Secure Remount Without Remounting At All For The Most Part - Secure Mount

etc/systemd/system/boot-efi.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

etc/systemd/system/boot.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

etc/systemd/system/home.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid

etc/systemd/system/tmp.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

etc/systemd/system/usr-share.mount.d/50_security-misc.conf

@@ -0,0 +1,5 @@
+[Unit]
+Before=usr.mount
+
+[Mount]
+Options=nodev,nosuid

etc/systemd/system/usr.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev

etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

etc/systemd/system/var-log.mount.d/50_security-misc.conf

@@ -0,0 +1,5 @@
+[Unit]
+Before=var.mount
+
+[Mount]
+Options=nodev,noexec,nosuid

etc/systemd/system/var-tmp.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid

etc/systemd/system/var.mount.d/50_security-misc.conf

@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid

lib/systemd/system/boot.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /boot with no dedicated partition
+
+[Mount]
+What=/boot
+Where=/boot
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/home.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /home with no dedicated partition
+
+[Mount]
+What=/home
+Where=/home
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/remount-api.service

@@ -0,0 +1,26 @@
+# https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+# When not editing fstab, some filesystems have to be remounted in order to be hardened
+
+[Unit]
+Description=Remounts what can not be mounted with secure options in the first run without having to edit fstab
+
+Before=sysinit-post.target
+Before=basic.target
+Before=multi-user.target
+Before=graphical.target
+Before=getty-pre.target
+Before=network-pre.target
+
+After=local-fs.target
+After=sysinit.target
+After=qubes-sysinit.service
+
+Requires=local-fs.target
+Requires=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=remount-api
+
+[Install]
+WantedBy=sysinit-post.target

lib/systemd/system/tmp.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /tmp with no dedicated partition
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Options=defaults,nodev,noexec,nosuid
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/usr-share.mount

@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /usr/share with no dedicated partition
+Before=usr.mount
+
+[Mount]
+What=/usr/share
+Where=/usr/share
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/usr.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /usr with no dedicated partition
+
+[Mount]
+What=/usr
+Where=/usr
+Options=defaults,nodev,bind
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/var-log.mount

@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /var/log with no dedicated partition
+Before=var.mount
+
+[Mount]
+What=/var/log
+Where=/var/log
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/var-tmp.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /var/tmp with no dedicated partition
+
+[Mount]
+What=/var/tmp
+Where=/tmp
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

lib/systemd/system/var.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /var with no dedicated partition
+
+[Mount]
+What=/var
+Where=/var
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target

usr/bin/remount-api

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+## This one seems to be superfluous because debian seems to mount run hardened anyway
+# mount -o defaults,nodev,noexec,nosuid,remount /run
+
+mount -o defaults,nodev,noexec,nosuid,remount /dev/shm
+mount -o defaults,noexec,nosuid,remount /dev