add filesystem hardening (mounting external filesystems read-only, nosuid, and so on)

[schsh.git] / schroot / schsh / schsh-hardening

diff --git a/schroot/schsh/schsh-hardening b/schroot/schsh/schsh-hardening
new file mode 100644 (file)
index 0000000..077d4cd
--- /dev/null
+++ b/schroot/schsh/schsh-hardening
@@ -0,0 +1,12 @@
+# Describes how to re-mount some filesystems, if they happen to exist
+# Format: Mount-Point <TAB> remount-options
+/                              bind,ro,nosuid,noexec
+/bin                   bind,ro,nosuid,nodev
+/lib                   bind,ro,nosuid,nodev
+/lib64                 bind,ro,nosuid,nodev
+/usr/bin               bind,ro,nosuid,nodev
+/usr/lib               bind,ro,nosuid,nodev
+/usr/lib64             bind,ro,nosuid,nodev
+/usr/share             bind,ro,nosuid,nodev
+/usr/local/bin         bind,ro,nosuid,nodev
+/data                  bind,rw,nosuid,nodev,noexec