refactoring

This commit is contained in:
Patrick Schleizer
2019-12-21 05:07:10 -05:00
parent 315ce86b9a
commit ed20980f4c
2 changed files with 38 additions and 58 deletions

debian/control vendored

@ -15,7 +15,7 @@ Standards-Version: 4.3.0
Package: security-misc Package: security-misc
Architecture: all Architecture: all
Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser,
apparmor-profile-anondist, ${misc:Depends} apparmor-profile-anondist, helper-scripts, ${misc:Depends}
Replaces: tcp-timestamps-disable Replaces: tcp-timestamps-disable
Description: enhances misc security settings Description: enhances misc security settings
Inspired by Kernel Self Protection Project (KSPP) Inspired by Kernel Self Protection Project (KSPP)


@ -8,6 +8,7 @@
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
set -x
set -e set -e
if [ -f /usr/lib/helper-scripts/pre.bsh ]; then if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
@ -37,90 +38,69 @@ fi
exit_code=0 exit_code=0
_home() { mount_output="$(mount)"
funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")"
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then remount_secure() {
## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
## which called this function.
status_file_name="${FUNCNAME[1]}"
## example status_file_name:
## _home
if [ -e "/var/run/remount-secure/${status_file_name}" ]; then
return 0 return 0
fi fi
new_mount_options="nosuid,nodev${noexec_maybe}" ## str_replace is provided by package helper-scripts.
if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then mount_folder="$(echo "${status_file_name}" | str_replace "_" "/")"
echo "INFO: $funcname_sanatized has already intended mount options." ## example mount_folder:
## /home
if echo "$mount_output" | grep "$mount_folder" | grep -q "$new_mount_options" ; then
echo "INFO: $mount_folder has already intended mount options."
return 0 return 0
fi fi
mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=2
if echo "$mount_output" | grep -q "$mount_folder" ; then
## Already mounted. Using remount.
mount -o "remount,${new_mount_options}" "$mount_folder"
else
## Not yet mounted. Using mount bind.
mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder"
fi
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
_home() {
new_mount_options="nosuid,nodev${noexec_maybe}"
remount_secure "$@"
}
_run() { _run() {
funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")"
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then remount_secure "$@"
echo "INFO: $funcname_sanatized has already intended mount options."
return 0
fi
mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=3
touch "/var/run/remount-secure/${FUNCNAME}"
} }
_dev_shm() { _dev_shm() {
funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")"
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then remount_secure "$@"
echo "INFO: $funcname_sanatized has already intended mount options."
return 0
fi
mount -o "remount,${new_mount_options}" "$funcname_sanatized" || exit_code=4
touch "/var/run/remount-secure/${FUNCNAME}"
} }
_tmp() { _tmp() {
funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")"
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then remount_secure "$@"
echo "INFO: $funcname_sanatized has already intended mount options."
return 0
fi
mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=5
touch "/var/run/remount-secure/${FUNCNAME}"
} }
_sys_kernel_security() { _sys_kernel_security() {
funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")"
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then remount_secure "$@"
echo "INFO: $funcname_sanatized has already intended mount options."
return 0
fi
mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=6
touch "/var/run/remount-secure/${FUNCNAME}"
} }
_lib() { _lib() {
funcname_sanatized="$(echo "$FUNCNAME" | str_replace "_" "/")"
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
## Not using noexec on /lib. ## Not using noexec on /lib.
new_mount_options="nosuid,nodev" new_mount_options="nosuid,nodev"
if mount | grep "$funcname_sanatized" | grep -q "$new_mount_options" ; then remount_secure "$@"
echo "INFO: $funcname_sanatized has already intended mount options."
return 0
fi
mount -o "$new_mount_options" --bind "$funcname_sanatized" "$funcname_sanatized" || exit_code=7
touch "/var/run/remount-secure/${FUNCNAME}"
} }
end() { end() {