Ok.
Seems like we’ll be stuck with initramfs-tools forever or at least until/if all major distributions (or at least Debian) switch to dracut by default.
About /run…
Older quote (https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/):
- The initrd should mount /run as a tmpfs and pass it pre-mounted when jumping into the main system when executing systemd. The mount options should be mode=755,nodev
Newer quote (Initrd Interface):
- The initrd should mount /run/ as a tmpfs and pass it pre-mounted when jumping into the main system when executing systemd. The mount options should be mode=755,nodev,nosuid,strictatime.
This speaks for an initrd-based implementation.
If stuck, could you please ask on systemd mailing list?
Also, I guess it would be better to have only one place to implement mount options: either do everything inside initramfs or do everything using systemd units, not two places, i.e. not initramfs + systemd units. Reason: lower complexity.
If going the systemd way, could you please make this configurable?
Due to high potential for regressions [1], we’ll ship this disabled by default and then call for testers enabling this.
Using systemd unit files, it may be possible to implement this by requiring the kernel boot parameter remount-secure to be set, by extending the [Unit] section of the systemd unit file. Example:
[Unit]
ConditionKernelCommandLine=|remount-secure
Type=ext4
Is this required? Or could it be auto-detected? Since you would like to support non-Whonix, non-Kicksecure users (plain Debian) too, this might break when users are using other file systems such as btrfs.
Type=
Takes a string for the file system type. See mount(8) for details. This setting is optional.
Therefore I guess it can be dropped and would be auto-detected by systemd if needed.
[Mount]
## Uncomment this to deny execution of programs in /home.
#Options=noexec
The problem with that is that this file will be replaced once a comment or something is ever changed there in the package. It would be better to add instructions there on how to do that in /etc, or perhaps placing that file in /etc. Or, maybe better, instead we could probably use:
[Unit]
ConditionPathExists=|/etc/noexec
ConditionPathExists=|/usr/local/etc/noexec
(And/or /etc/exec / /usr/local/etc/exec.)
I.e. two systemd units, home-exec.mount and home-noexec.mount, and which one is used/ignored depends on ConditionPathExists.
filename /lib/systemd/system/bin.mount
Must it be /lib/systemd/system/bin.mount? Could it not be /lib/systemd/system/bin.mount.d?
Could the filename also be /lib/systemd/system/remount-secure-bin.mount?
What about the mount options for the root file system / itself?
How to test if / is mounted with nodev?
[1] I previously had Qubes VMs which would boot sometimes, not boot at other times, or sometimes would have broken AppArmor.
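The last question in the post (how to test whether / is mounted with nodev) can be answered from /proc/self/mountinfo without involving systemd. The POSIX shell script below is an added example; it is not code from this post or from the remount-secure package. Its layout follows proc(5): field 5 of a mountinfo line is the mount point and field 6 holds the per-mount-point options (rw/ro, nosuid, nodev, noexec, relatime, ...), which is where nodev appears. The function names, the exit-status convention and the sample mountinfo lines (constructed for the demo, not captured from a real machine) are assumptions made for this example. The same check works for any mount point, including /run, whose expected options according to the Initrd Interface quotes above are nodev and nosuid.

```shell
#!/bin/sh
# Added example (not from the post or the remount-secure project):
# check whether a mount point is currently mounted with a given option,
# e.g. whether / has nodev, by parsing /proc/self/mountinfo.
#
# mountinfo line layout (proc(5)):
#   ID parentID major:minor root MOUNTPOINT PER-MOUNT-OPTIONS [optional...] - fstype source super-opts
# Field 5 is the mount point, field 6 the per-mount-point options.
# Mount points containing spaces are escaped in mountinfo (\040); pass them escaped.

# mount_has_option MOUNTPOINT OPTION [MOUNTINFO_FILE]
# Exit status (an assumption of this example): 0 = option set,
# 1 = mount point present but option missing, 2 = mount point not found.
# If the same path appears several times (over-mounts), the last entry wins,
# which is the mount actually visible at that path.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $5 == mp {
            seen = 1; found = 0
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END {
            if (!seen) exit 2
            if (found) exit 0
            exit 1
        }
    ' "${3:-/proc/self/mountinfo}"
}

# report_mount MOUNTPOINT [MOUNTINFO_FILE]
# Prints one line per hardening flag; returns 0 only if nodev, nosuid and noexec are all set.
report_mount() {
    mp="$1"; src="${2:-/proc/self/mountinfo}"; rc=0
    for o in nodev nosuid noexec; do
        if mount_has_option "$mp" "$o" "$src"; then
            printf '%-8s %-7s set\n' "$mp" "$o"
        else
            printf '%-8s %-7s MISSING\n' "$mp" "$o"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not captured from a real system) so the demo runs offline:
# / lacks nodev, /run follows the systemd initrd interface, /home has no noexec.
write_sample_mountinfo() {
    cat > "$1" <<'EOF'
21 1 254:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw,errors=remount-ro
22 21 0:22 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,size=409600k,mode=755
23 21 254:2 / /home rw,nosuid,nodev,relatime shared:7 - ext4 /dev/vda2 rw
EOF
}

sample=$(mktemp)
write_sample_mountinfo "$sample"
for mp in / /run /home; do report_mount "$mp" "$sample" || true; done
rm -f "$sample"
# Drop the file argument to inspect the running system instead, e.g.:
#   mount_has_option / nodev && echo "/ has nodev"
```

On a system with util-linux, `findmnt -no OPTIONS /` prints the same field. Note that strictatime (from the newer Initrd Interface quote) does not show up as a word in this field; it is the absence of relatime and noatime, so the script does not try to test it.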