Better Secure Remount

debian/security-misc.postinst

@@ -61,6 +61,8 @@ pam-auth-update --package
 /usr/libexec/security-misc/permission-lockdown
 permission_hardening
 
+/usr/libexec/security-misc/generate-secure-remount-config
+
 ## https://phabricator.whonix.org/T377
 ## Debian has no update-grub trigger yet:
 ## https://bugs.debian.org/481542

lib/systemd/system/remount-secure.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Remount partitions with hardened mount options.
+After=sysinit.target
+## so that these services don't fail to start
+Before=systemd-logind.service power-profiles-daemon.service switcheroo-control.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/secure-remount
+
+[Install]
+WantedBy=sysinit.target

usr/libexec/security-misc/generate-secure-remount-config

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+config_file="/usr/lib/security-misc_secure-remount.conf"
+
+if [ -f $config_file ]
+then
+rm $config_file
+fi
+touch $config_file
+chmod u+x $config_file
+
+echo "/                             /               ext4    defaults,remount  0 2" >> $config_file
+echo "/dev/shm                      /dev/shm        ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+echo "/dev                          /dev            ext4    defaults,nosuid,noexec,remount        0 2" >> $config_file
+echo "/run                          /run            ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+
+if grep --quiet " /boot " /etc/fstab
+then
+echo "/boot                         /boot           ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+else
+echo "/boot                         /boot           ext4    defaults,nosuid,nodev,noexec,bind     0 2" >> $config_file
+fi
+
+if grep --quiet " /boot/efi " /etc/fstab
+then
+echo "/boot/efi                    /boot/efi        vfat    defaults,nosuid,nodev,noexec,umask=0077,remount  0 2" >> $config_file
+fi
+
+if grep --quiet " /home " /etc/fstab
+then
+echo "/home                         /home           ext4    defaults,nosuid,nodev,remount         0 2" >> $config_file
+else
+echo "/home                         /home           ext4    defaults,nosuid,nodev,bind            0 2" >> $config_file
+fi
+
+if grep --quiet " /tmp " /etc/fstab
+then
+echo "/tmp                          /tmp            ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+else
+echo "tmpfs                         /tmp            tmpfs   defaults,nosuid,nodev,noexec          0 0" >> $config_file
+fi
+
+if grep --quiet " /var/log/audit " /etc/fstab
+then
+echo "/var/log/audit                /log/audit      ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+fi
+
+if grep --quiet " /var/tmp " /etc/fstab
+then
+echo "/var/tmp                      /var/tmp        ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+else
+echo "/tmp                          /var/tmp        none    defaults,nosuid,nodev,noexec,bind     0 0" >> $config_file
+fi
+
+if grep --quiet " /var/log " /etc/fstab
+then
+echo "/var/log                      /var/log        ext4    defaults,nosuid,nodev,noexec,remount  0 2" >> $config_file
+else
+echo "/var/log                      /var/log        ext4    defaults,nosuid,nodev,noexec,bind     0 2" >> $config_file
+fi
+
+if grep --quiet " /var " /etc/fstab
+then
+echo "/var                          /var            ext4    defaults,nosuid,nodev,remount         0 2" >> $config_file
+else
+echo "/var                          /var            ext4    defaults,nosuid,nodev,bind            0 2" >> $config_file
+fi

usr/libexec/security-misc/secure-remount

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+config_file="/usr/lib/security-misc_secure-remount.conf"
+
+mount --fstab $config_file --all
+
+echo "Partitions securely remounted by security-misc" >&2