lock down interpreters / compilers (interpreter lock) (compiler lock)

Information

ID: 941
PHID: PHID-TASK-qbnj6za35lnyztxsu2pf
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal

Description

https://chromium.googlesource.com/chromiumos/docs/+/HEAD/security/noexec_shell_scripts.md

(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? should be implemented first before this one.

This could be implemented by removing read access for user user from interpreters such as python and compilers such as gcc.

Interpreter lock might break many things. Not clear yet if this might become a default enabled feature.

So we don’t have to parse on/off for each, best to make a syntax similar to systemctl. Here:

  • permission-hardener enable all
  • permission-hardener disable all
  • permission-hardener enable compiler
  • permission-hardener disable compiler
  • permission-hardener enable interpreter
  • permission-hardener disable interpreter
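
A sketch of how the enable/disable syntax above could map onto file modes. This is an added example, not part of the original task and not permission-hardener's code. The function name lock_sketch, the variables HARDEN_ROOT and STATE_DIR, and the path lists are all hypothetical, and it assumes the targets are root-owned so that user user reaches them only through the "other" permission bits.

```shell
# Hypothetical sketch, not permission-hardener itself.
# HARDEN_ROOT lets the logic run against a scratch tree instead of /.
HARDEN_ROOT="${HARDEN_ROOT:-/}"
STATE_DIR="${STATE_DIR:-/var/lib/lock-sketch}"   # assumed location
COMPILER_PATHS="usr/bin/gcc usr/bin/cc"          # assumed, not exhaustive
INTERPRETER_PATHS="usr/bin/python3 usr/bin/perl" # assumed, not exhaustive

# Map a group name from the proposed syntax to its path list.
paths_for() {
  case "$1" in
    compiler)    echo "$COMPILER_PATHS" ;;
    interpreter) echo "$INTERPRETER_PATHS" ;;
    all)         echo "$COMPILER_PATHS $INTERPRETER_PATHS" ;;
    *)           return 1 ;;
  esac
}

# lock_sketch enable|disable all|compiler|interpreter
lock_sketch() {
  action="$1"; group="$2"
  case "$action" in
    enable|disable) ;;
    *) echo "usage: lock_sketch enable|disable all|compiler|interpreter" >&2
       return 2 ;;
  esac
  list=$(paths_for "$group") || { echo "unknown group: $group" >&2; return 2; }
  mkdir -p "$STATE_DIR" || return 1
  for rel in $list; do
    target="${HARDEN_ROOT%/}/$rel"
    [ -f "$target" ] || continue            # not installed: nothing to do
    saved="$STATE_DIR/$(echo "$rel" | tr / _)"
    if [ "$action" = enable ]; then
      # Record the original mode only once, so a repeated "enable"
      # cannot overwrite it with the already locked mode.
      [ -e "$saved" ] || stat -L -c %a "$target" > "$saved"
      chmod o-rwx "$target"                 # drop access via "other" bits
    else
      [ -e "$saved" ] || continue           # never locked by this tool
      chmod "$(cat "$saved")" "$target" && rm -f "$saved"
    fi
  done
}
```

Saving the original mode before the first change is what makes disable a true undo rather than a guess at the distribution default.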

Comments

Qubes /run/qubes-update/agent/entrypoint.py might be an issue.