Information
ID: 941
PHID: PHID-TASK-qbnj6za35lnyztxsu2pf
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal
Description
https://chromium.googlesource.com/chromiumos/docs/+/HEAD/security/noexec_shell_scripts.md
(Re-)mounting /home [and others?] with noexec (and nosuid [among other useful mount options]) for better security should be implemented first, before this one.
This could be implemented by removing read access for the user "user" from interpreters such as python and compilers such as gcc.
Interpreter locking might break many things. It is not yet clear whether this will become a default-enabled feature.
So that we don't have to parse on/off for each one, it is best to use a syntax similar to systemctl, e.g.:
permission-hardener enable all
permission-hardener disable all
permission-hardener enable compiler
permission-hardener disable compiler
permission-hardener enable interpreter
permission-hardener disable interpreter
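As an added example (not the task's own code and not the permission-hardener shipped by Kicksecure/Whonix), the following POSIX shell sketch implements the systemctl-like enable/disable syntax listed above and adds a precondition check for the noexec mount point mentioned earlier in the description. The category membership lists, the function names, and the PH_ROOT variable (a scratch tree prefix so the script can be exercised without touching real system binaries) are assumptions. Note that it clears both the read and the execute bit for users other than the owner: execve only checks the execute bit, so a file left with mode 0111 still runs, and removing read alone would not lock the interpreter.

```shell
#!/bin/sh
# permission-hardener sketch (added example, hypothetical implementation).
# PH_ROOT is an assumed prefix: empty means the real filesystem, a scratch
# directory lets the script be tested offline.
set -u
PH_ROOT="${PH_ROOT:-}"

# Which binaries belong to which category. Assumed membership; a real
# deployment would read this from a configuration file instead.
ph_members() {
  case "$1" in
    interpreter) echo "/usr/bin/python3 /usr/bin/perl" ;;
    compiler)    echo "/usr/bin/gcc /usr/bin/cc" ;;
    all)         ph_members interpreter; ph_members compiler ;;
    *)           return 1 ;;
  esac
}

# enable  -> drop read and execute for everyone but owner and group (root)
# disable -> restore the usual world read/execute bits
ph_apply() {
  f="$PH_ROOT$2"
  [ -e "$f" ] || return 0      # binary not installed: nothing to do
  case "$1" in
    enable)  chmod o-rx "$f" ;;
    disable) chmod o+rx "$f" ;;
    *)       return 2 ;;
  esac
}

# Entry point mirroring "permission-hardener <enable|disable> <category>".
ph_main() {
  action="$1"; target="$2"
  members=$(ph_members "$target") || {
    echo "usage: permission-hardener enable|disable all|compiler|interpreter" >&2
    return 2
  }
  for p in $members; do
    ph_apply "$action" "$p" || return 2
  done
}

# Octal mode of a path under PH_ROOT, for checks and tests (GNU stat).
ph_mode() { stat -c %a "$PH_ROOT$1"; }

# Precondition from the task: is <mountpoint> mounted with <option>?
# $1 = a file in /proc/mounts format, $2 = mountpoint, $3 = option name.
ph_mount_has_opt() {
  while read -r dev mnt fstype opts rest; do
    [ "$mnt" = "$2" ] || continue
    case ",$opts," in
      *",$3,"*) return 0 ;;
    esac
    return 1
  done < "$1"
  return 1
}

# When run as a script: refuse to lock interpreters until /home is noexec.
if [ $# -ge 2 ]; then
  if [ "$1" = enable ] && ! ph_mount_has_opt /proc/mounts /home noexec; then
    echo "warning: /home is not mounted noexec; mount hardening should come first" >&2
  fi
  ph_main "$1" "$2"
fi
```

The category-level operations are idempotent, so "enable all" followed by "disable compiler" leaves only the interpreter category locked, which is the state the per-category syntax is meant to make expressible without per-binary on/off parsing.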