
Secure Bind Mount & Protect Hardware #202

Closed

Conversation

monsieuremre
Contributor

Hello. This pull request resolves two currently open issues. One is protecting hardware by limiting access to /proc and /sys. Well good news. I present you the best way possible. Mounting proc with subset=pid ensures that only the pid subset under proc is visible, everything else is invisible. This is also the case for root. No one can see anything. /proc/dma, /proc/iomem, /proc/ioports, /proc/meminfo, /proc/kallsyms, /proc/kcore and literally tons of other stuff, everything protected even from root. Just ls /proc to see for yourself what gets hidden.

When it comes to /sys, starting based on this comment, I found the sources of breakages. The comment is true, but not complete, because there are also other subsets that break too, apart from just fs. Those are enabled, and everything else is disabled. Tested.

And bind mounting. You said not having bind mounts is a big deal. You said binds are important, they are our lives. Well. You say no more. I give you binds, a lot of them, and them only. At this point, we might as well just bind everything, disregarding if it has a proper real partition. Because even if it does have a partition, bind mounting to itself does no harm literally. The overhead seems to be really really minimal and unnoticeable. So this is the current suggestion. Test for yourself and report please.

@adrelanos
Member

Thank you, there's some really nice research here!

I am afraid, we are going in cycles here. Some stuff disregarded here...

For a systemd unit file based implementation, there's already a better systemd unit file here:
https://github.com/Kicksecure/security-misc/blob/master/usr/lib/systemd/system/remount-secure.service

related:
https://www.kicksecure.com/wiki/Dev/remount-secure#systemd_unit_file_based_mount_options_hardening

The existing script remount-secure also seems better:
https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure

  • configurable
  • error handling
  • log output

I would prefer to improve that instead.

  • Any wrong / missing mount options (if any).
  • --make-private (which seems interesting)

Secure mount options should not be mixed with:

I am not sure this can be merged. But just leave it open. There are really good suggestions here.

mount --options defaults,nosuid,nodev --bind --make-private /home /home
mount --options defaults,nodev,nosuid --bind --make-private /tmp /tmp
mount --options defaults,nodev,nosuid,noexec --bind --make-private /boot/efi /boot/efi
mount --options defaults,nodev,noosuid,noexec --bind --make-private /boot /boot
Member

Typo: noosuid here but nvm.
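
As an added example (not code from this PR or the security-misc project), a small POSIX shell helper that allow-lists the option string before building the self-bind command used in this thread, which would have rejected the noosuid typo above, and then reads back the live mount's options so the hardening can be verified rather than assumed. KNOWN_OPTS and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not project code: validate mount options before building a
# bind-remount command, then verify the live mount carries what was asked for.
# Assumed allow-list of options we are willing to pass to mount(8).
KNOWN_OPTS="defaults nosuid nodev noexec ro rw relatime nodiratime"
# opts_valid OPTS -> 0 if every comma-separated option is in KNOWN_OPTS.
# A misspelling such as "noosuid" is rejected here instead of reaching mount.
opts_valid() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _opt=${_rest%%,*}
        case " $KNOWN_OPTS " in
            *" $_opt "*) ;;
            *) printf 'unknown mount option: %s\n' "$_opt" >&2; return 1 ;;
        esac
        [ "$_rest" = "$_opt" ] && break
        _rest=${_rest#*,}
    done
    return 0
}
# bind_cmd TARGET OPTS -> prints the command form used in this thread
# (bind the directory onto itself with private propagation), or fails.
bind_cmd() {
    opts_valid "$2" || return 1
    printf 'mount --options %s --bind --make-private %s %s\n' "$2" "$1" "$1"
}
# mount_opts_of TARGET [MOUNTS_FILE] -> option field of the mount at TARGET,
# read from /proc/self/mounts unless another file is given (for testing).
mount_opts_of() {
    awk -v t="$1" '$2 == t { print $4; exit }' "${2:-/proc/self/mounts}"
}
# has_opts OPTSTRING OPT... -> 0 if OPTSTRING contains every OPT.
has_opts() {
    _have=$1; shift
    for _want; do
        case ",$_have," in
            *",$_want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
# Typical use (needs root): build, apply, then verify the live mount.
# cmd=$(bind_cmd /boot defaults,nodev,nosuid,noexec) && eval "$cmd" &&
#   has_opts "$(mount_opts_of /boot)" nosuid nodev noexec || echo "/boot not hardened" >&2
```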

@adrelanos
Member

Adding more folders to remount-secure now...

adrelanos added a commit to adrelanos/security-misc that referenced this pull request Feb 22, 2024
@adrelanos
Member

Done.

@adrelanos
Member

Changes suggested here:
