From: Ralf Jung
Date: Sat, 22 Feb 2014 11:42:21 +0000 (+0100)
Subject: add filesystem hardening (mounting external filesystems read-only, nosuid, and so on)
X-Git-Url: https://git.ralfj.de/schsh.git/commitdiff_plain/c8435c302e51661e0bcf1a1e27da67f0f2eddf32?ds=inline
add filesystem hardening (mounting external filesystems read-only, nosuid, and so on)
---
diff --git a/Makefile b/Makefile
index 531c14f..5ee18ce 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,8 @@
 TARGET := /usr/local
 SCHROOT := /etc/schroot
 install:
- install -o root -g root schsh makeschsh schsh-rrsync $(TARGET)/bin/
- install -o root -g root -d $(SCHROOT)/schsh/
+ install -o root -g root -m 755 schsh makeschsh schsh-rrsync $(TARGET)/bin/
+ install -o root -g root -m 755 -d $(SCHROOT)/schsh/
 install -o root -g root -m 644 schroot/schsh/* $(SCHROOT)/schsh/
- install -o root -g root -d /var/lib/schsh/
+ install -o root -g root -m 755 schroot/setup.d/* $(SCHROOT)/setup.d/
+ install -o root -g root -m 755 -d /var/lib/schsh/
diff --git a/schroot/schsh/schsh-hardening b/schroot/schsh/schsh-hardening
new file mode 100644
index 0000000..077d4cd
--- /dev/null
+++ b/schroot/schsh/schsh-hardening
@@ -0,0 +1,12 @@
+# Describes how to re-mount some filesystems, if they happen to exist
+# Format: Mount-Point remount-options
+/ bind,ro,nosuid,noexec
+/bin bind,ro,nosuid,nodev
+/lib bind,ro,nosuid,nodev
+/lib64 bind,ro,nosuid,nodev
+/usr/bin bind,ro,nosuid,nodev
+/usr/lib bind,ro,nosuid,nodev
+/usr/lib64 bind,ro,nosuid,nodev
+/usr/share bind,ro,nosuid,nodev
+/usr/local/bin bind,ro,nosuid,nodev
+/data bind,rw,nosuid,nodev,noexec
diff --git a/schroot/setup.d/80schsh-hardening b/schroot/setup.d/80schsh-hardening
new file mode 100755
index 0000000..47965e2
--- /dev/null
+++ b/schroot/setup.d/80schsh-hardening
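Review bot: The new `install -o root -g root -m 755 schroot/setup.d/* $(SCHROOT)/setup.d/` line copies into a directory the target never creates, while the two sibling directories get an explicit `-d` step; it only works as long as the schroot package has already created `$(SCHROOT)/setup.d/`. Adding `install -o root -g root -m 755 -d $(SCHROOT)/setup.d/` before it makes the target self-contained. The `-m 755` on the setup.d scripts is needed because schroot only runs executable setup scripts, and keeping them root-owned and not group/world-writable matters since setup.d hooks execute as root. Unless it is declared in a part of the Makefile outside this hunk, `install` is also not listed in `.PHONY`, so a file named `install` in the checkout would make the target appear up to date.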
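Review bot: `/` is the only entry without `nodev`, while every other read-only mount carries it; if `/dev` inside the chroot is a separate mount (as schroot's fstab-based setup normally arranges), `/ bind,ro,nosuid,nodev,noexec` would close that gap, and if the omission is deliberate a comment saying why would stop someone "fixing" it later. The `# Format:` comment could also state what the consumer in setup.d/80schsh-hardening assumes: one entry per line, fields separated by spaces or tabs, and the options as a single comma-separated token, since anything after the second field is silently ignored. The header's "if they happen to exist" is the only hint that a path with no mount is skipped rather than treated as an error; spelling that out would help an operator auditing which paths actually got hardened.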
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+. "$SETUP_DATA_DIR/common-data"
+. "$SETUP_DATA_DIR/common-functions"
+. "$SETUP_DATA_DIR/common-config"
+
+SETUP_HARDENING="$CHROOT_PROFILE_DIR/schsh-hardening"
+
+# Mount filesystems from fstab for all chroot types
+if [ "$STAGE" = "setup-start" ] || [ "$STAGE" = "setup-recover" ]; then
+ if [ "$CHROOT_PROFILE" = "schsh" ]; then
+ if [ -f "$SETUP_HARDENING" ]; then
+ while read REMOUNT; do
+ if echo "$REMOUNT" | egrep -q '^(#|$)' ; then
+ continue
+ fi
+ REMOUNT=$(echo "$REMOUNT" | tr ' ' '\t' | tr -s '\t') # replace spaces by tabs, and squeeze tabs together
+ MOUNTPOINT=${CHROOT_PATH}/$(echo "$REMOUNT" | cut -f 1)
+ MOUNTPOINT=$(readlink -m "$MOUNTPOINT") # canonicalize the path
+ MOUNTOPT=$(echo "$REMOUNT" | cut -f 2)
+ if cat /proc/mounts | grep " $MOUNTPOINT " > /dev/null; then # somehow "mountpoint" does not detect bind points...
+ info "Re-mounting $MOUNTPOINT with $MOUNTOPT"
+ mount -o remount,"$MOUNTOPT" "$MOUNTPOINT"
+ else
+ info "No such mountpoint: $MOUNTPOINT"
+ fi
+
+ done < "$SETUP_HARDENING"
+ else
+ fatal "schsh-hardening file '$SETUP_HARDENING' does not exist"
+ fi
+ else
+ info "Not a schsh chroot, not doing anything"
+ fi
+fi
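Review bot: The `mount -o remount,"$MOUNTOPT" "$MOUNTPOINT"` line ignores mount's exit status, so a remount that fails (for example because the options are rejected) has already logged "Re-mounting" and the session continues with the filesystem still writable or suid-capable; for a hardening step that should abort the setup, e.g. `mount -o remount,"$MOUNTOPT" "$MOUNTPOINT" || fatal "Failed to re-mount $MOUNTPOINT with $MOUNTOPT"`. Because `readlink -m` follows symlinks inside the chroot, a symlink at one of the listed paths could canonicalize to a location outside `$CHROOT_PATH`; a guard after the readlink such as `case "$MOUNTPOINT" in "$CHROOT_PATH"|"$CHROOT_PATH"/*) ;; *) fatal "$MOUNTPOINT is outside $CHROOT_PATH";; esac` keeps the remount inside the chroot. The `grep " $MOUNTPOINT "` test on /proc/mounts treats the path as a regular expression and matches anywhere on the line (and /proc/mounts encodes spaces in paths as `\040`), so `grep -F " $MOUNTPOINT "` is the minimum, or `awk -v mp="$MOUNTPOINT" '$2 == mp' /proc/mounts` to test only the mount-point field. The header comment `# Mount filesystems from fstab for all chroot types` describes schroot's own mount script rather than this one; `# Re-mount the paths listed in schsh-hardening with hardened options (ro, nosuid, ...)` would match what the loop does.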