It’s hard to identify which one is the offending one. Could be multiple or some combination that don’t work.
Also I would like to rehash if it’s really worth it. Is what we are doing different from what systemd or other default services are doing (use mount) which are not using that kind of hardening?
It might be PrivateMounts=true. Try uncommenting just that.
Most default systemd services use hardening by default. See inside /lib/systemd/system/systemd-logind.service for example. I find it unlikely that whatever systemd uses for mounting doesn’t use hardening also.
We should at least keep PrivateNetwork=true. That gets rid of all network access from the service which would reduce the chance of somebody exploiting it. Weird that Qubes is the only one breaking from this.
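Since the posts above cannot tell which directive is the offending one, an added example (not code from this thread, nor from Whonix or systemd) that enables the candidate hardening directives one at a time in a drop-in and restarts the service after each, so a breaking directive shows up on its own rather than as "some combination". The service name and the directive list are assumptions; `SERVICE=` overrides the name.

```shell
#!/bin/sh
# Added example, not code from the thread or from Whonix/systemd.
# Bisects a set of systemd hardening directives for one service: each
# directive is enabled alone in a drop-in, the service is restarted, and
# the result is recorded, so the directive that breaks the service is
# identified by itself instead of as part of a combination.
set -eu

# Placeholder unit name (assumed); set SERVICE=... in the environment.
SERVICE="${SERVICE:-example-mount-helper.service}"
DROPIN_DIR="/etc/systemd/system/${SERVICE}.d"
DROPIN_FILE="${DROPIN_DIR}/zz-bisect.conf"

# Candidate directives (assumed list, in the style of the hardening found
# in shipped units such as systemd-logind.service).
CANDIDATES="ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
PrivateNetwork=yes
PrivateMounts=yes"

# Render a drop-in that enables exactly one directive.
render_dropin() {
    printf '[Service]\n%s\n' "$1"
}

# Number of directives that will be tested.
count_candidates() {
    printf '%s\n' "$CANDIDATES" | grep -c '='
}

# PrivateMounts= puts the service in its own mount namespace, so mounts it
# performs are not propagated to the host: the first suspect for a service
# whose job is to mount things for the rest of the system.
affects_mount_propagation() {
    case "$1" in
        PrivateMounts=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install one drop-in, restart the service and report OK/FAIL.
try_directive() {
    mkdir -p "$DROPIN_DIR"
    render_dropin "$1" > "$DROPIN_FILE"
    systemctl daemon-reload
    if systemctl restart "$SERVICE" 2>/dev/null && systemctl is-active --quiet "$SERVICE"; then
        echo "OK   $1"
    else
        echo "FAIL $1"
    fi
}

# The system is only touched when invoked as: sudo sh bisect.sh run
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$CANDIDATES" | while IFS= read -r directive; do
        try_directive "$directive"
    done
    rm -f "$DROPIN_FILE"
    systemctl daemon-reload
    # Exposure score of the unit as it is actually shipped, for comparison.
    systemd-analyze security "$SERVICE"
fi
```

A directive that only fails in combination with another will still pass this single-directive pass; in that case re-run with the survivors added to the drop-in cumulatively. The `systemd-analyze security` line at the end shows how much exposure the remaining directives buy, which is the figure to weigh against the cost of keeping them.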
When compiling the kernel, it generates System.map files. The kernel package likely puts them into /boot so we’d have to modify the package if we want to suppress the creation of them.
They get deleted at boot by a systemd service. If they get created later on, they’d get deleted next boot.
Which means there’s a time gap between re-creation and re-deletion which could be abused even by chance by malware.
Could you look please if you can find the code which generates these files? Maybe there is a config option already to disable it. And if not, we could request it from upstream.