security-misc icon indicating copy to clipboard operation
security-misc copied to clipboard

Published 20 hours ago verified publisher icon Kicksecure

test remount-secure script and systemd unit

Open adrelanos opened this issue 5 months ago • 3 comments

Developer discussion. Not for users since not the in the testers repository yet.

Based suggestions in https://github.com/Kicksecure/security-misc/pull/202 thanks to @monsieuremre, recently I have improved.

  • systemd unit file: https://github.com/Kicksecure/security-misc/blob/master/usr/lib/systemd/system/remount-secure.service
  • remount-secure script: https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure

Enabling it should be as simple as:

sudo systemctl enable remount-secure.service

Risks: Breaking the boot.

Unbreaking the boot?

  • A) Booting into recovery mode and disalbing the systemd unit or,
  • B) kernel parameter remountsecure=0

might work.

adrelanos avatar Feb 22 '24 16:02 adrelanos

Once again, I want to give my opinion here. I am not a big fan of bind mounting things. My suggested implementation was, how would it be done if we absolutely wanted bind units. It goes without saying that remounting anything is completely unnecessary and does nothing but add extra overhead and complexity. These can be hardened with drop in files, as I suggested previously. Api file systems can be hardened from the kernel command line, again, a drop-in file. Bind mounting stuff is where we can't use drop in files. Actually, if we wanted, we could. But I already am not a fan of bind mounts. We can create bind units under /usr/lib/systemd, but really, should we be the one to have the var.mount unit? Like someone else might want to own that file, I don't know. My suggestion is, let's do drop in's boot parameters. I don't support bind mounts. But if it is desired, it can be done with either

  • a service such as this (messy)
  • boot parameter, again, fstab lines (preferred)
  • systemd units under /usr/lib (less messy, but still is messy)

For API file systems and real partitions, a service or a hook should not be used. This is not only unnecessary, but introduces overhead.

monsieuremre avatar Feb 26 '24 20:02 monsieuremre

Seems off-topic since it does not contribute towards the testing of remount-secure script / systemd unit file. Instead replied to it here: https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1976364746

adrelanos avatar Mar 04 '24 11:03 adrelanos

Actually never mind. Systemd units for everything just works fine. Will create a pull when I find the time. No bash scripting is used, just systemd units that are triggered based on conditions. Actually I am not sure why I haven't thought of this before. This officially covers everything. It is really similar to previous suggestions too, just fills in the missing gaps.

monsieuremre avatar Mar 18 '24 16:03 monsieuremre