(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

Patrick · January 4, 2024, 12:59am

There are at least 6 different approaches to mount options hardening, 3 different types of mount points (API, partition, folder) and various different environment. Overview created:

Patrick · February 22, 2024, 4:09pm

github.com/Kicksecure/security-misc

Secure Bind Mount & Protect Hardware

Kicksecure:master ← monsieuremre:patch-4

opened 09:09PM - 20 Feb 24 UTC

monsieuremre

+39 -0

Hello. This pull request resolves two currently open issues. One is protecting h…ardware by limiting access to /proc and /sys. Well good news. I present you the best way possible. Mounting proc with subset=pid ensure that only the pid subset under proc is visible, everything else is invisible. This is also the case for root. No one can see anything. ```/proc/dma```, ```/proc/iomem```, ```/proc/ioports```, ```/proc/meminfo```, ```/proc/kallsyms```, ```/proc/kcore``` and literally tons of other stuff, everything protected even from root. Just ```ls /proc``` to see for yourself what gets hidden. When it comes to /sys, [starting based on this comment](https://github.com/Kicksecure/security-misc/issues/172#issuecomment-1951419805), I found the sources of breakages. The comment is true, but not complete, because there are also other subsets that break too, apart from just fs. Those are enabled, and everything else is disabled. Tested. And bind mounting. You said not having bind mounts is a big deal. You said binds are important, they are our lives. Well. You say no more. I give you binds, a lot of them, and them only. At this point, we might as well just bind everything, disregarding if it has a proper real partition. Because even if it does have a partition, bind mounting to itself does no harm literally. The overhead seems to be really really minimal and unnoticable. So this is the current suggestion. Test for yourself and report please.

Patrick · February 22, 2024, 4:20pm

github.com/Kicksecure/security-misc

test remount-secure script and systemd unit

opened 04:20PM - 22 Feb 24 UTC

adrelanos

Developer discussion. Not for users since not the in the testers repository yet.… Based suggestions in https://github.com/Kicksecure/security-misc/pull/202 thanks to @monsieuremre, recently I have improved. * systemd unit file: https://github.com/Kicksecure/security-misc/blob/master/usr/lib/systemd/system/remount-secure.service * remount-secure script: https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure Enabling it should be as simple as: sudo systemctl enable remount-secure.service Risks: Breaking the boot. Unbreaking the boot? * A) Booting into recovery mode and disalbing the systemd unit or, * B) kernel parameter `remountsecure=0` might work.