The idea of the rule is to verify that all filesystems that are (or could be) mounted by means of regular user actions have (or would have) noexec, nosuid and nodev options.
The options themselves are not really important, because the rules are templated, and the template boils down to checking for a mount option for a particular mounted partition when it is mounted, and then checking for some mount option for a partition that might be mounted at an arbitrary point in time. The current state is pretty obvious. The rule has to go through /proc/self/mounts and verify that all /dev/* entries that are not present in /etc/fstab (or are present but have the noauto option there) are mounted with the mount option in question. Everything else is either a special filesystem or a non-removable device, which is expected to be present at system boot time and would be waited for.

The configuration of the possible mount options for the various filesystems that might be added by the user is a lot more complicated. Let's get into the various ways a user has to add another filesystem (nothing here will require root access):

1) USB Mass Storage

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sdc      8:32   0 931.5G  0 disk
└─sdc1   8:33   0 931.5G  0 part /run/media/ekolesni/WD

/dev/sdc1 on /run/media/ekolesni/WD type ext4 (rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2)

sdd      8:48   1  59.8G  0 disk
└─sdd1   8:49   1  59.8G  0 part /run/media/ekolesni/Samsung USB

/dev/sdd1 on /run/media/ekolesni/Samsung USB type vfat (rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)

USB Mass Storage devices are combined removable media and devices. These are the relevant parts of lsblk and mount. The first one is a USB HDD. Note how it is reported as non-removable in the 3rd column of lsblk, RM (which is essentially /sys/block/sdc/removable), thus rendering this flag unreliable. The second one is a USB flash drive with the correct removable flag. Both of them lack the noexec option, and, even further, the vfat flash drive has the showexec option, which marks all .exe, .cmd and .bat files as executable.
These options are HARDCODED in udisks and there is NO sane WAY to OVERRIDE them [1,2,3]. One could try to mitigate this problem by adding an entry to /etc/fstab (which would require root access), but it will only be applicable to ONE particular device, not to all USB mass storage, ergo not helpful at all. Huge problem here, in both checking and fixing the issue.

2) CD(DVD)-ROM(RW)

sr0     11:0    1 548.8M  0 rom  /run/media/ekolesni/Shopen

/dev/sr0 on /run/media/ekolesni/Shopen type iso9660 (ro,nosuid,nodev,relatime,norock,check=r,map=n,blocksize=2048,uid=1000,gid=1000,dmode=500,fmode=400,uhelper=udisks2)

The template is already operating on these types of devices, but we should also be aware that it could also be a USB drive, which would mean that the /dev/sr0 drive might be absent in addition to the media itself. The udisks remark is also fully applicable here. I think that ATM we should fix the description of the rule to match what it is really trying to do (check CD-ROMs), and fix it to do that properly (best effort). Everything else I would consider an improvement of the rule (a pretty time-consuming one) that should not be implemented during a bug-fixing cycle.

3) Card Readers

sda      8:0    1  29.6G  0 disk
└─sda1   8:1    1  29.6G  0 part /run/media/ekolesni/SDHC

/dev/sda1 on /run/media/ekolesni/SDHC type fuseblk (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096,uhelper=udisks2)

This particular card reader is physically non-removable, but since it is connected via the USB bus on the motherboard (a regular situation) it is indistinguishable from its USB-plugged siblings. Removable media makes it a bit like a CD-ROM device, but in all other aspects it is more like USB Mass Storage devices. Udisks!
4) Virtual loop devices

loop1          7:1    0   1.8G  1 loop
├─loop1p1    259:4    0   1.8G  1 part /run/media/ekolesni/Fedora-WS-Live-31-1-9
├─loop1p2    259:5    0  10.6M  1 part
└─loop1p3    259:6    0  22.2M  1 part

/dev/loop1p1 on /run/media/ekolesni/Fedora-WS-Live-31-1-9 type iso9660 (ro,nosuid,nodev,relatime,nojoliet,check=s,map=n,blocksize=2048,uid=1000,gid=1000,dmode=500,fmode=400,uhelper=udisks2)

Loop devices are used to emulate block-based devices out of an image (usually a file). An .iso file is a good example of this, and it could be activated by a user with the help of gnome-disk-image-mounter (a frontend for udisks and losetup).

5) Network shares, PTP and MTP for smartphones (gvfs); Flatpak

All gvfs filesystems will end up there:

gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

/etc/fstab has nothing to do with these mounts and it is not clear whether the rule should deal with them, but they are still filesystems and they lack noexec, for example.

Flatpak, huh!

/dev/fuse on /run/user/1000/doc type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

This filesystem is used for sharing content between the host and Flatpak's sandbox. No noexec. It will throw a wrench in the run-time state validation as well, by semantically being a device (/dev/fuse).
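As an added illustration (not code from this post or from the scap-security-guide project), here is a best-effort version of the run-time check described at the start of the message: walk /proc/self/mounts, keep the /dev/* entries that /etc/fstab does not mount at boot (absent, or present with noauto), and report the ones lacking the option under test. It assumes that fstab and mounts are matched by mount point (which sidesteps UUID= entries), and the sample inputs are constructed from the output quoted in this message; running it for noexec also shows the /dev/fuse document portal being caught by the /dev/* test, as noted above.

```python
# Added example, not from the post or the scap-security-guide project. Matching
# of fstab against /proc/self/mounts is by mount point (an assumption) so that
# UUID= entries need no resolution.

# Constructed sample in /proc/self/mounts layout (spaces escaped as \040),
# built from the lsblk/mount output quoted in the message.
PROC_MOUNTS = """\
/dev/nvme0n1p2 /boot ext4 rw,seclabel,relatime 0 0
/dev/mapper/fedora_localhost--live-root / ext4 rw,seclabel,relatime 0 0
/dev/sdc1 /run/media/ekolesni/WD ext4 rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2 0 0
/dev/sdd1 /run/media/ekolesni/Samsung\\040USB vfat rw,nosuid,nodev,relatime,showexec,uhelper=udisks2 0 0
/dev/sr0 /run/media/ekolesni/Shopen iso9660 ro,nosuid,nodev,relatime,uhelper=udisks2 0 0
/dev/fuse /run/user/1000/doc fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000 0 0
"""

# Constructed sample in /etc/fstab layout; the /dev/sr0 noauto line is invented
# to exercise the noauto rule, the others come from the appendix.
FSTAB = """\
# comment and blank lines are ignored
UUID=6b3513d4-d3cd-4cff-a8df-0a8b589c671f /boot ext4 defaults 1 2
/dev/mapper/fedora_localhost--live-root / ext4 defaults,x-systemd.device-timeout=0 1 1
/dev/sr0 /run/media/ekolesni/Shopen iso9660 noauto,ro 0 0
"""

def _entries(text):
    """Yield (device, mountpoint, fstype, option set) from mounts/fstab text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        dev, mnt, fstype, opts = fields[:4]
        yield dev, mnt.replace("\\040", " "), fstype, set(opts.split(","))

def permanent_mountpoints(fstab_text):
    """Mount points fstab brings up at boot: listed and not marked noauto."""
    return {mnt for _, mnt, _, opts in _entries(fstab_text) if "noauto" not in opts}

def missing_option(proc_mounts, fstab_text, option):
    """Return (device, mountpoint, fstype) for each /dev/* filesystem that a
    user action could have mounted and that lacks `option`. /dev/fuse (the
    Flatpak document portal) passes the /dev/* test and is reported too."""
    permanent = permanent_mountpoints(fstab_text)
    return [(dev, mnt, fstype)
            for dev, mnt, fstype, opts in _entries(proc_mounts)
            if dev.startswith("/dev/") and mnt not in permanent and option not in opts]
```

For the sample above, missing_option(PROC_MOUNTS, FSTAB, "noexec") reports the two USB sticks, the CD-ROM and the Flatpak portal, while the nosuid and nodev checks come back empty, matching the udisks behaviour described in the message.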
Appendix:

1) Non-removable system device (as an example)

nvme0n1                                          259:0    0 238.5G  0 disk
├─nvme0n1p1                                      259:1    0   200M  0 part  /boot/efi
├─nvme0n1p2                                      259:2    0     1G  0 part  /boot
└─nvme0n1p3                                      259:3    0 237.3G  0 part
  └─luks-aec1b607-5b8c-42bf-c19d-4811515be435    253:0    0 237.3G  0 crypt
    ├─fedora_localhost--live-root                253:1    0    70G  0 lvm   /
    ├─fedora_localhost--live-swap                253:2    0   7.9G  0 lvm   [SWAP]
    └─fedora_localhost--live-home                253:3    0 159.4G  0 lvm   /home

/dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
/dev/nvme0n1p2 on /boot type ext4 (rw,relatime,seclabel)
/dev/mapper/fedora_localhost--live-root on / type ext4 (rw,relatime,seclabel)
/dev/mapper/fedora_localhost--live-home on /home type ext4 (rw,relatime,seclabel)

2) /etc/fstab

UUID=6b3513d4-d3cd-4cff-a8df-0a8b589c671f /boot ext4 defaults 1 2
UUID=4C38-AC88 /boot/efi vfat umask=0077,shortname=winnt 0 2
/dev/mapper/fedora_localhost--live-root / ext4 defaults,x-systemd.device-timeout=0 1 1
/dev/mapper/fedora_localhost--live-home /home ext4 defaults,x-systemd.device-timeout=0 1 2
/dev/mapper/fedora_localhost--live-swap none swap defaults,x-systemd.device-timeout=0 0 0

Links:
[1] - https://lists.freedesktop.org/archives/devkit-devel/2015-April/001668.html
[2] - https://bugs.freedesktop.org/show_bug.cgi?id=33461
[3] - https://unix.stackexchange.com/questions/155567/mounting-removable-usb-disks-with-nodev-noexec-nosuid

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org