diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 8df36e05..84b5f183 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -61,6 +61,8 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown permission_hardening +/usr/libexec/security-misc/generate-secure-remount-config + ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542 diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index ba6e0176..a4fc0345 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -2,15 +2,16 @@ ## See the file COPYING for copying conditions. [Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) +Description=Remount partitions with hardened mount options. Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no -Before=sysinit.target +After=sysinit.target +## so that these services don't fail to start Requires=local-fs.target After=local-fs.target - After=qubes-sysinit.service +Before=systemd-logind.service power-profiles-daemon.service switcheroo-control.service networking.service dbus.service [Service] Type=oneshot diff --git a/usr/libexec/security-misc/generate-secure-remount-config b/usr/libexec/security-misc/generate-secure-remount-config new file mode 100644 index 00000000..a42efc45 --- /dev/null +++ b/usr/libexec/security-misc/generate-secure-remount-config 
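Review bot: The generator called here snapshots /etc/fstab at package-configure time, so mount points added or removed afterwards are not reflected in the generated config until the package is reconfigured, and the service keeps remounting against a stale list. Either regenerate from the unit itself (an `ExecStartPre=` running the same script) or state the limitation next to this call, e.g. `## generated from the current /etc/fstab; re-run after changing mount points`. Whether a generator failure aborts package configuration depends on the postinst's `set -e`, which is outside the hunk.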
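Review bot: The new comment `## so that these services don't fail to start` sits above `Requires=local-fs.target`, but it reads as the rationale for the `Before=systemd-logind.service …` list added further down; moving it directly above that `Before=` line keeps it attached to what it explains. Flipping `Before=sysinit.target` to `After=sysinit.target` also means every unit of the sysinit phase now runs with /run, /dev and /dev/shm still unhardened, which narrows the coverage the unit previously promised, so a one-line comment stating why the earlier ordering had to go (presumably an ordering conflict, which the hunk does not show) would keep the next reader from reverting it. The new `Description=` ends with a period, which systemd's Description= convention discourages because the text is embedded in status messages.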
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+config_file="/usr/lib/security-misc_secure-remount.conf"
+
+if [ -f $config_file ]
+then
+rm $config_file
+fi
+touch $config_file
+
+echo "/ / none defaults,remount 0 2" >> $config_file
+echo "/dev/shm /dev/shm none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/dev /dev none defaults,nosuid,noexec,remount 0 2" >> $config_file
+echo "/run /run none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+
+if grep --quiet " /boot " /etc/fstab
+then
+echo "/boot /boot none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "/boot /boot none defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
+fi
+
+if grep --quiet " /boot/efi " /etc/fstab
+then
+echo "/boot/efi /boot/efi vfat defaults,nosuid,nodev,noexec,umask=0077,remount 0 2" >> $config_file
+fi
+
+if grep --quiet " /home " /etc/fstab
+then
+echo "/home /home none defaults,nosuid,nodev,remount 0 2" >> $config_file
+else
+echo "/home /home none defaults,nosuid,nodev,bind 0 2" >> $config_file
+fi
+
+if grep --quiet " /tmp " /etc/fstab
+then
+echo "/tmp /tmp none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" >> $config_file
+fi
+
+if grep --quiet " /var/log/audit " /etc/fstab
+then
+echo "/var/log/audit /log/audit none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+fi
+
+if grep --quiet " /var/tmp " /etc/fstab
+then
+echo "/var/tmp /var/tmp none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "/tmp /var/tmp none defaults,nosuid,nodev,noexec,bind 0 0" >> $config_file
+fi
+
+if grep --quiet " /var/log " /etc/fstab
+then
+echo "/var/log /var/log none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "/var/log /var/log none defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
+fi
+
+if grep --quiet " /var " /etc/fstab
+then
+echo "/var /var none defaults,nosuid,nodev,remount 0 2" >> $config_file
+else
+echo "/var 
/var none defaults,nosuid,nodev,bind 0 2" >> $config_file
+fi
diff --git a/usr/libexec/security-misc/secure-remount b/usr/libexec/security-misc/secure-remount
new file mode 100644
index 00000000..7b4196c3
--- /dev/null
+++ b/usr/libexec/security-misc/secure-remount
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+config_file="/usr/lib/security-misc_secure-remount.conf"
+
+mount --fstab $config_file --all
+
+echo "Partitions securely remounted by security-misc"
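Review bot: The /var/log/audit entry writes its mount point as `/log/audit`, so `mount --all` will try to remount a path that does not exist and the audit log directory is never hardened; it should read `echo "/var/log/audit /var/log/audit none defaults,nosuid,nodev,noexec,remount 0 2" >> "$config_file"`. The `grep --quiet " /boot " /etc/fstab` style checks also only match space-separated fields and match commented-out lines too, so a tab-separated fstab silently takes the bind/tmpfs branch for every path, including mounting a fresh tmpfs over an existing /tmp; testing the second whitespace-separated field of non-comment lines, as in the helper below, fixes both. Separately, writing generated host-specific state under `/usr/lib` assumes a writable /usr at configure time, where a path under `/run` or `/etc` would be the conventional choice.
```shell
config_file="/usr/lib/security-misc_secure-remount.conf"

## True when a non-comment /etc/fstab line mounts exactly "$1" (second field),
## whether the fields are separated by spaces or tabs.
in_fstab() {
  awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' /etc/fstab
}

if in_fstab /var/log/audit
then
echo "/var/log/audit /var/log/audit none defaults,nosuid,nodev,noexec,remount 0 2" >> "$config_file"
fi
# … unchanged: the remaining entries, each `grep --quiet " X " /etc/fstab` replaced by `in_fstab X` …
```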
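Review bot: The result of `mount --fstab $config_file --all` is not checked, and the trailing `echo` makes the script's exit status 0 regardless, so a failing entry or a missing config file still prints "Partitions securely remounted" and the oneshot unit reports success while the hardening was not applied. Propagate the status and keep the diagnostic on stderr: `mount --fstab "$config_file" --all || { echo "secure-remount: mount --all failed" >&2; exit 1; }`. Quoting `$config_file` here and adding `set -e` at the top would match the conventions the rest of the package's scripts are expected to follow.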