fstab
else
rootfs="UUID=$(blkid -s UUID -o value $rootdevice)"
fi
echo "$rootfs / ${mkfs[$ROOTFS_TYPE]} defaults,noatime${mountopts[$ROOTFS_TYPE]} 0 1" >> $SDCARD/etc/fstab
else
# update_initramfs will fail if /lib/modules/ doesn't exist
mount --bind --make-private $SDCARD $MOUNT/
echo "/dev/nfs / nfs defaults 0 0" >> $SDCARD/etc/fstab
fi
if [[ -n $bootpart ]]; then
display_alert "Creating /boot" "$bootfs on ${LOOP}p${bootpart}"
check_loop_device "${LOOP}p${bootpart}"
run_host_command_logged mkfs.${mkfs[$bootfs]} ${mkopts[$bootfs]} ${mkopts_label[$bootfs]:+${mkopts_label[$bootfs]}"$BOOT_FS_LABEL"} ${LOOP}p${bootpart}
mkdir -p $MOUNT/boot/
run_host_command_logged mount ${LOOP}p${bootpart} $MOUNT/boot/
echo "UUID=$(blkid -s UUID -o value ${LOOP}p${bootpart}) /boot ${mkfs[$bootfs]} defaults${mountopts[$bootfs]} 0 2" >> $SDCARD/etc/fstab
fi
if [[ -n $uefipart ]]; then
display_alert "Creating EFI partition" "FAT32 ${UEFI_MOUNT_POINT} on ${LOOP}p${uefipart} label ${UEFI_FS_LABEL}"
check_loop_device "${LOOP}p${uefipart}"
run_host_command_logged mkfs.fat -F32 -n "${UEFI_FS_LABEL^^}" ${LOOP}p${uefipart} 2>&1 # "^^" makes variable UPPERCASE, required for FAT32.
mkdir -p "${MOUNT}${UEFI_MOUNT_POINT}"
run_host_command_logged mount ${LOOP}p${uefipart} "${MOUNT}${UEFI_MOUNT_POINT}"
# Allow skipping the fstab entry for the EFI partition if UEFI_MOUNT_POINT_SKIP_FSTAB=yes; add comments instead if so
if [[ "${UEFI_MOUNT_POINT_SKIP_FSTAB:-"no"}" == "yes" ]]; then
display_alert "Skipping EFI partition in fstab" "UEFI_MOUNT_POINT_SKIP_FSTAB=${UEFI_MOUNT_POINT_SKIP_FSTAB}" "debug"
echo "# /boot/efi fstab commented out due to UEFI_MOUNT_POINT_SKIP_FSTAB=${UEFI_MOUNT_POINT_SKIP_FSTAB}"
echo "# UUID=$(blkid -s UUID -o value ${LOOP}p${uefipart}) ${UEFI_MOUNT_POINT} vfat defaults 0 2" >> $SDCARD/etc/fstab
else
echo "UUID=$(blkid -s UUID -o value ${LOOP}p${uefipart}) ${UEFI_MOUNT_POINT} vfat defaults 0 2" >> $SDCARD/etc/fstab
fi
fi
display_alert "Writing /tmp as tmpfs in chroot fstab" "$SDCARD/etc/fstab" "debug"
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> $SDCARD/etc/fstab

# creating fstab from scratch
rm -f "${TempDir}"/rootfs/etc/fstab
mkdir -p "${TempDir}"/rootfs/etc "${TempDir}"/rootfs/media/mmcboot "${TempDir}"/rootfs/media/mmcroot
# Restore TMP and swap
echo "# <file system> <mount point> <type> <options> <dump> <pass>" > "${TempDir}"/rootfs/etc/fstab
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> "${TempDir}"/rootfs/etc/fstab
grep swap /etc/fstab >> "${TempDir}"/rootfs/etc/fstab
# creating fstab, kernel and boot script for NAND partition
#
if [[ $1 == *nand* ]]; then
echo "Finishing installation to NAND." >> $logfile
REMOVESDTXT="and remove SD to boot from NAND"
echo "$1 /boot vfat defaults 0 0" >> "${TempDir}"/rootfs/etc/fstab
echo "$2 / ext4 defaults,noatime,commit=600,errors=remount-ro 0 1" >> "${TempDir}"/rootfs/etc/fstab
dialog --title "$title" --backtitle "$backtitle" --infobox "\nConverting kernel ... few seconds." 5 60
mkimage -A arm -O linux -T kernel -C none -a "0x40008000" -e "0x40008000" -n "Linux kernel" -d \
/boot/zImage "${TempDir}"/bootfs/uImage >/dev/null 2>&1
cp /boot/script.bin "${TempDir}"/bootfs/
if [[ $DEVICE_TYPE != a13 ]]; then
# Note: Not using UUID based boot for NAND
cat <<-EOF > "${TempDir}"/bootfs/uEnv.txt
console=ttyS0,115200
root=$2 rootwait
extraargs="console=tty1 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:0 consoleblank=0 loglevel=1"
EOF
else
# Note: Not using UUID based boot for NAND
cat <<-EOF > "${TempDir}"/bootfs/uEnv.txt
console=ttyS0,115200
root=$2 rootwait
extraargs="consoleblank=0 loglevel=1"
EOF
fi
sync
[[ $DEVICE_TYPE = a20 ]] && echo "machid=10bb" >> "${TempDir}"/bootfs/uEnv.txt
# ugly hack becouse we don't have sources for A10 nand uboot
if [[ $ID == Cubieboard || $BOARD_NAME == Cubieboard || $ID == "Lime A10" || $BOARD_NAME == "Lime A10" ]]; then
cp "${TempDir}"/bootfs/uEnv.txt "${TempDir}"/rootfs/boot/uEnv.txt
cp "${TempDir}"/bootfs/script.bin "${TempDir}"/rootfs/boot/script.bin
cp "${TempDir}"/bootfs/uImage "${TempDir}"/rootfs/boot/uImage
fi
umount_device "/dev/nand"
tune2fs -o journal_data_writeback /dev/nand2 >/dev/null 2>&1
tune2fs -O ^has_journal /dev/nand2 >/dev/null 2>&1
e2fsck -f /dev/nand2 >/dev/null 2>&1
fi
# Boot from eMMC, root = eMMC or SATA / USB
#
if [[ ($2 == ${emmccheck}p* || $1 == ${emmccheck}p*) && $DEVICE_TYPE != uefi ]]; then
if [[ $2 == ${DISK_ROOT_PART} ]]; then
local targetuuid=$satauuid
local choosen_fs=$FilesystemChoosen
echo "Finalizing: boot from eMMC, rootfs on USB/SATA/NVMe." >> $logfile
if [[ $eMMCFilesystemChoosen =~ ^(btrfs|f2fs)$ ]]; then
echo "$emmcuuid /media/mmcroot $eMMCFilesystemChoosen ${mountopts[$eMMCFilesystemChoosen]}" >> "${TempDir}"/rootfs/etc/fstab
fi
else
local targetuuid=$emmcuuid
local choosen_fs=$eMMCFilesystemChoosen
echo "Finishing full install to eMMC." >> $logfile
fi
# fix that we can have one exlude file
cp -R /boot "${TempDir}"/bootfs
# old boot scripts
[[ -f "${TempDir}"/bootfs/boot/boot.cmd ]] && sed -e 's,root='"$root_uuid"',root='"$targetuuid"',g' -i "${TempDir}"/bootfs/boot/boot.cmd
# new boot scripts
if [[ -f "${TempDir}"/bootfs/boot/armbianEnv.txt ]]; then
sed -e 's,rootdev=.*,rootdev='"$targetuuid"',g' -i "${TempDir}"/bootfs/boot/armbianEnv.txt
grep -q '^rootdev' "${TempDir}"/bootfs/boot/armbianEnv.txt || echo "rootdev=$targetuuid" >> "${TempDir}"/bootfs/boot/armbianEnv.txt
else
[[ -f "${TempDir}"/bootfs/boot/boot.cmd ]] && sed -e 's,setenv rootdev.*,setenv rootdev '"$targetuuid"',g' -i "${TempDir}"/bootfs/boot/boot.cmd
[[ -f "${TempDir}"/bootfs/boot/boot.ini ]] && sed -e 's,^setenv rootdev.*$,setenv rootdev "'"$targetuuid"'",' -i "${TempDir}"/bootfs/boot/boot.ini
[[ -f "${TempDir}"/rootfs/boot/boot.ini ]] && sed -e 's,^setenv rootdev.*$,setenv rootdev "'"$targetuuid"'",' -i "${TempDir}"/rootfs/boot/boot.ini
fi
if [[ -f "${TempDir}"/bootfs/boot/extlinux/extlinux.conf ]]; then
sed -e 's,root='"$root_uuid"',root='"$targetuuid"',g' -i "${TempDir}"/bootfs/boot/extlinux/extlinux.conf
[[ -f "${TempDir}"/bootfs/boot/boot.cmd ]] && rm "${TempDir}"/bootfs/boot/boot.cmd
else
mkimage -C none -A arm -T script -d "${TempDir}"/bootfs/boot/boot.cmd "${TempDir}"/bootfs/boot/boot.scr >/dev/null 2>&1 || (echo 'Error while creating U-Boot loader image with mkimage' >&2 ; exit 5)
fi
# fstab adj
if [[ "$1" != "$2" ]]; then
echo "$emmcbootuuid /media/mmcboot ext4 ${mountopts[ext4]}" >> "${TempDir}"/rootfs/etc/fstab
echo "/media/mmcboot/boot /boot none bind 0 0" >> "${TempDir}"/rootfs/etc/fstab
fi
# if the rootfstype is not defined as cmdline argument on armbianEnv.txt
if ! grep -qE '^rootfstype=.*' "${TempDir}"/bootfs/boot/armbianEnv.txt; then
# Add the line of type of the selected rootfstype to the file armbianEnv.txt
[[ -f "${TempDir}"/bootfs/boot/armbianEnv.txt ]] && echo "rootfstype=$choosen_fs" >> "${TempDir}"/bootfs/boot/armbianEnv.txt
fi
if [[ $eMMCFilesystemChoosen =~ ^(btrfs|f2fs)$ ]]; then
echo "$targetuuid / $choosen_fs ${mountopts[$choosen_fs]}" >> "${TempDir}"/rootfs/etc/fstab
# swap file not supported under btrfs but we might have made a partition
[[ -n ${emmcswapuuid} ]] && sed -e 's,/var/swap.*,'$emmcswapuuid' none swap sw 0 0,g' -i "${TempDir}"/rootfs/etc/fstab
if [[ -f "${TempDir}"/bootfs/boot/armbianEnv.txt ]]; then
sed -e 's,rootfstype=.*,rootfstype='$eMMCFilesystemChoosen',g' -i "${TempDir}"/bootfs/boot/armbianEnv.txt
else
echo 'rootfstype='$eMMCFilesystemChoosen >>"${TempDir}"/bootfs/boot/armbianEnv.txt
fi
else
[[ -f "${TempDir}"/bootfs/boot/armbianEnv.txt ]] && sed -e 's,rootfstype=.*,rootfstype='$choosen_fs',g' -i "${TempDir}"/bootfs/boot/armbianEnv.txt
echo "$targetuuid / $choosen_fs ${mountopts[$choosen_fs]}" >> "${TempDir}"/rootfs/etc/fstab
fi
if [[ $(type -t write_uboot_platform) != function ]]; then
echo "Error: no u-boot package found, exiting"
exit 6
fi
write_uboot_platform "$DIR" $emmccheck
fi
# Boot from SD card, root = SATA / USB
#
if [[ $2 == ${DISK_ROOT_PART} && -z $1 && $DEVICE_TYPE != uefi ]]; then
echo -e "Finishing transfer to disk, boot from SD/eMMC" >> $logfile
[[ -f /boot/boot.cmd ]] && sed -e 's,root='"$root_uuid"',root='"$satauuid"',g' -i /boot/boot.cmd
[[ -f /boot/boot.ini ]] && sed -e 's,^setenv rootdev.*$,setenv rootdev "'"$satauuid"'",' -i /boot/boot.ini
# new boot scripts
if [[ -f /boot/armbianEnv.txt ]]; then
sed -e 's,rootdev=.*,rootdev='"$satauuid"',g' -i /boot/armbianEnv.txt
grep -q '^rootdev' /boot/armbianEnv.txt || echo "rootdev=$satauuid" >> /boot/armbianEnv.txt
sed -e 's,rootfstype=.*,rootfstype='$FilesystemChoosen',g' -i /boot/armbianEnv.txt
grep -q '^rootfstype' /boot/armbianEnv.txt || echo "rootfstype=$FilesystemChoosen" >> /boot/armbianEnv.txt
else
sed -e 's,setenv rootdev.*,setenv rootdev '"$satauuid"',' -i /boot/boot.cmd
sed -e 's,setenv rootdev.*,setenv rootdev '"$satauuid"',' -i /boot/boot.ini
sed -e 's,setenv rootfstype.*,setenv rootfstype '"$FilesystemChoosen"',' -i /boot/boot.cmd
sed -e 's,setenv rootfstype.*,setenv rootfstype '"$FilesystemChoosen"',' -i /boot/boot.ini
fi
if [[ -f /bootfs/boot/extlinux/extlinux.conf ]]; then
sed -e 's,root='"$root_uuid"',root='"$satauuid"',g' -i /boot/extlinux/extlinux.conf
[[ -f /boot/boot.cmd ]] && rm /boot/boot.cmd
fi
[[ -f /boot/boot.cmd ]] && mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr >/dev/null 2>&1 || (echo 'Error while creating U-Boot loader image with mkimage' >&2 ; exit 7)
mkdir -p "${TempDir}"/rootfs/media/mmc/boot
echo "${sduuid} /media/mmcboot ext4 ${mountopts[ext4]}" >> "${TempDir}"/rootfs/etc/fstab
echo "/media/mmcboot/boot /boot none bind 0 0" >> "${TempDir}"/rootfs/etc/fstab
echo "$satauuid / $FilesystemChoosen ${mountopts[$FilesystemChoosen]}" >> "${TempDir}"/rootfs/etc/fstab
# recreate swap file if already existing (might be missing since zram only)
if [ -f /var/swap ]; then
fallocate -l 128M "${TempDir}"/rootfs/var/swap || dd if=/dev/zero of="${TempDir}"/rootfs/var/swap bs=1M count=128 status=noxfer
mkswap "${TempDir}"/rootfs/var/swap
fi
fi
if [[ $2 == ${DISK_ROOT_PART} && -z $1 && $DEVICE_TYPE = uefi ]]; then
# create swap file size of your memory so we can use it for S4
MEM_TOTAL=$(cat /proc/meminfo | awk '/MemTotal/ {print $2}')
# but no more then 16Gb
[[ ${MEM_TOTAL} -gt 16107868 ]] && MEM_TOTAL=16107868
dd if=/dev/zero of="${TempDir}"/rootfs/swapfile bs=${MEM_TOTAL} count=1024 conv=notrunc >> $logfile
mkswap "${TempDir}"/rootfs/swapfile >> $logfile
chmod 0600 "${TempDir}"/rootfs/swapfile
sed -i "/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/\"$/ resume=UUID=$(findmnt -no UUID -T "${TempDir}"/rootfs/swapfile) resume_offset=$(filefrag -v "${TempDir}"/rootfs/swapfile |grep " 0:"| awk '{print $4}' | cut -d"." -f1)\"/" "${TempDir}"/rootfs/etc/default/grub.d/98-armbian.cfg
echo "GRUB_DISABLE_OS_PROBER=false" >> "${TempDir}"/rootfs/etc/default/grub.d/98-armbian.cfg
echo "$satauuid / $FilesystemChoosen ${mountopts[$FilesystemChoosen]}" >> "${TempDir}"/rootfs/etc/fstab
echo "UUID=$(lsblk -io KNAME,LABEL,UUID,PARTLABEL | grep $diskcheck | grep -i efi | awk '{print $3}') /boot/efi vfat defaults 0 2" >> "${TempDir}"/rootfs/etc/fstab
echo "/swapfile none swap sw 0 0" >> "${TempDir}"/rootfs/etc/fstab
cat <<-hibernatemenu >"${TempDir}"/rootfs/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
[Re-enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
[Re-enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
hibernatemenu
efi_partition=$(LC_ALL=C fdisk -l "/dev/$diskcheck" 2>/dev/null | grep "EFI" | awk '{print $1}')
echo "Install GRUB to $efi_partition"
mkdir -p "${TempDir}"/rootfs/{dev,proc,sys}
mount $efi_partition "${TempDir}"/rootfs/boot/efi
mount --bind /dev "${TempDir}"/rootfs/dev
mount --make-rslave --bind /dev/pts "${TempDir}"/rootfs/dev/pts
mount --bind /proc "${TempDir}"/rootfs/proc
mount --make-rslave --rbind /sys "${TempDir}"/rootfs/sys
arch_target=$([[ $(arch) == x86_64 ]] && echo "x86_64-efi" || echo "arm64-efi")
chroot "${TempDir}/rootfs/" /bin/bash -c "grub-install --target=$arch_target --efi-directory=/boot/efi --bootloader-id=Armbian" >> $logfile
chroot "${TempDir}/rootfs/" /bin/bash -c "grub-mkconfig -o /boot/grub/grub.cfg" >> $logfile
grep "${TempDir}"/rootfs/sys /proc/mounts | cut -f2 -d" " | sort -r | xargs umount -n
umount "${TempDir}"/rootfs/proc
umount "${TempDir}"/rootfs/dev/pts
umount "${TempDir}"/rootfs/dev
umount "${TempDir}"/rootfs/boot/efi
fi
# Boot from MTD flash, root = SATA / USB
#
if [[ $1 == *mtd* ]]; then
if [[ -f "${TempDir}"/rootfs/boot/armbianEnv.txt ]]; then
sed -e 's,rootdev=.*,rootdev='"$satauuid"',g' -i "${TempDir}"/rootfs/boot/armbianEnv.txt
fi
if [[ -f "${TempDir}"/rootfs/boot/extlinux/extlinux.conf ]]; then
sed -e 's,root='"$root_uuid"',root='"$satauuid"',g' -i "${TempDir}"/rootfs/boot/extlinux/extlinux.conf
fi
echo "$satauuid / $FilesystemChoosen ${mountopts[$FilesystemChoosen]}" >> "${TempDir}"/rootfs/etc/fstab
fi
# recreate OMV mounts at destination if needed
grep -q ' /srv/' /etc/fstab
if [ $? -eq 0 -a -f /etc/default/openmediavault ]; then
echo -e '# >>> [openmediavault]' >> "${TempDir}"/rootfs/etc/fstab
grep ' /srv/' /etc/fstab | while read ; do
echo "${REPLY}" >> "${TempDir}"/rootfs/etc/fstab
mkdir -p -m700 "${TempDir}/rootfs$(awk -F" " '{print $2}' <<<"${REPLY}")"
done
echo -e '# <<< [openmediavault]' >> "${TempDir}"/rootfs/etc/fstab
fi
echo -e "\nChecking again for open files:" >> $logfile
lsof / | awk 'NR==1 || $4~/[0-9][uw]/' | grep -v "^COMMAND" >> $logfile
LANG=C echo -e "\n$(date): Finished\n\n" >> $logfile
cat $logfile > "${TempDir}"/rootfs${logfile}
sync
umount "${TempDir}"/rootfs
mountpoint -q "${TempDir}"/bootfs && umount "${TempDir}"/bootfs
} # create_armbian

Also for /dev and /dev/shm, I honestly have no idea where to even adjust their mount options. Can probably find out.

@Smankusors (Contributor, Author)

hmm, I'm still unsure about /dev and /dev/shm, because most distros are not doing this by default

AFAIK, only Alpine Linux mounts /dev and /dev/shm securely

more readings:

  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940171
    Ubuntu/Debian previously used nosuid,noexec for mounting /dev, but then they removed noexec because certain programs break
  2. https://unix.stackexchange.com/questions/670362/mounting-dev-shm-with-noexec
  3. https://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec
    certain apt packages may break, I don't know if this is still relevant today 👀

so... unless Armbian is really hardcore on security, I think it's best to leave /dev, /dev/shm, and /tmp as is. Then it's up to the end users whether they want to harden them or not, wdyt?

@igorpecovnik igorpecovnik added Ready to merge Reviewed, tested and ready for merge 05 Milestone: Second quarter release labels Apr 15, 2024
@ColorfulRhino (Collaborator)

> hmm, I'm still unsure about /dev and /dev/shm, because most distros are not doing this by default
>
> AFAIK, only Alpine Linux mounts /dev and /dev/shm securely
>
> more readings:
>
> 1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940171
>    Ubuntu/Debian previously used `nosuid,noexec` for mounting `/dev`, but then they removed noexec because certain programs break
>
> 2. https://unix.stackexchange.com/questions/670362/mounting-dev-shm-with-noexec
>
> 3. https://serverfault.com/questions/72356/how-useful-is-mounting-tmp-noexec
>    certain apt packages may break, I don't know if this is still relevant today 👀

Thanks for checking this out!

> so... unless Armbian is really hardcore on security, I think it's best to leave /dev, /dev/shm, and /tmp as is. Then it's up to the end users whether they want to harden them or not, wdyt?

Yeah. We should keep this in our mind for later though. But there are a lot more things that we should do first to improve Armbian's security 😅

@ColorfulRhino ColorfulRhino merged commit 4df3bdd into armbian:main Apr 17, 2024
2 checks passed