add filesystem hardening (mounting external filesystems read-only, nosuid, and so on)
authorRalf Jung <post@ralfj.de>
Sat, 22 Feb 2014 11:42:21 +0000 (12:42 +0100)
committerRalf Jung <post@ralfj.de>
Sat, 22 Feb 2014 11:42:21 +0000 (12:42 +0100)
Makefile
schroot/schsh/schsh-hardening [new file with mode: 0644]
schroot/setup.d/80schsh-hardening [new file with mode: 0755]

index 531c14f7d8199de0542ad043b20f191aa0753b4e..5ee18ce65444ece4d373618eaef784a1071fed75 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,8 @@ TARGET := /usr/local
 SCHROOT := /etc/schroot
 
 install:
 SCHROOT := /etc/schroot
 
 install:
-       install -o root -g root schsh makeschsh schsh-rrsync $(TARGET)/bin/
-       install -o root -g root -d $(SCHROOT)/schsh/
+       install -o root -g root -m 755 schsh makeschsh schsh-rrsync $(TARGET)/bin/
+       install -o root -g root -m 755 -d $(SCHROOT)/schsh/
        install -o root -g root -m 644 schroot/schsh/* $(SCHROOT)/schsh/
        install -o root -g root -m 644 schroot/schsh/* $(SCHROOT)/schsh/
-       install -o root -g root -d /var/lib/schsh/
+       install -o root -g root -m 755 schroot/setup.d/* $(SCHROOT)/setup.d/
+       install -o root -g root -m 755 -d /var/lib/schsh/
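Review bot: The `install` target is a command, not a file, so a stray file named `install` in the checkout would make it silently "up to date" and skip copying the new setup.d hook; unless it is declared elsewhere in the Makefile (the hunk only shows the rule itself), add `.PHONY: install` above the rule. The new `install -o root -g root -m 755 schroot/setup.d/* $(SCHROOT)/setup.d/` line also assumes `$(SCHROOT)/setup.d/` already exists, which holds when the schroot package is installed but fails with an unhelpful error otherwise; an `install -o root -g root -m 755 -d $(SCHROOT)/setup.d/` line before it, matching the `-d` lines already present, keeps the target self-contained. Installing the hook with mode 755 is correct here, since schroot only runs setup scripts that are executable.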
diff --git a/schroot/schsh/schsh-hardening b/schroot/schsh/schsh-hardening
new file mode 100644 (file)
index 0000000..077d4cd
--- /dev/null
@@ -0,0 +1,12 @@
+# Describes how to re-mount some filesystems, if they happen to exist
+# Format: Mount-Point <TAB> remount-options
+/                              bind,ro,nosuid,noexec
+/bin                   bind,ro,nosuid,nodev
+/lib                   bind,ro,nosuid,nodev
+/lib64                 bind,ro,nosuid,nodev
+/usr/bin               bind,ro,nosuid,nodev
+/usr/lib               bind,ro,nosuid,nodev
+/usr/lib64             bind,ro,nosuid,nodev
+/usr/share             bind,ro,nosuid,nodev
+/usr/local/bin         bind,ro,nosuid,nodev
+/data                  bind,rw,nosuid,nodev,noexec
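Review bot: The `/` entry is the only one without `nodev` (`bind,ro,nosuid,noexec`), so device nodes stored anywhere on the chroot root filesystem remain usable even though every other listed mount refuses them; if `/dev` is provided as a separate bind mount by the schsh fstab, as is usual for schroot profiles, `/` can safely become `bind,ro,nosuid,nodev,noexec`. Note that these flags only take effect on paths that are distinct mounts inside the chroot, so any other mount the profile's fstab creates (for example a `/home` or `/dev/shm` bind, if present) keeps its original `exec`/`suid` flags until it gets its own line here. A short comment stating that would help the next maintainer: `# Only paths that are separate mounts inside the chroot are affected; add a line for every writable bind mount in the fstab.`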
diff --git a/schroot/setup.d/80schsh-hardening b/schroot/setup.d/80schsh-hardening
new file mode 100755 (executable)
index 0000000..47965e2
--- /dev/null
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+. "$SETUP_DATA_DIR/common-data"
+. "$SETUP_DATA_DIR/common-functions"
+. "$SETUP_DATA_DIR/common-config"
+
+SETUP_HARDENING="$CHROOT_PROFILE_DIR/schsh-hardening"
+
+# Mount filesystems from fstab for all chroot types
+if [ "$STAGE" = "setup-start" ] || [ "$STAGE" = "setup-recover" ]; then
+       if [ "$CHROOT_PROFILE" = "schsh" ]; then
+               if [ -f "$SETUP_HARDENING" ]; then
+                       while read REMOUNT; do
+                               if echo "$REMOUNT" | egrep -q '^(#|$)' ; then
+                                       continue
+                               fi
+                               REMOUNT=$(echo "$REMOUNT" | tr ' ' '\t' | tr -s '\t') # replace spaces by tabs, and squeeze tabs together
+                               MOUNTPOINT=${CHROOT_PATH}/$(echo "$REMOUNT" | cut -f 1)
+                               MOUNTPOINT=$(readlink -m "$MOUNTPOINT") # canonicalize the path
+                               MOUNTOPT=$(echo "$REMOUNT" | cut -f 2)
+                               if cat /proc/mounts | grep " $MOUNTPOINT " > /dev/null; then # somehow "mountpoint" does not detect bind points...
+                                       info "Re-mounting $MOUNTPOINT with $MOUNTOPT"
+                                       mount -o remount,"$MOUNTOPT" "$MOUNTPOINT"
+                               else
+                                       info "No such mountpoint: $MOUNTPOINT"
+                               fi
+                               
+                       done < "$SETUP_HARDENING"
+               else
+                       fatal "schsh-hardening file '$SETUP_HARDENING' does not exist"
+               fi
+       else
+               info "Not a schsh chroot, not doing anything"
+       fi
+fi
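Review bot: A failed `mount -o remount,"$MOUNTOPT" "$MOUNTPOINT"` is not detected, and the script neither sets `-e` nor checks the exit status, so a remount that is refused (busy mount, unsupported flag combination) leaves that filesystem writable or suid while session setup still succeeds; unless one of the sourced common-* files turns on errexit, the line should be `mount -o remount,"$MOUNTOPT" "$MOUNTPOINT" || fatal "Failed to re-mount $MOUNTPOINT with $MOUNTOPT"`. The `readlink -m` canonicalization also follows absolute symlinks inside the chroot (e.g. a `lib64 -> /usr/lib64` link) to the host's `/usr/lib64`, so a matching host mount could be remounted instead of the chroot's; guarding with `case "$MOUNTPOINT" in "$CHROOT_PATH"|"$CHROOT_PATH"/*) ;; *) fatal "Mount point $MOUNTPOINT escapes $CHROOT_PATH" ;; esac` confines the operation to the chroot. Finally, `grep " $MOUNTPOINT "` treats the path as a regex and `/proc/mounts` escapes spaces as `\040`, so `grep -F` on the escaped path would be a more faithful existence check than the current `cat | grep` pipeline.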