The nitpick first before addressing the actual real and hard question:
/lib/systemd/system/ instead as per
Good question, next question.
Non-Qubes-Whonix: file owned by nobody, created by grml-debootstrap at image creation and then left alone.
Qubes-Whonix: as per Qubes default:
dpkg -S /etc/fstab
The Qubes version is much different.
So this would require a new package which gets installed in Non-Qubes-Whonix only, to avoid package conflicts. (And Qubes would require a separate issue and pull request [which is optional].) We don’t have such a package yet.
I am not sure if by introducing such a package we might break user customization for people who modified /etc/fstab but probably not and for Whonix 15 upgrade this is ok (and still in time).
Any naming suggestion for such a package? It’s not just hidepid, perhaps later other fstab hardening? It’s general security also, not hardcoded for Whonix.

Can we use /etc/fstab.d rather than /etc/fstab while we are at it?

/etc/fstab would be really bad since it has to be complete, which then might make it (Whonix|hardened debian) VM specific. /etc/fstab.d would be super helpful if we could just harden/reconfigure /proc rather than shipping a complete /etc/fstab. (Then probably even Qubes compatible.) In that case we could even add this to the security-misc package too.
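Added example, written for this page and not taken from the post, from Whonix or from the security-misc package: a POSIX shell snippet that reads a mounts table in /proc/mounts format, reports which hidepid level /proc is currently mounted with, and prints the single fstab line that a /proc hardening package would need to ship. The mounts table below is constructed sample data; on a real system you would feed it /proc/mounts. The /etc/fstab.d directory proposed above is not assumed to exist; the script only shows the line itself. One caveat a practitioner should know: hidepid=2 hides every process not owned by the calling user, so daemons that must inspect other users' processes need to be placed in the group named by the gid= mount option, which the helper accepts as an optional argument.

```shell
#!/bin/sh
# Added example: check the hidepid level of /proc and print a hardened fstab line.
# Not code from the Whonix forum post or the security-misc package.

# Constructed sample in /proc/mounts format (assumption: real input would be
# `cat /proc/mounts`). This /proc has no hidepid option at all.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4012904k,nr_inodes=1003226,mode=755 0 0'

# proc_hidepid_level MOUNTS_TEXT
# Prints the numeric hidepid level of the /proc mount: 0 when the option is
# absent, otherwise the value given. Newer kernels accept the names
# noaccess/invisible/ptraceable, which map to 1/2/4 so callers can compare
# numerically. Returns 1 (prints nothing) when no /proc mount is present.
proc_hidepid_level() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" && !found {
            found = 1
            level = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    v = substr(opts[i], 9)        # strip the 8-char "hidepid=" prefix
                    if (v == "noaccess") v = 1
                    else if (v == "invisible") v = 2
                    else if (v == "ptraceable") v = 4
                    level = v
                }
            }
            print level
        }
        END { exit found ? 0 : 1 }'
}

# fstab_hidepid_line [GID]
# Prints the fstab entry that mounts /proc with hidepid=2 plus the usual
# nosuid,nodev,noexec. If GID is given, members of that group are exempted
# via gid=, which is how daemons that need to see other users' processes
# keep working under hidepid=2.
fstab_hidepid_line() {
    fstab_opts='nosuid,nodev,noexec,hidepid=2'
    if [ -n "${1:-}" ]; then
        fstab_opts="$fstab_opts,gid=$1"
    fi
    printf 'proc /proc proc %s 0 0\n' "$fstab_opts"
}

# Stand-alone demonstration on the constructed table.
echo "hidepid level of sample /proc: $(proc_hidepid_level "$SAMPLE_MOUNTS")"
echo "fstab line to ship:            $(fstab_hidepid_line)"
echo "with an exempt group (gid 1234): $(fstab_hidepid_line 1234)"
```

To apply the hardening to a running system without rebooting, `mount -o remount,hidepid=2 /proc` takes effect immediately and lets you confirm, by running the check against the real /proc/mounts, that the level reported is 2 before committing the line to fstab.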