Open adrelanos opened 9 months ago
Once again, I want to give my opinion here. I am not a big fan of bind mounting things. My suggested implementation was, how would it be done if we absolutely wanted bind units. It goes without saying that remounting anything is completely unnecessary and does nothing but add extra overhead and complexity. These can be hardened with drop in files, as I suggested previously. Api file systems can be hardened from the kernel command line, again, a drop-in file. Bind mounting stuff is where we can't use drop in files. Actually, if we wanted, we could. But I already am not a fan of bind mounts. We can create bind units under /usr/lib/systemd, but really, should we be the one to have the var.mount unit? Like someone else might want to own that file, I don't know. My suggestion is, let's do drop in's boot parameters. I don't support bind mounts. But if it is desired, it can be done with either
For API file systems and real partitions, a service or a hook should not be used. This is not only unnecessary, but introduces overhead.
Seems off-topic since it does not contribute towards the testing of remount-secure script / systemd unit file. Instead replied to it here: https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1976364746
Actually never mind. Systemd units for everything just works fine. Will create a pull when I find the time. No bash scripting is used, just systemd units that are triggered based on conditions. Actually I am not sure why I haven't thought of this before. This officially covers everything. It is really similar to previous suggestions too, just fills in the missing gaps.
Developer discussion. Not for users since not the in the testers repository yet.
Based suggestions in https://github.com/Kicksecure/security-misc/pull/202 thanks to @monsieuremre, recently I have improved.
Enabling it should be as simple as:
Risks: Breaking the boot.
Unbreaking the boot?
remountsecure=0
might work.