There is --bind and --rbind. Looks like what we want is --rbind?
Need to make sure that the original mount is no longer accessible. For example, if we mount /tmp on top of /tmp with more secure mount options, then the original /tmp must no longer be accessible. Is that the case, or is there some trick by which a non-root user could still access the original /tmp?
user@debian-buster-test:~$ sudo iptables --list
iptables/1.8.2 Failed to initialize nft: Protocol not supported
lsmod shows that fewer modules are loaded. And module auto-loading is broken. This breaks Whonix firewall. Will therefore disable remounting /lib with nosuid,nodev. But no security reduction. There are no devices and no suid in /lib anyhow. And permission hardening was sped up so that parsing /lib in permission hardening is ok.
Dec 29 04:17:12 debian-buster-test remount-secure[410]: mount -o nosuid,nodev --bind /tmp /tmp
Dec 29 04:17:12 debian-buster-test permission-hardening[413]: /usr/lib/security-misc/permission-hardening: line 255: cannot create temp file for here-document: No such file or directory
Dec 29 04:17:12 debian-buster-test permission-hardening[413]: ERROR: cannot parse line: /usr/bin/sudo exactwhitelist
Can cause issues such as this:
How can a systemd unit run alone, without any others being executed at the very same time?
/run/user/1000 bypasses /run’s noexec as it is its own mount point. We might want to look into restricting that too.
It could be useful to mount /dev with noexec.
We should experiment with the ro mount option to mount directories as read-only. /sys would be a good one for this as most things don’t need to write to it.
More mount points we can restrict are:
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
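As an added example (not code from this thread, from security-misc, or from remount-secure), the script below audits a listing in the format printed by `mount` and reports every mount point that lacks nosuid, nodev or noexec. The sample lines are constructed for the example, not captured from a real host; they include a /run mounted noexec next to a separately mounted /run/user/1000 without noexec, which is the bypass described above, plus the mqueue, debugfs and hugetlbfs entries listed here. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: audit mount options for missing hardening flags.
# Input format is that of `mount` output: "<src> on <target> type <fs> (<opts>)".

# Constructed sample in `mount` output format (not from a real system).
SAMPLE_MOUNTS='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)'

# mount_options LINE -> prints the comma-separated option list inside "(...)"
mount_options() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\))$/\1/p'
}

# has_opt OPTS OPT -> success if OPT is present as an exact list item
# (substring matching would wrongly accept "nodev" for "dev", hence the commas)
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts LINE -> prints the hardening options absent from this mount,
# comma separated, or nothing if all three are set
missing_opts() {
    opts=$(mount_options "$1")
    out=""
    for want in nosuid nodev noexec; do
        has_opt "$opts" "$want" || out="$out${out:+,}$want"
    done
    printf '%s' "$out"
}

# audit_mounts  (reads `mount` lines on stdin)
# prints "<target> missing=<list>" for each mount lacking at least one option
audit_mounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        target=$(printf '%s\n' "$line" | awk '{print $3}')
        miss=$(missing_opts "$line")
        if [ -n "$miss" ]; then
            printf '%s missing=%s\n' "$target" "$miss"
        fi
    done
}

# count_unhardened -> number of sample mounts that lack at least one option
count_unhardened() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On a live host this needs no root: `mount | audit_mounts` lists the candidates for further restriction, and because each mount point is checked on its own line, a child mount such as /run/user/1000 shows up separately rather than being hidden under /run's options. Note that the audit only looks at options, not at ro, so a read-only /sys would still have to be checked by hand.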
I can merge that but it won’t help much. The current implementation is a dead-end. It needs to be replaced entirely. See my previous post. There I link to my question, the bug description and the reply by systemd.