From b1825f1e8c02f938ff3213791cbaa5ecf4dc5eb2 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 15:54:11 +0000
Subject: [PATCH 01/30] home
---
 etc/systemd/system/home.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/home.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/home.mount.d/50_security-misc.conf b/etc/systemd/system/home.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/home.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid

From 6038b7b360e3fab68b90bc80b3a89598389c85f7 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 15:55:57 +0000
Subject: [PATCH 02/30] var
---
 etc/systemd/system/var.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var.mount.d/50_security-misc.conf b/etc/systemd/system/var.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/var.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid

From baa4f120ffed16f5f813172c0d675de1162d3533 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 15:57:46 +0000
Subject: [PATCH 03/30] var-log
---
 etc/systemd/system/var-log.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-log.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var-log.mount.d/50_security-misc.conf b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
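Review bot: `Options=nodev,nosuid` in this drop-in replaces, rather than extends, the Options= that the fstab generator derives for home.mount, because Options= is a single-value setting and a later assignment in a drop-in overrides the earlier one as far as I can tell from systemd.unit(5). On a system where /home is a real partition carrying filesystem-specific options in fstab (a btrfs `subvol=`, `errors=remount-ro`, `discard`), those are silently dropped and the mount may fail or mount the wrong subvolume. The drop-ins in patches 02 through 10 have the same problem. If overriding is the intended design, a comment such as `# NOTE: replaces the fstab-derived Options= entirely; filesystem-specific options must be repeated here` should precede the Options= line, and the value should be checked against `findmnt -o TARGET,OPTIONS /home` on a real install.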
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

From a25b341253bd3edc075aa8ae1a3730f16ae6ca19 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 15:58:20 +0000
Subject: [PATCH 04/30] var-tmp
---
 etc/systemd/system/var-tmp.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf b/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

From 14464b18edb58f02795c7b24591148d9eae1a15b Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 15:59:06 +0000
Subject: [PATCH 05/30] var-log-audit
---
 etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf b/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

From 2971646baa78e08b70983f66028475d94801a225 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 15:59:41 +0000
Subject: [PATCH 06/30] tmp
---
 etc/systemd/system/tmp.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/tmp.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/tmp.mount.d/50_security-misc.conf b/etc/systemd/system/tmp.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/tmp.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

From 97fab965ef81d31c5b31065d114d79be4ef6aa37 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:00:17 +0000
Subject: [PATCH 07/30] boot
---
 etc/systemd/system/boot.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/boot.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/boot.mount.d/50_security-misc.conf b/etc/systemd/system/boot.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/boot.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

From d84d5a53ad164539519af58041206d37b5c5f9e8 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:00:51 +0000
Subject: [PATCH 08/30] boot-efi
---
 etc/systemd/system/boot-efi.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf b/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

From 3fa857b401982130ea583dbe82a61ec2ab830f78 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:02:24 +0000
Subject: [PATCH 09/30] usr
---
 etc/systemd/system/usr.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/usr.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/usr.mount.d/50_security-misc.conf b/etc/systemd/system/usr.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..638cb8be
--- /dev/null
+++ b/etc/systemd/system/usr.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev

From 0212b4be5b2388832af53e4155c60ede6a302e3f Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:03:07 +0000
Subject: [PATCH 10/30] usr-share
---
 etc/systemd/system/usr-share.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/usr-share.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/usr-share.mount.d/50_security-misc.conf b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid

From 8be91a16a1c9eb35ed35a3360ae33eb5cac02063 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:08:39 +0000
Subject: [PATCH 11/30] bind-directories.service
---
 lib/systemd/system/bind-directories.service | 23 +++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 lib/systemd/system/bind-directories.service
diff --git a/lib/systemd/system/bind-directories.service b/lib/systemd/system/bind-directories.service
new file mode 100644
index 00000000..db985758
--- /dev/null
+++ b/lib/systemd/system/bind-directories.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Bind directories that are sensitive but have no dedicated partition on disk
+
+Before=sysinit-post.target
+Before=basic.target
+Before=multi-user.target
+Before=graphical.target
+Before=getty-pre.target
+Before=network-pre.target
+
+After=local-fs.target
+After=sysinit.target
+After=qubes-sysinit.service
+
+Requires=local-fs.target
+Requires=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=bind-directories
+
+[Install]
+WantedBy=sysinit-post.target

From e1637b8c0914c0235c15dba9f778665a5ad57558 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:26:31 +0000
Subject: [PATCH 12/30] bind-directories
---
 usr/bin/bind-directories | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 usr/bin/bind-directories
diff --git a/usr/bin/bind-directories b/usr/bin/bind-directories
new file mode 100644
index 00000000..0e1883df
--- /dev/null
+++ b/usr/bin/bind-directories
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+if ! findmnt "/tmp"
+then
+ mount -o defaults,nodev,noexec,nosuid -t tmpfs tmpfs /tmp
+fi
+
+if ! findmnt "/var/tmp"
+then
+ mount -o defaults,nodev,noexec,nosuid --bind /tmp /var/tmp
+fi
+
+if ! findmnt "/var"
+then
+ mount -o defaults,nodev,nosuid --bind /var /var
+fi
+
+if ! findmnt "/var/log"
+then
+ mount -o defaults,nodev,noexec,nosuid --bind /var/log /var/log
+fi
+
+if ! findmnt "/boot/efi"
+then
+ if [ -d /boot/efi ]
+ then
+ mount -o defaults,nodev,noexec,nosuid --bind /boot/efi /boot/efi
+ fi
+fi
+
+if ! findmnt "/boot"
+then
+ mount -o defaults,nodev,noexec,nosuid --bind /boot /boot
+fi
+
+if ! findmnt "/usr/share"
+then
+ mount -o defaults,nodev,nosuid --bind /usr/share /usr/share
+fi
+
+if ! findmnt "/usr"
+then
+ mount -o defaults,nodev --bind /usr /usr
+fi

From f18799f0eebf7ca642e84c371da33123376a64d7 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:27:54 +0000
Subject: [PATCH 13/30] fix unmount error
---
 etc/systemd/system/var-log.mount.d/50_security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/systemd/system/var-log.mount.d/50_security-misc.conf b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
index ab51a69b..6a1b3395 100644
--- a/etc/systemd/system/var-log.mount.d/50_security-misc.conf
+++ b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
@@ -1,2 +1,5 @@
+[Unit]
+Before=var.mount
+
 [Mount]
 Options=nodev,noexec,nosuid

From e270c61e000dbd32ddcc868912dc228c57847605 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:40:19 +0000
Subject: [PATCH 14/30] more fix
---
 etc/systemd/system/usr-share.mount.d/50_security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/systemd/system/usr-share.mount.d/50_security-misc.conf b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
index c21897d3..bb8ebcf0 100644
--- a/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
+++ b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
@@ -1,2 +1,5 @@
+[Unit]
+Before=usr.mount
+
 [Mount]
 Options=nodev,nosuid

From 7518868cfd307e9d203f5e597ca9218137ac3ee1 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:45:08 +0000
Subject: [PATCH 15/30] remount-api.service
---
 lib/systemd/system/remount-api.service | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 lib/systemd/system/remount-api.service
diff --git a/lib/systemd/system/remount-api.service b/lib/systemd/system/remount-api.service
new file mode 100644
index 00000000..d01a2651
--- /dev/null
+++ b/lib/systemd/system/remount-api.service
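Review bot: `Before=var.mount` in this drop-in works against the ordering systemd derives on its own: a mount unit whose path lies below another mount point automatically gains After= and Requires= on the parent's mount unit (systemd.mount(5)), so var-log.mount would end up both Before= and After= var.mount and systemd breaks such a cycle by deleting a job, which may be either of the two mounts. Patch 14 (usr-share against usr.mount), patch 21 (var-log.mount), patch 24 (boot-efi.mount) and patch 27 (usr-share.mount) add the same inverted Before=. The commit title says this fixes an unmount error, but the change does not say which one, so the result should be checked with `systemd-analyze verify var-log.mount` and a reboot/shutdown cycle, and the reason for the inversion recorded next to the line, e.g. `# ordered before var.mount because <observed error>`.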
@@ -0,0 +1,26 @@
+# https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+# When not editing fstab, some filesystems have to be remounted in order to be hardened
+
+[Unit]
+Description=Remounts what can not be mounted with secure options in the first run without having to edit fstab
+
+Before=sysinit-post.target
+Before=basic.target
+Before=multi-user.target
+Before=graphical.target
+Before=getty-pre.target
+Before=network-pre.target
+
+After=local-fs.target
+After=sysinit.target
+After=qubes-sysinit.service
+
+Requires=local-fs.target
+Requires=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=remount-api
+
+[Install]
+WantedBy=sysinit-post.target

From 57211b1fd7ad713aacd2259c4323945dbe010a29 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Fri, 17 Nov 2023 16:47:09 +0000
Subject: [PATCH 16/30] remount-api
---
 usr/bin/remount-api | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 usr/bin/remount-api
diff --git a/usr/bin/remount-api b/usr/bin/remount-api
new file mode 100644
index 00000000..9fc4a844
--- /dev/null
+++ b/usr/bin/remount-api
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+## This one seems to be superfluous because debian seems to mount run hardened anyway
+# mount -o defaults,nodev,noexec,nosuid,remount /run
+
+mount -o defaults,nodev,noexec,nosuid,remount /dev/shm
+mount -o defaults,noexec,nosuid,remount /dev

From f976ebc0f15d34933f771048a7c92b222e23524b Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:38:27 +0000
Subject: [PATCH 17/30] Delete usr/bin/bind-directories
---
 usr/bin/bind-directories | 44 ----------------------------------------
 1 file changed, 44 deletions(-)
 delete mode 100644 usr/bin/bind-directories
diff --git a/usr/bin/bind-directories b/usr/bin/bind-directories
deleted file mode 100644
index 0e1883df..00000000
--- a/usr/bin/bind-directories
+++ /dev/null
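Review bot: The remount-api script has no error handling, so a failed remount of /dev/shm is not reported and the unit's result depends only on the last mount command; `set -e` after the shebang, or an explicit exit-status check per mount, turns a partial hardening into a visibly failed unit. The comment that Debian already mounts /run hardened should be verified on the target with `findmnt -o TARGET,OPTIONS /run`: to my knowledge systemd's own /run mount carries nosuid,nodev but not noexec, so if noexec on /run is wanted the commented-out line is not superfluous. `defaults` combined with `remount` is a no-op and can be dropped from both active lines.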
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-if ! findmnt "/tmp"
-then
- mount -o defaults,nodev,noexec,nosuid -t tmpfs tmpfs /tmp
-fi
-
-if ! findmnt "/var/tmp"
-then
- mount -o defaults,nodev,noexec,nosuid --bind /tmp /var/tmp
-fi
-
-if ! findmnt "/var"
-then
- mount -o defaults,nodev,nosuid --bind /var /var
-fi
-
-if ! findmnt "/var/log"
-then
- mount -o defaults,nodev,noexec,nosuid --bind /var/log /var/log
-fi
-
-if ! findmnt "/boot/efi"
-then
- if [ -d /boot/efi ]
- then
- mount -o defaults,nodev,noexec,nosuid --bind /boot/efi /boot/efi
- fi
-fi
-
-if ! findmnt "/boot"
-then
- mount -o defaults,nodev,noexec,nosuid --bind /boot /boot
-fi
-
-if ! findmnt "/usr/share"
-then
- mount -o defaults,nodev,nosuid --bind /usr/share /usr/share
-fi
-
-if ! findmnt "/usr"
-then
- mount -o defaults,nodev --bind /usr /usr
-fi

From bdfa883e95737873afc31379bd724b63015ffc51 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:38:55 +0000
Subject: [PATCH 18/30] Delete lib/systemd/system/bind-directories.service
---
 lib/systemd/system/bind-directories.service | 23 ---------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 lib/systemd/system/bind-directories.service
diff --git a/lib/systemd/system/bind-directories.service b/lib/systemd/system/bind-directories.service
deleted file mode 100644
index db985758..00000000
--- a/lib/systemd/system/bind-directories.service
+++ /dev/null
@@ -1,23 +0,0 @@
-[Unit]
-Description=Bind directories that are sensitive but have no dedicated partition on disk
-
-Before=sysinit-post.target
-Before=basic.target
-Before=multi-user.target
-Before=graphical.target
-Before=getty-pre.target
-Before=network-pre.target
-
-After=local-fs.target
-After=sysinit.target
-After=qubes-sysinit.service
-
-Requires=local-fs.target
-Requires=sysinit.target
-
-[Service]
-Type=oneshot
-ExecStart=bind-directories
-
-[Install]
-WantedBy=sysinit-post.target
From b5245a4d9014c54d59c5623b3eca8727371cf10b Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:41:01 +0000
Subject: [PATCH 19/30] var.mount
---
 lib/systemd/system/var.mount | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 lib/systemd/system/var.mount
diff --git a/lib/systemd/system/var.mount b/lib/systemd/system/var.mount
new file mode 100644
index 00000000..d9fae23d
--- /dev/null
+++ b/lib/systemd/system/var.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /var with no dedicated partition
+
+[Mount]
+What=/var
+Where=/var
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From 1a60f900ba771f6d7e1df087d5804176684c7097 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:42:21 +0000
Subject: [PATCH 20/30] var-tmp.mount
---
 lib/systemd/system/var-tmp.mount | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 lib/systemd/system/var-tmp.mount
diff --git a/lib/systemd/system/var-tmp.mount b/lib/systemd/system/var-tmp.mount
new file mode 100644
index 00000000..7281d42a
--- /dev/null
+++ b/lib/systemd/system/var-tmp.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /var/tmp with no dedicated partition
+
+[Mount]
+What=/var/tmp
+Where=/tmp
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From 3b635d4f7d3842d217ed3b88950b6ce432b8b5e3 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:43:05 +0000
Subject: [PATCH 21/30] var-log.mount
---
 lib/systemd/system/var-log.mount | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 lib/systemd/system/var-log.mount
diff --git a/lib/systemd/system/var-log.mount b/lib/systemd/system/var-log.mount
new file mode 100644
index 00000000..66079b03
--- /dev/null
+++ b/lib/systemd/system/var-log.mount
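Review bot: For a bind mount, the `nodev,nosuid` in `Options=defaults,nodev,nosuid,bind` only take effect if mount(8) performs the follow-up remount that newer util-linux does automatically; on older tooling they are silently ignored, so the outcome must be confirmed with `findmnt -o TARGET,OPTIONS /var` rather than assumed. The bind is non-recursive, so as far as I can tell anything already mounted below /var when this unit runs (for example the /var/log bind from patch 21, which orders itself Before= this unit) is hidden by the new top mount together with its own noexec,nosuid flags. If /var already is a separate partition, the fstab generator's var.mount takes precedence over this file and the hardening then rests entirely on the drop-in from patch 02, which is worth a comment in the unit. The same pattern recurs in patches 23, 26 and 29; `WantedBy=local-fs.target` is the usual target for local mounts, and a unit shipped under /lib with only an [Install] section still has to be enabled by the package.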
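Review bot: `Where=/tmp` in var-tmp.mount does not match the unit name; systemd refuses to load a mount unit whose Where= differs from the path encoded in its name, so this unit never mounts anything and should read `Where=/var/tmp`. The follow-up in patch 22 adds noexec but leaves Where=/tmp in place, as its context lines show. Note also that the deleted bind-directories script bound /tmp onto /var/tmp, whereas this unit binds /var/tmp onto itself; whichever is intended, the Description= line should state it.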
@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /var/log with no dedicated partition
+Before=var.mount
+
+[Mount]
+What=/var/log
+Where=/var/log
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From 64a9829e94fb7b17bc7d9ea591714bdcf52221d6 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:43:24 +0000
Subject: [PATCH 22/30] small fix
---
 lib/systemd/system/var-tmp.mount | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/systemd/system/var-tmp.mount b/lib/systemd/system/var-tmp.mount
index 7281d42a..04aec104 100644
--- a/lib/systemd/system/var-tmp.mount
+++ b/lib/systemd/system/var-tmp.mount
@@ -4,7 +4,7 @@ Description=Bind Mount /var/tmp with no dedicated partition
 [Mount]
 What=/var/tmp
 Where=/tmp
-Options=defaults,nodev,nosuid,bind
+Options=defaults,nodev,noexec,nosuid,bind
 
 [Install]
 WantedBy=sysinit.target

From 7512e470a12565d5cf8ed70b6711ee7c481a958f Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:44:30 +0000
Subject: [PATCH 23/30] boot.mount
---
 lib/systemd/system/boot.mount | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 lib/systemd/system/boot.mount
diff --git a/lib/systemd/system/boot.mount b/lib/systemd/system/boot.mount
new file mode 100644
index 00000000..d5a26841
--- /dev/null
+++ b/lib/systemd/system/boot.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /boot with no dedicated partition
+
+[Mount]
+What=/boot
+Where=/boot
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From ee943a31d2d424b24b98e6170487fb3834128f04 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:45:23 +0000
Subject: [PATCH 24/30] boot-efi.mount
---
 lib/systemd/system/boot-efi.mount | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 lib/systemd/system/boot-efi.mount
diff --git a/lib/systemd/system/boot-efi.mount b/lib/systemd/system/boot-efi.mount
new file mode 100644
index 00000000..129c5292
--- /dev/null
+++ b/lib/systemd/system/boot-efi.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /boot/efi with no dedicated partition
+Before=boot.mount
+
+[Mount]
+What=/boot/efi
+Where=/boot/efi
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From 0b134161eaadc575e1f3ed33b3b81f63a5c71199 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:46:22 +0000
Subject: [PATCH 25/30] tmp.mount
---
 lib/systemd/system/tmp.mount | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 lib/systemd/system/tmp.mount
diff --git a/lib/systemd/system/tmp.mount b/lib/systemd/system/tmp.mount
new file mode 100644
index 00000000..547e18bf
--- /dev/null
+++ b/lib/systemd/system/tmp.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /tmp with no dedicated partition
+
+[Mount]
+What=/tmp
+Where=tmpfs
+Options=defaults,nodev,noexec,nosuid
+
+[Install]
+WantedBy=sysinit.target

From 1267cc845c2a5c2e12e66997c6db6110d653eb85 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:47:18 +0000
Subject: [PATCH 26/30] usr.mount
---
 lib/systemd/system/usr.mount | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 lib/systemd/system/usr.mount
diff --git a/lib/systemd/system/usr.mount b/lib/systemd/system/usr.mount
new file mode 100644
index 00000000..99840644
--- /dev/null
+++ b/lib/systemd/system/usr.mount
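Review bot: `What=/tmp` and `Where=tmpfs` are swapped in tmp.mount (patch 30 corrects that), but even after the swap the unit carries no `Type=tmpfs`, so mount(8) is asked to mount a source called "tmpfs" with no filesystem type and will most likely fail; `Type=tmpfs` belongs under [Mount]. Without `size=` or `mode=` the tmpfs defaults apply, so if a cap on /tmp memory use is intended it has to be stated here. The Description= "Bind Mount /tmp" is misleading for a tmpfs, and systemd ships its own tmp.mount (on Debian under /usr/share/systemd/) whose options are worth comparing before a second copy is placed under /lib.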
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /usr with no dedicated partition
+
+[Mount]
+What=/usr
+Where=/usr
+Options=defaults,nodev,bind
+
+[Install]
+WantedBy=sysinit.target

From daed18daccfe899b41562d5ed204bfcf0bda386c Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:47:54 +0000
Subject: [PATCH 27/30] usr-share.mount
---
 lib/systemd/system/usr-share.mount | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 lib/systemd/system/usr-share.mount
diff --git a/lib/systemd/system/usr-share.mount b/lib/systemd/system/usr-share.mount
new file mode 100644
index 00000000..be86cddf
--- /dev/null
+++ b/lib/systemd/system/usr-share.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /usr/share with no dedicated partition
+Before=usr.mount
+
+[Mount]
+What=/usr/share
+Where=/usr/share
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From e13b39f792230320fbe219cd8f65024af0ecf0f3 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:50:31 +0000
Subject: [PATCH 28/30] boot-efi not needed to be bound if boot efi exists in a pure vfat system: if boot is on a seperate partition, boot-efi will be there so securely mounting boot will cover it. if boot is not on a seperate partition, then binding boot to itself covers boot efi. if boot efi alone is on a seperate partition, then it will be securely mounted anyway.
---
 lib/systemd/system/boot-efi.mount | 11 -----------
 1 file changed, 11 deletions(-)
 delete mode 100644 lib/systemd/system/boot-efi.mount
diff --git a/lib/systemd/system/boot-efi.mount b/lib/systemd/system/boot-efi.mount
deleted file mode 100644
index 129c5292..00000000
--- a/lib/systemd/system/boot-efi.mount
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Bind Mount /boot/efi with no dedicated partition
-Before=boot.mount
-
-[Mount]
-What=/boot/efi
-Where=/boot/efi
-Options=defaults,nodev,noexec,nosuid,bind
-
-[Install]
-WantedBy=sysinit.target

From 6bf357d0b741ede8b813f387e417320768e4ac86 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 16:51:24 +0000
Subject: [PATCH 29/30] home.mount
---
 lib/systemd/system/home.mount | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 lib/systemd/system/home.mount
diff --git a/lib/systemd/system/home.mount b/lib/systemd/system/home.mount
new file mode 100644
index 00000000..9892386a
--- /dev/null
+++ b/lib/systemd/system/home.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /home with no dedicated partition
+
+[Mount]
+What=/home
+Where=/home
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

From 378c00ebfe252b5990372ce28b74a836532b39c1 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sun, 19 Nov 2023 17:00:15 +0000
Subject: [PATCH 30/30] fix
---
 lib/systemd/system/tmp.mount | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/systemd/system/tmp.mount b/lib/systemd/system/tmp.mount
index 547e18bf..419dfab6 100644
--- a/lib/systemd/system/tmp.mount
+++ b/lib/systemd/system/tmp.mount
@@ -2,8 +2,8 @@
 Description=Bind Mount /tmp with no dedicated partition
 
 [Mount]
-What=/tmp
-Where=tmpfs
+What=tmpfs
+Where=/tmp
 Options=defaults,nodev,noexec,nosuid
 
 [Install]