Seems like we’ll be stuck with initramfs-tools forever or at least until/if all major distributions (or at least Debian) switch to dracut by default.
Older quote https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/:
- The initrd should mount /run as a tmpfs and pass it pre-mounted when jumping into the main system when executing systemd. The mount options should be mode=755,nodev
Newer quote https://systemd.io/INITRD_INTERFACE/
- The initrd should mount /run/ as a tmpfs and pass it pre-mounted when jumping into the main system when executing systemd. The mount options should be
This speaks for an initrd-based implementation.
If stuck, could you please ask on systemd mailing list?
Also I guess it would be better to have only 1 place to implement mount options. Either do everything inside initramfs or do everything using systemd units. Not two places to implement. I.e. not initramfs + systemd units. Reason: lower complexity.
If going the systemd way, could you please make this configurable?
Due to the high potential for regressions, we'll ship this disabled by default and then call for testers enabling this.
Using systemd unit files it may be possible to implement this by requiring the kernel boot parameter remount-secure to be set, by extending the [Unit] section of the systemd unit file. Example:
Is this required? Or could it be auto-detected? Since you like to support non-Whonix, non-Kicksecure users (plain Debian) too, this might break when users are using other file systems such as btrfs.
Takes a string for the file system type. See mount(8) for details. This setting is optional.
Therefore I guess it can be dropped and would be auto-detected by systemd if needed.
## Uncomment this to deny execution of programs in /home.
The problem with that is that this file will be replaced once a comment or something is ever changed there in the package. It would be better to add instructions there on how to do that in /etc, or perhaps placing that file in /etc. Or maybe better, instead we could probably use:
I.e. two systemd units.
home-noexec.mount and which one is used/ignored depending on
Filename could also be
What about the mount options for the root file system?
How to test if / is mounted with
 I previously had Qubes VMs which would boot sometimes, not boot at other times or sometimes would have broken AppArmor
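Added example (editor's addition, not part of the forum post above and not Whonix/Kicksecure code) for two of the points raised in the thread: gating a unit on the remount-secure kernel boot parameter, and checking which options / (or any other mount point) actually ended up with. ConditionKernelCommandLine= is the real systemd [Unit] directive for the first point; the function names, the home-noexec.mount unit name, and the /proc/cmdline and /proc/self/mounts contents are constructed for this example and are not captures from a real system.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Whonix/Kicksecure.
# Helpers for (1) gating a systemd unit on a kernel boot parameter and
# (2) checking which mount options a mount point actually carries.
# Function names and sample inputs are assumptions made for this example.

# Return 0 if the kernel command line ($1) contains parameter $2, either as a
# bare word or in key=value form. Whole words only, so "remount-secure-debug"
# does not count as "remount-secure" (this mirrors how systemd's
# ConditionKernelCommandLine= matches).
kernel_param_set() {
    cmdline=$1
    param=$2
    for word in $cmdline; do
        [ "$word" = "$param" ] && return 0
        case $word in
            "$param"=*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if mount point $2 in the /proc/self/mounts-format text $1 has mount
# option $3, 1 if it is mounted without it, 2 if the mount point is absent.
# Fields are: device mountpoint fstype options dump pass. If the same path is
# listed twice (an overmount), the last entry is the one that is visible.
mount_has_option() {
    mounts=$1
    mp=$2
    wanted=$3
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *",$wanted,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the [Unit] condition that turns e.g. home-noexec.mount (assumed name)
# into a no-op unless boot parameter $1 is present on the kernel command line.
unit_condition() {
    printf '[Unit]\nConditionKernelCommandLine=%s\n' "$1"
}

# Constructed sample input in /proc/self/mounts and /proc/cmdline format
# (not captured from a real machine).
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=403504k,mode=755 0 0
/dev/vda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro quiet remount-secure'

# Stand-alone demonstration. On a live system replace the samples with
# "$(cat /proc/cmdline)" and "$(cat /proc/self/mounts)".
if kernel_param_set "$SAMPLE_CMDLINE" remount-secure; then
    echo "remount-secure requested on the kernel command line; unit condition:"
    unit_condition remount-secure
fi
for mp in / /run /home; do
    for opt in nosuid nodev noexec; do
        if mount_has_option "$SAMPLE_MOUNTS" "$mp" "$opt"; then
            echo "$mp has $opt"
        else
            echo "$mp lacks $opt"
        fi
    done
done
```

On a real system, `findmnt -no OPTIONS /` answers the "how to test if / is mounted with ..." question in one command; the awk-based helper is used above so the example runs offline against constructed input and so the overmount case (the same path listed twice) is handled explicitly by taking the last entry.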