(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

madaidan · October 16, 2020, 5:50pm

That doesn’t seem to work. I can’t get a shell in initramfs. Nothing happens.

Patrick · October 16, 2020, 5:53pm

Could you try a “proper” initramfs shell instead please?

From initramfs-tools(7) — initramfs-tools-core — Debian buster — Debian Manpages …

Kernel parameter break=bottom might give a initramfs rescue shell which could be used for experimentation, i.e. manually running mount commands.

madaidan · October 16, 2020, 6:00pm

That doesn’t work either. It just makes it hang during boot.

madaidan · October 16, 2020, 6:15pm

Figured out how to get an initramfs shell from the GRUB command line:

root=(hd0,msdos1)
linux /boot/vmlinuz-4.19.0-11-amd64
initrd /boot/initrd.img-4.19.0-11-amd64
boot

Will investigate the remount-secure issue now.

madaidan · October 16, 2020, 6:46pm

Remounting /run from initramfs definitely works.

grub> root=(hd0,msdos1)
grub> linux /boot/vmlinuz-4.19.0-11-amd64
grub> initrd /boot/initrd.img-4.19.0-11-amd64
grub> boot

(initramfs) echo "BOOT_IMAGE=/boot/vmlinuz-$(uname -r) root=/dev/vda1" > /cmdline-fake
(initramfs) mount -o bind /cmdline-fake /proc/cmdline
(initramfs) sh /scripts/functions
(initramfs) mount -o remount,nosuid,nodev,noexec /run
(initramfs) /init
(initramfs) exit

/tmp doesn’t seem to work however (probably being overwritten by systemd or something).

madaidan · October 16, 2020, 6:59pm

Got them all:

grub> root=(hd0,msdos1)
grub> linux /boot/vmlinuz-4.19.0-11-amd64
grub> initrd /boot/initrd.img-4.19.0-11-amd64
grub> boot

(initramfs) echo "BOOT_IMAGE=/boot/vmlinuz-$(uname -r) root=/dev/vda1" > /cmdline-fake
(initramfs) mount -o bind /cmdline-fake /proc/cmdline
(initramfs) sh /scripts/functions
(initramfs) mount -o remount,nosuid,nodev,noexec /run
(initramfs) /init
(initramfs) chroot /root

root@(none) mount -o bind,nosuid,noexec,nodev /home /home
root@(none) mount -o bind,nosuid,noexec,nodev /tmp /tmp
root@(none) mkdir /dev/shm
root@(none) mount -t tmpfs -o nosuid,noexec,nodev /dev/shm /dev/shm
root@(none) exit

(initramfs) exit

Patrick · October 16, 2020, 7:10pm

Just coming to mind now. /etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs is using a proper initramfs header.

PREREQ=""
prereqs()
{
        echo "$PREREQ"
}
case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

remount-secure did not do that yet. Likely that is also a source of issues.

madaidan · October 16, 2020, 7:27pm

I tried that too and it didn’t seem to change anything.

Patrick · October 22, 2023, 11:05am

I’ve pushed various improvements to security-misc/usr/bin/remount-secure at master · Kicksecure/security-misc · GitHub but as mentioned in

either the systemd unit needs to be fixed (which nobody knows how to do) or it has to be run from initramfs. When this was discussed earlier, we were based on initramfs-tools. Noways on dracut. It might be simpler to implement this using dracut.

Patrick · October 22, 2023, 4:56pm

A lot activity here:

github.com/Kicksecure/security-misc

Secure Remounting

opened 06:06PM - 20 Oct 23 UTC

monsieuremre

Is there any particular reason to have a systemd service remount partitions rath…er than editing /etc/fstab accordingly? This seems cause extra complexity without any benefit that I could see of. As a reference, the recommended options from the lynis documentation can be used. I have tested this and no application seems to break that a debian user would normally install, let alone any whonix default packages. # --------------------------------------------------------- # Mount point nodev noexec nosuid # /boot v v v # /dev v v # /dev/shm v v v # /home v v # /run v v # /tmp v v v # /var v v # /var/log v v v # /var/log/audit v v v # /var/tmp v v v # --------------------------------------------------------- This can be achieved with a simple bind for those without literal partitions on disk. And for the literal partitions, a basic sed operation can be used on fstab. The old fstab can be backed up to be restored upon package removal. So what would be the reason to use a service here? If this is not necessary, I can create a pull request for modifying the fstab. If there is a reason that I do not know of, the same recommended options can be adapted by the service, I assume.

Patrick · October 22, 2023, 8:26pm

github.com/Kicksecure/security-misc

remounting `/usr` as read-only for better security

opened 07:53PM - 22 Oct 23 UTC

monsieuremre

I have tested on a debian VM the following: *First, mount /usr as read only …```mount -o ro --bind /usr /usr``` Try creating or modify any files under /usr ```touch /usr/bin/bad-binary``` ```touch: cannot touch '/usr/bin/bad-binary': Read-only file system``` So we know it is read only. Then create the file with the following content: ``` echo " Dpkg::Pre-Invoke {"mount -o remount,nodev,rw /usr";}; Dpkg::Post-Invoke {"mount -o remount,nodev,ro /usr";}; " >> /etc/apt/apt.conf.d/security-usr ``` Try ```apt update``` and ```apt upgrade``` or anything apt. It works. Post and pre invoke make sure /usr is remounted everytime before apt is invoked, no matter for what purpose. This hardens against any modification in binaries or libraries in the system. For this a remount is necessary. Only root can do this.

Patrick · October 22, 2023, 11:14pm

github.com/systemd/systemd

sd-remount / sd-umount - Failed to remount '/var/log' read-only: Invalid argument

opened 11:13PM - 22 Oct 23 UTC

adrelanos

bug 🐛

### systemd version the issue has been seen with 252.17-1~deb12u1 ### Used dis…tribution Debian 12 bookworm ### Linux kernel version used _No response_ ### CPU architectures issue was seen on i686 ### Component _No response_ ### Expected behaviour you didn't see No such errors. ### Unexpected behaviour you saw Some failed unmounts during shutdown. ``` [FAILED] Failed unmounting var-log.mount. [FAILED] Failed unmounting var-tmp.mount. [FAILED] Failed unmounting var.mount. [ 1923.023754] (sd-remount)[43306]: Failed to remount '/var/log' read-only: Invalid argument [ 1923.026285] (sd-umount)[43307]: Failed to unmount /var/log: Invalid argument [ 1923.029123] (sd-remount)[43308]: Failed to remount '/var/tmp' read-only: Invalid argument [ 1923.031693] (sd-umount)[43309]: Failed to unmount /var/tmp: Invalid argument ``` ### Steps to reproduce the problem In short: Command `mount --options nosuid,nodev,noexec --bind /sysroot/var/log /sysroot/var/log` run at dracut boot hook `cleanup` confuses systemd sd-umount. Details: 1. install dracut 3. [Remount Script](https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure) 4. [dracut module](https://github.com/Kicksecure/security-misc/tree/master/usr/lib/dracut/modules.d/20remount-secure) 5. `sudo dracut -f` 6. `echo GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" | sudo tee /etc/default/grub.d/50_user.cfg` (Or install [https://github.com/Kicksecure/security-misc `security-misc`].) ### Additional program output to the terminal or log subsystem illustrating the issue ```sh This is what is being done at boot time: Oct 22 21:43:11 localhost systemd[1]: dracut-mount.service - dracut mount hook was skipped because no trigger condition checks were met. Oct 22 21:43:11 localhost systemd[1]: Starting dracut-pre-pivot.service - dracut pre-pivot and cleanup hook... Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /usr/bin/remount-secure: INFO: START Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: dracut detected: yes - NEWROOT: '/sysroot' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: level 3/3 (high) Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: using nosuid,nodev: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: using noexec for all: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: 'findmnt --list' output at the START. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: TARGET SOURCE FSTYPE OPTIONS Oct 22 21:43:11 localhost dracut-pre-pivot[409]: / rootfs rootfs rw Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /proc proc proc rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys sysfs sysfs rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /dev devtmpfs devtmpfs rw,nosuid,size=4096k,nr_inodes=245119,mode=755,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /dev/shm tmpfs tmpfs rw,nosuid,nodev,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run tmpfs tmpfs rw,nosuid,nodev,size=401864k,nr_inodes=819200,mode=755,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/fs/cgroup cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/fs/bpf bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/credentials/systemd-tmpfiles-setup-dev.service ramfs ramfs ro,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/credentials/systemd-tmpfiles-setup.service ramfs ramfs ro,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/credentials/systemd-sysctl.service ramfs ramfs ro,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot /dev/sda1 ext4 ro,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/boot' old_mount_options: '' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/boot' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/boot' not yet mounted, therefore using mount bind. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options nosuid,nodev,noexec --bind /sysroot/boot /sysroot/boot Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/boot' new_mount_options: ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/run' old_mount_options: 'rw,nosuid,nodev,size=401864k,nr_inodes=819200,mode=755,inode64' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/run' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/run' already mounted, therefore using remount. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options remount,nosuid,nodev,noexec /run Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/run' new_mount_options: rw,nosuid,nodev,noexec,size=401864k,nr_inodes=819200,mode=755,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev' old_mount_options: 'rw,nosuid,size=4096k,nr_inodes=245119,mode=755,inode64' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev' already mounted, therefore using remount. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options remount,nosuid,noexec /dev Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev' new_mount_options: rw,nosuid,noexec,size=4096k,nr_inodes=245119,mode=755,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev/shm' old_mount_options: 'rw,nosuid,nodev,inode64' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev/shm' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev/shm' already mounted, therefore using remount. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options remount,nosuid,nodev,noexec /dev/shm Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/dev/shm' new_mount_options: rw,nosuid,nodev,noexec,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/tmp' old_mount_options: '' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/tmp' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/tmp' not yet mounted, therefore using mount bind. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options nosuid,nodev,noexec --bind /sysroot/tmp /sysroot/tmp Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/tmp' new_mount_options: ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var' old_mount_options: '' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var' not yet mounted, therefore using mount bind. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options nosuid,nodev --bind /sysroot/var /sysroot/var Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var' new_mount_options: ro,nosuid,nodev,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/tmp' old_mount_options: '' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/tmp' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/tmp' not yet mounted, therefore using mount bind. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options nosuid,nodev,noexec --bind /sysroot/var/tmp /sysroot/var/tmp Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/tmp' new_mount_options: ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: ro,nosuid,nodev,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/log' old_mount_options: '' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/log' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/log' not yet mounted, therefore using mount bind. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options nosuid,nodev,noexec --bind /sysroot/var/log /sysroot/var/log Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/var/log' new_mount_options: ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: ro,nosuid,nodev,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/home' old_mount_options: '' Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/home' folder exists: yes Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/home' not yet mounted, therefore using mount bind. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: Executing: mount --options nosuid,nodev,noexec --bind /sysroot/home /sysroot/home Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: '/sysroot/home' new_mount_options: ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: 'findmnt --list' output at the END. Oct 22 21:43:11 localhost dracut-pre-pivot[409]: TARGET SOURCE FSTYPE OPTIONS Oct 22 21:43:11 localhost dracut-pre-pivot[409]: / rootfs rootfs rw Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /proc proc proc rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys sysfs sysfs rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /dev devtmpfs devtmpfs rw,nosuid,noexec,size=4096k,nr_inodes=245119,mode=755,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /dev/shm tmpfs tmpfs rw,nosuid,nodev,noexec,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run tmpfs tmpfs rw,nosuid,nodev,noexec,size=401864k,nr_inodes=819200,mode=755,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,inode64 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/fs/cgroup cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sys/fs/bpf bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/credentials/systemd-tmpfiles-setup-dev.service ramfs ramfs ro,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/credentials/systemd-tmpfiles-setup.service ramfs ramfs ro,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /run/credentials/systemd-sysctl.service ramfs ramfs ro,nosuid,nodev,noexec,relatime,mode=700 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot /dev/sda1 ext4 ro,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/boot /dev/sda1[/boot] ext4 ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/tmp /dev/sda1[/tmp] ext4 ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/var /dev/sda1[/var] ext4 ro,nosuid,nodev,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/var/tmp /dev/sda1[/var/tmp] ext4 ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/var/tmp /dev/sda1[/var/tmp] ext4 ro,nosuid,nodev,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/var/log /dev/sda1[/var/log] ext4 ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/var/log /dev/sda1[/var/log] ext4 ro,nosuid,nodev,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /sysroot/home /dev/sda1[/home] ext4 ro,nosuid,nodev,noexec,relatime Oct 22 21:43:11 localhost dracut-pre-pivot[409]: INFO: exit_code: 0 Oct 22 21:43:11 localhost dracut-pre-pivot[409]: /usr/bin/remount-secure: INFO: END Oct 22 21:43:11 localhost dracut-pre-pivot[396]: /bin/dracut-pre-pivot: INFO: 'remount-secure 3' success. Oct 22 21:43:11 localhost systemd[1]: Finished dracut-pre-pivot.service - dracut pre-pivot and cleanup hook. ``` Longer log during shutdown: ``` [ OK ] Stopped target local-fs.target - Local File Systems. Unmounting boot.mount - /boot... Unmounting home.mount... Unmounting run-credentials…dentials/systemd-sysctl.service... Unmounting run-credentials…ntials/systemd-sysusers.service... Unmounting run-credentials…temd-tmpfiles-setup-dev.service... Unmounting run-msgcollector.mount - /run/msgcollector... Unmounting tmp.mount... Unmounting var-log.mount... Unmounting var-tmp.mount... [ OK ] Stopped systemd-modules-lo…service - Load Kernel Modules. [ 1922.556991] audit: type=1131 audit(1698009222.706:410): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ OK ] Unmounted boot.mount - /boot. [ OK ] Unmounted home.mount. [ OK ] Unmounted run-credentials-…redentials/systemd-sysctl.service. [ OK ] Unmounted run-credentials-…dentials/systemd-sysusers.service. [ OK ] Unmounted run-credentials-…ystemd-tmpfiles-setup-dev.service. [ OK ] Unmounted run-msgcollector.mount - /run/msgcollector. [ OK ] Unmounted tmp.mount. [FAILED] Failed unmounting var-log.mount. [ OK ] Stopped target swap.target - Swaps. [FAILED] Failed unmounting var-tmp.mount. Unmounting var.mount... [FAILED] Failed unmounting var.mount. [ OK ] Stopped target local-fs-pr…reparation for Local File Systems. [ OK ] Reached target umount.target - Unmount All Filesystems. [ OK ] Stopped systemd-tmpfiles-s…reate Static Device Nodes in /dev. [ 1922.670633] audit: type=1131 audit(1698009222.818:411): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-tmpfiles-setup-dev comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ OK ] Stopped systemd-sysusers.service - Create System Users. [ 1922.675135] audit: type=1131 audit(1698009222.822:412): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-sysusers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ OK ] Stopped systemd-remount-fs…ount Root and Kernel File Systems. [ 1922.678313] audit: type=1131 audit(1698009222.826:413): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-remount-fs comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ OK ] Stopped systemd-fsck-root.… File System Check on Root Device. [ OK ] Reached target shutdown.target - System Shutdown. [ OK ] Reached target final.target - Late Shutdown Services. [ OK ] Finished systemd-poweroff.service - System Power Off. [ OK ] Reached target poweroff.target - System Power Off. [ 1922.945104] systemd-shutdown[1]: Syncing filesystems and block devices. [ 1922.971729] systemd-shutdown[1]: Sending SIGTERM to remaining processes... [ 1922.975104] systemd-journald[518]: Received SIGTERM from PID 1 (systemd-shutdow). [ 1922.987141] systemd-shutdown[1]: Sending SIGKILL to remaining processes... [ 1922.989948] systemd-shutdown[1]: Unmounting file systems. [ 1922.991355] (sd-remount)[43304]: Remounting '/var/log' read-only with options 'errors=remount-ro'. [ 1923.005198] EXT4-fs (sda1): re-mounted. Quota mode: none. [ 1923.021128] (sd-umount)[43305]: Unmounting '/var/log'. [ 1923.022672] (sd-remount)[43306]: Remounting '/var/log' read-only with options 'errors=remount-ro'. [ 1923.023754] (sd-remount)[43306]: Failed to remount '/var/log' read-only: Invalid argument [ 1923.025414] (sd-umount)[43307]: Unmounting '/var/log'. [ 1923.026285] (sd-umount)[43307]: Failed to unmount /var/log: Invalid argument [ 1923.027942] (sd-remount)[43308]: Remounting '/var/tmp' read-only with options 'errors=remount-ro'. [ 1923.029123] (sd-remount)[43308]: Failed to remount '/var/tmp' read-only: Invalid argument [ 1923.030880] (sd-umount)[43309]: Unmounting '/var/tmp'. [ 1923.031693] (sd-umount)[43309]: Failed to unmount /var/tmp: Invalid argument [ 1923.033427] (sd-remount)[43310]: Remounting '/var' read-only with options 'errors=remount-ro'. [ 1923.034464] EXT4-fs (sda1): re-mounted. Quota mode: none. [ 1923.035832] (sd-umount)[43311]: Unmounting '/var'. [ 1923.037161] (sd-remount)[43312]: Remounting '/' read-only with options 'errors=remount-ro'. [ 1923.038104] EXT4-fs (sda1): re-mounted. Quota mode: none. [ 1923.039631] (sd-umount)[43313]: Unmounting '/var/log'. [ 1923.041043] (sd-umount)[43314]: Unmounting '/var/tmp'. [ 1923.042124] systemd-shutdown[1]: All filesystems unmounted. [ 1923.042963] systemd-shutdown[1]: Deactivating swaps. [ 1923.043801] systemd-shutdown[1]: All swaps deactivated. [ 1923.044617] systemd-shutdown[1]: Detaching loop devices. [ 1923.045952] systemd-shutdown[1]: All loop devices detached. [ 1923.046654] systemd-shutdown[1]: Stopping MD devices. [ 1923.047414] systemd-shutdown[1]: All MD devices stopped. [ 1923.048119] systemd-shutdown[1]: Detaching DM devices. [ 1923.049798] systemd-shutdown[1]: All DM devices detached. [ 1923.050531] systemd-shutdown[1]: All filesystems, swaps, loop devices, MD devices and DM devices detached. [ 1923.053849] systemd-shutdown[1]: Syncing filesystems and block devices. [ 1923.054574] systemd-shutdown[1]: Powering off. [ 1923.055475] sd 0:0:0:0: [sda] Synchronizing SCSI cache [ 1923.056420] sd 0:0:0:0: [sda] Stopping disk [ 1923.068889] ACPI: PM: Preparing to enter system sleep state S5 [ 1923.069942] reboot: Power down ``` ```

Patrick · October 23, 2023, 11:09am

related, follow-up tasks:

Patrick · October 23, 2023, 11:10am

Patrick · October 24, 2023, 9:29am

Patrick · October 24, 2023, 10:50am

Patrick · November 5, 2023, 12:36am

github.com/Kicksecure/security-misc

Better Secure Remount

Kicksecure:master ← monsieuremre:better-secure-remount

opened 01:37PM - 04 Nov 23 UTC

monsieuremre

+87 -0

Ding dong. Known problems with our current remount implementation are: * There …is a hard dependency on dracut, without it system breaks * System startup is quite noticeably slower * There are errors when unmounting on shutdown I come with a brand new approach. No dracut, no hook. No slow startup, just as fast as normal boot. No errrors in shutdown. So it is all the good stuff without the issues. We get all the hardneing benefits, and even more for some partitions. A systemd oneshot service executes this script, that does the remounting. ```Well, how do we know what to remount and what to bind? These can change radically depending on the specific system.``` The answer is, we generate a very solid config file for that very specific system on package install. We use this config file as our fstab to the remounting. The good old 'normal' fstab is still there and functions just a fine, does its thing on startup. We do our thing right after the normal fstab. And since it is a fstab file that we do the remounting with, tho a custom one, unmounting goes just in order perfectly. Please do test. If you have any problems, let's see them. But as I see it, this is the same protection and a better experience. Ready to merge, I believe, because I tested it and adjusted the startup order so that all services start a ok, and real fast.

Patrick · November 9, 2023, 9:12pm

Patrick · November 19, 2023, 4:29am

github.com/Kicksecure/security-misc

Secure Remount Without Remounting At All For The Most Part - Secure Mount

Kicksecure:master ← monsieuremre:patch-1

opened 04:37PM - 17 Nov 23 UTC

monsieuremre

+126 -0

This here. We don't own fstab, we don't modify fstab, we don't modify any files …at all. We just add our own little config under respective directories. For var for examle under ```var.mount.d```. This targets the real partitions on disk. If there is literal partition for /home, when mounting it systemd gets everything from fstab, our options come on top of everrything afterwards. If there are no entries in fstab, so no partitions on disk, these overrides simply don't serve any purpose and are never read, so they do no harm. This makes sure we directly mount all partitions in fstab with the secure options in the first place. So no remounting occurs at all. For directories that don't have their own partitions, we bind them. Still, no remounting. We bind these and we are done. * No remounting * Everything mounted with hardened options the first time * Directories are bounded when necessary So overall very good. The only caveat is, we can't apply our extra options for ```/run```, ```/dev``` and ```/dev/shm```. These can't be manipulated with mount unit overrides, they need to be addressed in fstab. ``` Cannot create mount unit for API file system``` For these we have to find another solution, which is unfortunately going to be remounting probably. But for now, let's get everything else on board first. This solution covers everything and jumps no hoops. Everything is hardened from the beginning. Please test. Also the old implementation has to be deleted before merging this.

Patrick · December 12, 2023, 4:59pm

why remount-secure even needed? fix insecure mount options at the root, not here · Issue #157 · Kicksecure/security-misc · GitHub

github.com

Kicksecure/security-misc/blob/master/usr/share/doc/security-misc/fstab-vm

# <file system>                                             <mount point>     <type>    <options>                  <dump> <pass>

/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6       /                auto      defaults,errors=remount-ro  0      1

proc                                                         /proc            proc      defaults                    0      0

/dev                                                         /dev             none      bind                        0      0
/dev                                                         /dev             none      remount,nosuid,noexec       0      0

## noexec optional
/dev/shm                                                     /dev/shm         tmpfs     nosuid,nodev,noexec         0      0

/dev/cdrom                                                   /mnt/cdrom0      iso9660   ro,user,noauto              0      0

/boot                                                        /boot            none      bind                        0      0
/boot                                                        /boot            none      remount,nosuid,nodev,noexec 0      0

/lib                                                         /lib             none      bind                        0      0
/lib                                                         /lib             none      remount,nosuid,nodev        0      0

This file has been truncated. show original