implement remount-secure

etc/default/grub.d/40_remmount-secure.cfg

@@ -0,0 +1,10 @@
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
+
+## Re-mount with nodev, nosuid.
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
+
+## Re-mount with nodev, nosuid, noexec.
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1"

usr/bin/remount-secure

@@ -13,51 +13,52 @@ set -e
 set -o pipefail
 set -o nounset
 
-## Not simple with dracut.
-# if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
-#    ## pre.bsh would `source` the following folders:
-#    ## /etc/remount-secure_pre.d/*.conf
-#    ## /usr/local/etc/remount-secure_pre.d/*.conf
-#    # shellcheck disable=SC1091
-#    source /usr/libexec/helper-scripts/pre.bsh
-# fi
-
 if test -o xtrace ; then
    output_command=true
 else
    output_command=echo
 fi
 
-if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then
+mkdir --parents "/run/remount-secure"
-   $output_command "INFO: file /etc/remount-disable exists. Doing nothing."
-   exit 0
-fi
-
-if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then
-   noexec=false
-   $output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists."
-else
-   if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then
-      noexec=true
-      $output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists."
-   else
-      $output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist."
-   fi
-fi
-
-mkdir --parents "/var/run/remount-secure"
-
-[[ -v noexec ]] || noexec=""
-[[ -v noexec_maybe ]] || noexec_maybe=""
-
-if [ "$noexec" = "true" ]; then
-   noexec_maybe=",noexec"
-fi
 
 exit_code=0
 
 mount_output="$(mount)"
 
+parse_options() {
+   ## Thanks to:
+   ## http://mywiki.wooledge.org/BashFAQ/035
+
+   while :
+   do
+       case ${1:-} in
+           --remountnoexec)
+               $output_command "INFO: --remountnoexec"
+               noexec_maybe=",noexec"
+               shift
+               ;;
+           --force)
+               $output_command "INFO: --force"
+               option_force=true
+               shift
+               ;;
+           --)
+               shift
+               break
+               ;;
+           -*)
+               echo "unknown option: $1" >&2
+               exit 1
+               ;;
+           *)
+               break
+               ;;
+       esac
+   done
+
+   [[ -v noexec_maybe ]] || noexec_maybe=""
+}
+
 remount_secure() {
    ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
    ## which called this function.
@@ -78,7 +79,7 @@ remount_secure() {
    ## When this package is upgraded, the systemd unit will run again.
    ## If the user meanwhile manually relaxed mount options, this should not be undone.
 
-   if [ "${1:-}" == "--force" ]; then
+   if [ "$option_force" == "true" ]; then
       if [ -e "$status_file_full_path" ]; then
          $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want."
          return 0
@@ -137,6 +138,7 @@ end() {
 }
 
 main() {
+   parse_options "$@"
    _home "$@"
    _run "$@"
    _dev_shm "$@"

usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh

@@ -3,15 +3,22 @@
 ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## This script is intended to remount specified mount points with more secure
+## options based on kernel command line parameters.
+
 remount_hook() {
    local remount_action
    remount_action=$(getarg remountsecure)
 
-   if [ ! "$remount_action" = "yes" ]; then
+   if getargbool 1 remountnoexec; then
+      remount-secure --remountnoexec
       return 0
    fi
 
-   remount-secure
+   if getargbool 1 remountsecure; then
+      remount-secure
+      return 0
+   fi
 }
 
 remount_hook