Should security-misc also disable coredumps? For distros that have them enabled by default.
It wouldn’t be needed on Whonix as Debian disables them by default and Whonix doesn’t re-enable them but it may be useful for other distros that are using security-misc.
I can add systemd sandboxing if needed (likely not).
I am wondering if systemd sandboxing can do more harm than good here.
What’s the threat model? /proc containing at early boot something
malicious, which would upon using mount with remount options, result
in exploiting a vulnerability in mount, then leading to root compromise?
On the other hand, any (distribution) upgrade of kernel, mount or any
dependent libraries requiring any new seccomp could lead to remount fail
“in the middle”, hence end up with an unbootable system?
I just think we should sandbox as much as possible, especially root processes. A compromised systemd service could pretty easily be turned into a rootkit.
That’s unlikely as I doubt mount will be updated much and this is what testers versions are for. Any major kernel update will likely be part of the testers only version of Whonix. I could remove the syscall filter so it’d be even more unlikely for it to break.
It’s hard to identify which one is the offending one. Could be multiple or some combination that don’t work.
Also I would like to rehash if it’s really worth it. Is what we are doing different from what systemd or other default services are doing (use mount) which are not using that kind of hardening?
It might be PrivateMounts=true. Try uncommenting just that.
Most default systemd services use hardening by default. See inside /lib/systemd/system/systemd-logind.service for example. I find it unlikely that whatever systemd uses for mounting doesn’t use hardening also.
We should at least keep PrivateNetwork=true. That gets rid of all network access from the service which would reduce the chance of somebody exploiting it. Weird that Qubes is the only one breaking from this.