From 68c62b63643693f6a63b2b422fc7a9073d37ab80 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:05:42 +0000
Subject: [PATCH 01/13] home
---
 etc/systemd/system/home.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/home.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/home.mount.d/50_security-misc.conf b/etc/systemd/system/home.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/home.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid
From ffe8847879238bd9a7e800e0ee4da40aa8de2b62 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:07:40 +0000
Subject: [PATCH 02/13] Create 50_security-misc.conf
---
 etc/systemd/system/var.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var.mount.d/50_security-misc.conf b/etc/systemd/system/var.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/var.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid
From 7fabd371a4debae3e68c3545899e6da731ecec3d Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:08:19 +0000
Subject: [PATCH 03/13] var-log
---
 etc/systemd/system/var-log.mount.d | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-log.mount.d
diff --git a/etc/systemd/system/var-log.mount.d b/etc/systemd/system/var-log.mount.d
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/var-log.mount.d
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
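Review bot: `Options=nodev,nosuid` in a `.mount.d` drop-in replaces, rather than extends, the `Options=` of the unit it applies to, so for a home.mount generated from /etc/fstab the fstab options (for example `subvol=`, `errors=remount-ro` or `x-systemd.*` settings) are silently dropped; the same applies to the var, var-log, var-tmp, var-log-audit, tmp, boot, boot-efi, usr and usr-share drop-ins later in this series. The target fstab entries are not on the page, so whether this actually breaks a mount depends on the deployment, but a hardening drop-in should not be able to change which subvolume gets mounted. If the options cannot be merged into the fstab entries themselves, the file should at least say so: `# NOTE: Options= replaces the fstab options of home.mount entirely; any option the` `# filesystem needs (subvol=, errors=, umask=, ...) must be repeated here.` When no separate /home mount exists the drop-in is inert and the hardening silently does not apply, which is worth a line in the package documentation.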
From 155d491de69dc39961adca937619444a5cae59a9 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:10:06 +0000
Subject: [PATCH 04/13] fix
---
 etc/systemd/system/var-log.mount.d | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 etc/systemd/system/var-log.mount.d
diff --git a/etc/systemd/system/var-log.mount.d b/etc/systemd/system/var-log.mount.d
deleted file mode 100644
index b1451d84..00000000
--- a/etc/systemd/system/var-log.mount.d
+++ /dev/null
@@ -1,2 +0,0 @@
-[Mount]
-Options=nodev,nosuid,noexec
From 1ea3a1ad3bad4fd057971131b049afc365588ccc Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:10:15 +0000
Subject: [PATCH 05/13] var-log
---
 etc/systemd/system/var-log.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-log.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var-log.mount.d/50_security-misc.conf b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
From fc5e28229a91f16a86dcc5336ab126743cb16f46 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:10:58 +0000
Subject: [PATCH 06/13] var-tmp
---
 etc/systemd/system/var-tmp.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf b/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
From 93af145da5ba48e7f681edec2752f9696cede038 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:12:00 +0000
Subject: [PATCH 07/13] Create 50_security-misc.conf
---
 etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf b/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
From 591f8aceb1b38f815d99f32b04515ab6f295b847 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:12:30 +0000
Subject: [PATCH 08/13] tmp
---
 etc/systemd/system/tmp.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/tmp.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/tmp.mount.d/50_security-misc.conf b/etc/systemd/system/tmp.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/tmp.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
From 1943db0876f3683b49c5f705b075c74736624fdf Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:13:31 +0000
Subject: [PATCH 09/13] boot
---
 etc/systemd/system/boot.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/boot.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/boot.mount.d/50_security-misc.conf b/etc/systemd/system/boot.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/boot.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
From a85882f561d7e12be397e60fa4a5911f430df384 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:14:08 +0000
Subject: [PATCH 10/13] boot-efi
---
 etc/systemd/system/boot-efi.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf b/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..b1451d84
--- /dev/null
+++ b/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid,noexec
From e2b29819a13ac351507dfba883ce490e1f537cf2 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:15:24 +0000
Subject: [PATCH 11/13] usr
---
 etc/systemd/system/usr.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/usr.mount.d/50_security-misc.conf
diff --git a/etc/systemd/system/usr.mount.d/50_security-misc.conf b/etc/systemd/system/usr.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..638cb8be
--- /dev/null
+++ b/etc/systemd/system/usr.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev
From acdda32f78dfcf6fb1624c79d7485b568d15a06e Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:16:02 +0000
Subject: [PATCH 12/13] usr-share
---
 etc/systemd/system/usr-share.mount.d/50_security-misc.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/usr-share.mount.d/50_security-misc.conf
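Review bot: For the EFI system partition the replacement of `Options=` in boot-efi.mount.d is a security regression rather than only a functional one: the ESP is commonly mounted from fstab with `umask=0077` (vfat has no Unix permissions, so that option is what keeps bootloader files and kernel images from being world-readable), and this drop-in would override it with `nodev,nosuid,noexec` alone, leaving the ESP contents readable by every local user. The fstab entry is not on the page, so confirm with `findmnt -o OPTIONS /boot/efi` after a boot with the drop-in installed. If the drop-in stays, the safer content is `Options=nodev,nosuid,noexec,umask=0077`, with a comment that `umask=0077` must not be removed because it replaces what fstab would otherwise provide. The boot.mount.d drop-in in the previous hunk has the same replacement behaviour, though /boot is typically ext4 with `defaults`, so the loss there is less severe.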
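Review bot: A separate /usr is mounted by the initrd before the root filesystem's unit files are read, so a drop-in in `/etc/systemd/system/usr.mount.d/` most likely never influences the options the filesystem is actually mounted with; systemd does not remount an already-active mount just because a unit file now says `Options=nodev`. That is inferred from how initrd-based boots handle /usr and should be checked on a real system with `findmnt /usr`; if `nodev` is absent, the hardening belongs in the initrd's view of fstab instead. At minimum the file deserves a comment such as `# Only effective if usr.mount is (re)mounted after switch-root; verify with findmnt /usr`. This is also the only drop-in in the series without `nosuid`, which is presumably deliberate because of setuid binaries under /usr, but the commit message should say so.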
diff --git a/etc/systemd/system/usr-share.mount.d/50_security-misc.conf b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid
From cd163b99fc4e8cf10d9bad3bd34b222023cc2ae6 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 11:33:36 +0000
Subject: [PATCH 13/13] api
---
 etc/default/grub.d/40_secure-mount.cfg | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/default/grub.d/40_secure-mount.cfg
diff --git a/etc/default/grub.d/40_secure-mount.cfg b/etc/default/grub.d/40_secure-mount.cfg
new file mode 100644
index 00000000..6e8ccc2d
--- /dev/null
+++ b/etc/default/grub.d/40_secure-mount.cfg
@@ -0,0 +1,11 @@
+# tmp and api file systems
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=tmpfs:/tmp:[:tmpfs[:defaults,nodev,nosuid,noexec]]"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=udev:/dev:[:devtmpfs[:defaults,nosuid,noexec]]"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=tmpfs:/dev/shm:[:tmpfs[:defaults,nodev,nosuid,noexec]]"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=tmpfs:/run:[:tmpfs[:defaults,nodev,nosuid,noexec]]"
+#
+#
+## Also binds can be done in this manner
+## But how do know for sure that we can bind for example var to itself? We can't do it if var has a dedicated partitoin on disk.
+## Have to find a way to make sure there is no partition before binding anything
+## Possible to use if else in kernel command line?
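Review bot: The four `systemd.mount-extra=` values copy the square brackets of the manual's `WHAT:WHERE[:FSTYPE[:OPTIONS]]` notation literally, so the kernel command line will carry `tmpfs:/tmp:[:tmpfs[:defaults,nodev,nosuid,noexec]]`, which the generator will either reject or split with `[` as the filesystem type and the bracketed remainder as options; either way the intended mounts do not happen and the hardening they carry is silently absent. The brackets mark optional fields and must be dropped, e.g. `systemd.mount-extra=tmpfs:/tmp:tmpfs:defaults,nodev,nosuid,noexec`, and likewise for the /dev, /dev/shm and /run entries. `systemd.mount-extra=` is only understood by recent systemd releases, so the file should state the minimum version it relies on, and the /dev entry deserves a comment on whether stacking a second devtmpfs over the one systemd already mounts at early boot is intended. The commented-out notes about bind mounts read as a scratchpad; either turn them into a single clear TODO or move them to the commit message.
```shell
# tmp and api file systems
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=tmpfs:/tmp:tmpfs:defaults,nodev,nosuid,noexec"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=udev:/dev:devtmpfs:defaults,nosuid,noexec"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=tmpfs:/dev/shm:tmpfs:defaults,nodev,nosuid,noexec"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.mount-extra=tmpfs:/run:tmpfs:defaults,nodev,nosuid,noexec"
# … unchanged: bind-mount notes …
```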