[Whonix-devel] systemd unit file to remount /home /tmp /dev/shm /run with nosuid, nodev

Patrick Schleizer patrick-mailinglists at whonix.org
Mon Dec 30 11:03:24 CET 2019


Hello,

a script to remount /home /tmp /dev/shm /run (configurable) with
nosuid,nodev (+noexec configurable) has been created by me. The purpose
of remounting is increasing the security of the system. The script shall
run as early as reasonably possible during boot.

The systemd unit file [1] and script [2] are attached below in a simplified
version; links to the actual version are at [3] [4]. This is planned to be
enabled by default in a Debian derivative Linux distribution.

The issue with the systemd unit file is that it runs the script while
other scripts are run and it seems like "mount -o nosuid,nodev --bind
/tmp /tmp" is non-atomic. By that I mean, other scripts (run by other
systemd unit files) that require /tmp are experiencing a split second or
so where /tmp is non-writable and therefore fail. Various race
conditions are possible and one was already experienced.

How to solve that?

Not using '/etc/fstab.d' because fstab '.d' folder does not exist yet.
[5] Not using '/etc/fstab' because that is non-ideal for a derivative
Debian Linux distribution. [6]

a) The remount-secure.service unit file should run alone. Non-parallel.
Until remount-secure.service is done, no other systemd unit files should
be run. Is that possible with systemd?

b) The remount-secure.service should add a reverse dependency to most
other systemd unit files which is saying "After=remount-secure.service".
Is that possible?

c) Could the systemd unit file express "do this right after systemd is
done with the usual file system mounting, but still early"? Which service or
target would that be? 'Before=local-fs.target' and
'After=systemd-remount-fs.service'?

d) Or remount-secure.service should not exist and instead be a drop-in
configuration file snippet
'/lib/systemd/system/systemd-remount-fs.service.d/30_remount-secure.conf'
using 'ExecStartPost=/usr/lib/security-misc/remount-secure'?

e) Any other solution?

Kind regards,
Patrick

[1]
[Unit]
Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
Documentation=https://github.com/Whonix/security-misc

DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target

After=qubes-sysinit.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/security-misc/remount-secure

[Install]
WantedBy=sysinit.target

[2]
#!/bin/sh
# Remount the existing mounts in place, adding nosuid,nodev to their options.
mount -o remount,nosuid,nodev /home
mount -o remount,nosuid,nodev /run
mount -o remount,nosuid,nodev /dev/shm
# /tmp is a plain directory on the root fs, so it cannot be remounted; bind-mount it onto itself with the new options instead.
mount -o nosuid,nodev --bind /tmp /tmp

[3]
https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service
[4]
https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure

[5] https://github.com/systemd/systemd/issues/12506

[6] Confusing question for users who upgrade or make changes to the
file. (dpkg interactive conflict resolution dialog)
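An added example, not part of this post or of the security-misc project: a check that the remount actually took effect, by parsing the per-mount option field of /proc/self/mountinfo for each target path. It runs here against a constructed sample file; on a live system pass /proc/self/mountinfo instead.

```sh
#!/bin/sh
# Added example (not the security-misc script): verify that the remount-secure targets
# carry nosuid,nodev. In /proc/self/mountinfo field 5 is the mount point and field 6
# its per-mount options; the last matching line is the topmost mount, which is what
# matters for "mount --bind /tmp /tmp", where the new mount sits on top of the root fs.

# mount_opts FILE MOUNTPOINT: print the option field of the topmost mount at MOUNTPOINT
mount_opts() {
    awk -v mp="$2" '$5 == mp { opts = $6 } END { print opts }' "$1"
}

# has_opts FILE MOUNTPOINT OPT...: succeed only if every OPT is set on that mount
has_opts() {
    file=$1; mp=$2; shift 2
    opts=$(mount_opts "$file" "$mp")
    [ -n "$opts" ] || return 1   # no mount at that path (e.g. /tmp before the bind mount)
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_all FILE: report each target; fail if any of them lacks nosuid,nodev
check_all() {
    rc=0
    for target in /home /tmp /dev/shm /run; do
        if has_opts "$1" "$target" nosuid nodev; then
            echo "ok      $target ($(mount_opts "$1" "$target"))"
        else
            echo "MISSING $target ($(mount_opts "$1" "$target"))"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, not a real system's mountinfo: /run and /dev/shm are hardened,
# /tmp is a nosuid,nodev bind mount on top of the root fs, /home was never remounted.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
23 22 0:21 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
24 22 0:19 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
25 22 8:2 / /home rw,relatime shared:6 - ext4 /dev/sda2 rw
26 22 8:1 /tmp /tmp rw,nosuid,nodev,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
EOF
# On a live system: check_all /proc/self/mountinfo
if check_all "$SAMPLE"; then echo "all hardened"; else echo "some mount points are not hardened"; fi
```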
