-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better Secure Remount #152
Changes from 9 commits
c019c2f
85c450f
3763235
fa61337
8ce90bc
3284b5a
c42e6b2
c0a5fab
9959688
7a5e745
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
[Unit] | ||
adrelanos marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Description=Remount partitions with hardened mount options. | ||
After=sysinit.target | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Something similar to this also applies: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To do this as early as possible (for better security, avoid race conditions) something like this would be desirable:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ideally something like...
But this isn't possible.
Looking for a solution. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There is a lot important stuff happening during There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hmm. I can try, but might not work. I don't know when we do all the mounting the first time. We don't want to be before that. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ok so those won't work. I still took it a little earlier. We do the remounting before networking.service and dbus.service. Before those started, malware doesn't have much of a chance probably? I think. We can identify more 'sensitive' services like these to put them in the before condition. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is the crux. There was "no answer" to my question how to have a systemd unit do the mount options hardening without race conditions:
But maybe a new systemd target could be invented one that runs after sysinit.target but before basic.target. systemd is probably flexible enough to support such a use case. The question is how. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is the critical point. Can it be done without race conditions (which broke the very old implementation and made me even port to dracut). |
||
## so that these services don't fail to start | ||
Before=systemd-logind.service power-profiles-daemon.service switcheroo-control.service networking.service dbus.service | ||
|
||
[Service] | ||
Type=oneshot | ||
ExecStart=/usr/libexec/security-misc/secure-remount | ||
|
||
[Install] | ||
WantedBy=sysinit.target |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
#!/bin/bash | ||
|
||
config_file="/usr/lib/security-misc_secure-remount.conf" | ||
|
||
if [ -f $config_file ] | ||
then | ||
rm $config_file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could also just unconditionally delete it using rm -f? |
||
fi | ||
touch $config_file | ||
|
||
echo "/ / none defaults,remount 0 2" >> $config_file | ||
echo "/dev/shm /dev/shm none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
echo "/dev /dev none defaults,nosuid,noexec,remount 0 2" >> $config_file | ||
echo "/run /run none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
|
||
if grep --quiet " /boot " /etc/fstab | ||
adrelanos marked this conversation as resolved.
Show resolved
Hide resolved
|
||
then | ||
echo "/boot /boot none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
else | ||
echo "/boot /boot none defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file | ||
fi | ||
|
||
if grep --quiet " /boot/efi " /etc/fstab | ||
then | ||
echo "/boot/efi /boot/efi vfat defaults,nosuid,nodev,noexec,umask=0077,remount 0 2" >> $config_file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could be avoided by doing the same for /boot which then would cover /boot/efi as well? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. On efi systems /boot/efi is automatically a seperate partition than /boot. This is the debian default installer behavior, and is also recommended when installing manually, for backwards compatibility with legacy boot. So /boot/efi is mounted seperately, on a different literal partition. That's why it has to be seperately remounted. If the system isn't uefi, we don't do the remounting. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Actually correction, it is not only recommended, it is mandatory that /boot/efi is a seperate partition. Because the file system has to be vfat apparently. So yes, mounting /boot won't cover /boot/efi in any case if it exists. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I hope we won't run into the "double mount" issues we had before. |
||
fi | ||
|
||
if grep --quiet " /home " /etc/fstab | ||
adrelanos marked this conversation as resolved.
Show resolved
Hide resolved
|
||
then | ||
echo "/home /home none defaults,nosuid,nodev,remount 0 2" >> $config_file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If that's the case, we can easily get rid of the 'defaults' for remounts and just stick to it when doing 'bind'. I think that might even be better regardless. Will push with changes. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes. |
||
else | ||
echo "/home /home none defaults,nosuid,nodev,bind 0 2" >> $config_file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does this undo potential user customizations in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Will test and see. |
||
fi | ||
|
||
if grep --quiet " /tmp " /etc/fstab | ||
adrelanos marked this conversation as resolved.
Show resolved
Hide resolved
|
||
then | ||
echo "/tmp /tmp none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also stuff at the end |
||
else | ||
echo "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" >> $config_file | ||
fi | ||
|
||
if grep --quiet " /var/log/audit " /etc/fstab | ||
then | ||
echo "/var/log/audit /log/audit none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
fi | ||
|
||
if grep --quiet " /var/tmp " /etc/fstab | ||
then | ||
echo "/var/tmp /var/tmp none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
else | ||
echo "/tmp /var/tmp none defaults,nosuid,nodev,noexec,bind 0 0" >> $config_file | ||
fi | ||
|
||
if grep --quiet " /var/log " /etc/fstab | ||
then | ||
echo "/var/log /var/log none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file | ||
else | ||
echo "/var/log /var/log none defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file | ||
fi | ||
|
||
if grep --quiet " /var " /etc/fstab | ||
then | ||
echo "/var /var none defaults,nosuid,nodev,remount 0 2" >> $config_file | ||
else | ||
echo "/var /var none defaults,nosuid,nodev,bind 0 2" >> $config_file | ||
fi |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
#!/bin/bash | ||
|
||
config_file="/usr/lib/security-misc_secure-remount.conf" | ||
|
||
mount --fstab $config_file --all | ||
adrelanos marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
echo "Partitions securely remounted by security-misc" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why (only) at package install time and not a boot time?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because it is not expected for the partitioning scheme of a system to change. This would normally only happen with a fresh install or a reinstall. And that would guarantee the package being reinstalled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A system administrator might change /etc/fstab at any time.
For example, Qubes has a package that ships /etc/fstab and there have been updated to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doing this at boot time as discussed. (But does not hurt also doing this at package install time - makes this easier to debug. But then the systemd unit will take care of it anyway.)