From f3ff32ddbb8a7cf7555b9f1b2154e83154532a3d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 30 Dec 2019 06:39:24 -0500
Subject: [PATCH] Protect /bin/mount from 'chmod -x'.

/bin/mount exactwhitelist /usr/bin/mount exactwhitelist Remove SUID from 'mount' but keep executable. /bin/mount 745 root root /usr/bin/mount 745 root root https://forums.whonix.org/t/disable-suid-binaries/7706/61
---
 etc/permission-hardening.d/30_default.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 380b87b..1d0e0df 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -41,6 +41,12 @@
 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
 /usr/lib/chromium/chrome-sandbox exactwhitelist
 
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+
 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
@@ -92,6 +98,11 @@ dbus-daemon-launch-helper matchwhitelist
 # Permission Hardening
 ######################################################################
 
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 745 root root
+/usr/bin/mount 745 root root
+
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root
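Review bot: The comment above the two new exactwhitelist entries contradicts itself: the second line says the whitelist protects against SUID removal, the third says SUID is removed below. Rewording it as `## Keep the executable bit on mount (protect from 'chmod -x'); SUID is dropped by the explicit 745 entry in the Permission Hardening section below.` states the intent in one place. Whether a whitelist entry or a later mode entry wins when both match the same path depends on how the tool processes this file, which the diff does not show; if precedence matters, one sentence on it here would save the next reader a trip to the parser. On systems with merged /usr the two paths name the same file, so listing both is only needed if the tool matches paths literally rather than resolving symlinks.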
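Review bot: Mode `745` is rwxr--r-x, which gives execute to others but withholds it from the root group; that is inconsistent with the `0755` used for `/home/` two lines below and looks like a typo rather than an intended group lockout, so `/bin/mount 0755 root root` and `/usr/bin/mount 0755 root root` would express "remove SUID, keep executable" in the conventional form. The new entries also write the mode with three digits where every neighbouring entry uses four; even if the parser accepts both, the file reads better with one style. The comment should record the functional consequence of dropping SUID here: without it, non-root users cannot run mount at all, including for fstab entries carrying the `user` option, which is a deliberate trade-off worth stating next to the rule. Since an upgrade of the package that ships mount may restore the SUID bit, a pointer to how and when this hardening is re-applied (not visible in this diff) would also help.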