V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -94,6 +94,7 @@ image: "linux-image-amd64"     # Could be a meta-package or a specific image lik
                                # "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
                                # "linux-image-rt-amd64" || "linux-image-rt-arm64"
                                # "linux-image-6.12.30+bpo-amd64"
+needrun: false                 # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
 
 ################################################################################################################################
 # Dropbear settings
@@ -156,11 +157,11 @@ grub_parameter:
 
   ##############################################################################################################################
   # Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to access stale data contents.
-  # iommu.passthrough=0
+  # - 'iommu.passthrough=0'
   # Prevents devices from operating in identity-mapped passthrough mode. Without this parameter (or with =1), devices could be
   # passed through without being monitored by the IOMMU in a truly restrictive manner. From a security standpoint,
-  # iommu.passthrough=0 is an important step toward DMA isolation for all devices, especially for untrusted PCI(e) devices.
+  # - 'iommu.passthrough=0' is an important step toward DMA isolation for all devices, especially for untrusted PCI(e) devices.
-  # iommu.strict=1
+  # - 'iommu.strict=1'
   # Enables Strict Mode for dma-iommu.c (i.e., all DMA transactions are validated synchronously). Without this parameter, the
   # kernel often runs in lazy mode, where mapping caches are used.
   # Performance vs. security: strict=1= more secure, but potentially slower, especially with many small DMA transfers.

ciss_debian_installer.sh

@@ -210,9 +210,9 @@ uuid_logger
 echo "MAIN PROGRAM SEQUENCE: func_debootstrap() ..."
 func_debootstrap
 echo "MAIN PROGRAM SEQUENCE: configure_system() ..."
-configure_system
+configure_system  # TODO: 4020() Command: [mkdir -p /etc/systemd/system/multi-user.target.wants] failed in: '/target'.
 echo "MAIN PROGRAM SEQUENCE: generate_fstab() ..."
-generate_fstab    # TODO: Checks ongoing.
+generate_fstab    # TODO: Checks ongoing. Format errors. SWAP missing
 echo "MAIN PROGRAM SEQUENCE: generate_crypttab() ..."
 generate_crypttab # TODO: Checks ongoing.
 echo "MAIN PROGRAM SEQUENCE: generate_sources() ..."

func/helper/1080_helper_chroot.sh

@@ -14,9 +14,9 @@ guard_sourcing
 
 #######################################
 # Use do_in_target() for:
-#   simple commands (e.g., dpkg, ln, mkdir, apt, etc.)
+#   - simple commands (e.g., dpkg, ln, mkdir, apt, etc.).
 # Use do_in_target_script() for:
-#   all shell scripts, redirects, pipes, conditions, loops, or subshells
+#   - all shell scripts, redirects, pipes, conditions, loops, or subshells.
 #######################################
 
 #######################################
@@ -32,34 +32,52 @@ guard_sourcing
 #   ERR_CHRT_COMMAND: on failure
 #######################################
 do_in_target() {
-  declare var_chroot_target="$1"
+  declare    var_chroot_target="$1"; shift
-  shift
   declare -a ary_chroot_command=("$@")
+  declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+  declare -i var_chroot_rc=0
 
   if (( ${#ary_chroot_command[@]} == 0 )); then
-    do_log "emergency" "file_only" "Empty command passed to 'do_in_target()'."
+
+    do_log "emergency" "file_only" "1080() Empty command passed to 'do_in_target()'."
     return "${ERR_CHRT_COMMAND}"
+
   fi
 
-  if chroot "${var_chroot_target}" /usr/bin/env -i \
+  if ! chroot "${var_chroot_target}" /usr/bin/env -i PATH="${var_default_path}" which "${ary_chroot_command[0]}" &>/dev/null; then
-    HOME=/root \
+
-    PATH=/usr/sbin:/usr/bin:/sbin:/bin \
+    do_log "emergency" "file_only" "1080() Binary: '${ary_chroot_command[0]}' not found in target 'PATH=${var_default_path}'."
-    TERM="${TERM}" \
+    do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i PATH=${var_default_path} which ${ary_chroot_command[0]} &>/dev/null]."
-    LANG=C.UTF-8 \
-    LC_ALL=C.UTF-8 \
-    "${ary_chroot_command[@]}"
-  then
-    do_log "info" "file_only" "Success: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
-    return 0
-  else
-    do_log "emergency" "file_only" "Failed: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
     return "${ERR_CHRT_COMMAND}"
+
+  fi
+
+  if ! chroot "${var_chroot_target}" /usr/bin/env -i \
+    HOME="/root" \
+    PATH="${var_default_path}" \
+    TERM="${TERM}" \
+    LANG="C.UTF-8" \
+    LC_ALL="C.UTF-8" \
+    "${ary_chroot_command[@]}"
+
+  then
+
+    var_chroot_rc="${?}"
+    do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 ${ary_chroot_command[*]}] failed."
+    do_log "emergency" "file_only" "1080() Command: [Return code: '${var_chroot_rc}']."
+    return "${ERR_CHRT_COMMAND}"
+
+  else
+
+    do_log "info" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 ${ary_chroot_command[*]}] successful."
+    return 0
+
   fi
 }
 
 #######################################
 # Execute a full shell script line inside the chroot via bash -c.
-# Supports interactive debug shell on error.
+# TODO: Supports interactive debug shell on error.
 # Globals:
 #   ERR_CHRT_COMMAND
 #   TERM
@@ -72,43 +90,44 @@ do_in_target() {
 #   ERR_CHRT_COMMAND: on failure
 #######################################
 do_in_target_script() {
-  declare var_chroot_target="$1"
+  declare    var_chroot_target="$1"; shift
-  shift
   declare    var_chroot_script="$1"
+  declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+  declare -i var_chroot_rc=0
 
   if [[ -z "${var_chroot_script}" ]]; then
-    do_log "emergency" "file_only" "Empty command passed to 'do_in_target_script()'."
+
+    do_log "emergency" "file_only" "1080() Empty command passed to 'do_in_target_script()'."
     return "${ERR_CHRT_COMMAND}"
+
   fi
 
-  # do_log "debug" "file_only" "Evaluating chroot script in '${var_chroot_target}': '${var_chroot_script}'."
+  if ! chroot "${var_chroot_target}" /usr/bin/env -i \
-
+    HOME="/root" \
-  if chroot "${var_chroot_target}" /usr/bin/env -i \
+    PATH="${var_default_path}" \
-    HOME=/root \
-    PATH=/usr/sbin:/usr/bin:/sbin:/bin \
     TERM="${TERM}" \
-    LANG=C.UTF-8 \
+    LANG="C.UTF-8" \
-    LC_ALL=C.UTF-8 \
+    LC_ALL="C.UTF-8" \
     /bin/bash -c "${var_chroot_script}"
 
   then
 
-    do_log "info" "file_only" "Success: chroot '${var_chroot_target}': '${var_chroot_script}'."
+    var_chroot_rc="${?}"
-    return 0
+    do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 /bin/bash -c ${var_chroot_script}] failed."
-
+    do_log "emergency" "file_only" "1080() Command: [Return code: '${var_chroot_rc}']."
-  else
+    return "${ERR_CHRT_COMMAND}"
-
-    declare -i var_chroot_rc="${?}"
-    do_log "emergency" "file_only" "Failure: chroot '${var_chroot_target}': '${var_chroot_script}'."
-    do_log "info" "file_only" "Return code: '${var_chroot_rc}'."
 
     # TODO: Test with Dialog Wrapper in interactive mode.
+    # TODO: Call clean screen first to terminate dialog wrapper !
     #if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
     #  do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
     #  chroot "${var_chroot_target}" /bin/bash -l
     #fi
 
-    return "${ERR_CHRT_COMMAND}"
+  else
+
+    do_log "info" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 /bin/bash -c ${var_chroot_script}] successful."
+    return 0
 
   fi
 }

func/helper/1251_yaml_reader.sh

@@ -32,50 +32,120 @@ guard_sourcing
 #######################################
 yaml_reader() {
   ### Declare Arrays, HashMaps, and Variables.
+  # shellcheck disable=SC2034
   declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
-              VAR_RECIPE_TABLE=""
+              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false"
-
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
-  ### Search pattern for variables (recipe_<string>_active='true')
-  declare -r  var_search_pattern="^recipe_.*_active='true'"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
               recipe_firmware_var="" recipe_nuke_var="" recipe_table_var=""
 
-  ### Read "${var_if}" line by line
+  ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
-    ### Check, if line matches the search pattern
+
+    ### Check, if line matches the search pattern.
     if [[ "${var_line}" =~ ^recipe_([^_]+)_active=\'true\' ]]; then
+
       var_middle_part="${BASH_REMATCH[1]}"
       VAR_RECIPE_STRING="${var_middle_part}"
       break
+
     fi
-    #if [[ "${var_line}" =~ ${var_search_pattern} ]]; then
+
-    #  ### Extract the middle part or second position
-    #  var_middle_part=$(echo "${var_line}" | sed -E "s/^recipe_([^_]+)_active='true'/\1/")
-    #  VAR_RECIPE_STRING="${var_middle_part}"
-    #  ### Exit after first occurrence
-    #  break
-    #fi
   done < "${var_if}"
 
   if [[ -n "${VAR_RECIPE_STRING}" ]]; then
+
     do_log "info" "file_only" "1251() Found active recipe string: '${VAR_RECIPE_STRING}'."
+
   else
+
     do_log "fatal" "file_only" "1251() Found NO active recipe string: '${VAR_RECIPE_STRING}'."
     exit "${ERR_NO_VALID_RECIPE}"
+
   fi
 
+  ### Search "${var_if}" for matching recipe_${VAR_RECIPE_STRING}_dev_* entries and find the highest dev letter.
+  # shellcheck disable=SC2312
+  var_highest_dev=$(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}" | awk -F'_' '
+{
+  if (NF >= 4) {
+    ### Extract 4th position (e.g., "recipe_${VAR_RECIPE_STRING}_dev_sda" or "recipe_${VAR_RECIPE_STRING}_dev_vda")
+    device_field = $4
+    ### Check, if field is at least 3 char wide and last char contains a letter
+    if (length(device_field) >= 3) {
+      last_char = substr(device_field, length(device_field), 1)  ### Extract last letter of respective field
+      if (last_char ~ /^[a-z]$/ && last_char > max) {
+        max = last_char
+      }
+    }
+  }
+}
+END { print max }
+')
+
+  ### Save the result in VAR_RECIPE_HIGHEST_DEVICE.
+  VAR_RECIPE_HIGHEST_DEVICE="${var_highest_dev}"
+
+  if [[ -n "${VAR_RECIPE_HIGHEST_DEVICE}" ]]; then
+
+    do_log "info" "file_only" "1251() Found highest recipe device: '${VAR_RECIPE_HIGHEST_DEVICE}'."
+
+  else
+
+    do_log "fatal" "file_only" "1251() Found NO highest recipe device: '${VAR_RECIPE_HIGHEST_DEVICE}'."
+    exit "${ERR_NO_VALID_RECIPE}"
+
+  fi
+
+  ### Read var_if and iterate through all matching entries without executing in a subshell
+  # shellcheck disable=SC2312
+  while read -r var_line; do
+    ### Extract fields of line
+    IFS='_' read -ra var_fields <<< "${var_line}"
+
+    ### Check that enough fields are available
+    if [[ "${#var_fields[@]}" -ge 5 ]]; then
+      var_device="${var_fields[3]}"    ### The fourth position includes the device (e.g., sda, vda, xvda)
+      var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13)
+
+      ### Check, if the partition is a number and higher than the current value
+      if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then
+        declare -i cur="${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0}"
+        if (( var_partition > cur )); then
+
+        #if [[ -z "${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-}" || "${var_partition}" -gt ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0} ]]; then
+          # shellcheck disable=SC2004
+          HMP_RECIPE_DEV_PARTITIONS[${var_device}]="${var_partition}"
+        fi
+
+      fi
+
+    fi
+  done < <(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}")
+
+  for var_device in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
+
+    do_log "info" "file_only" "1251() Highest number of partitions: [${var_device}:${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}]."
+
+  done
+
   ### Extract architecture.
+  # shellcheck disable=SC2034
   VAR_ARCHITECTURE="${architecture}"
 
+  ### Extract chroot secure '/run' mounting strategy.
+  # shellcheck disable=SC2034
+  VAR_NEED_RUN_IN_TARGET="${needrun}"
+
   ### Extract chosen firmware.
   recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
   VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
 
   ### Extract the chosen Nuke mechanism.
   recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
+  # shellcheck disable=SC2034
   VAR_NUKE="${!recipe_nuke_var}"
 
   ### Extract chosen partition table.

func/system/4020_configure_system.sh

@@ -17,6 +17,8 @@ guard_sourcing
 # Globals:
 #   ERR_CHRT_MOUNTS
 #   TARGET
+#   VAR_CHROOT_ACTIVATED
+#   VAR_NEED_RUN_IN_TARGET
 # Arguments:
 #   None
 # Returns:
@@ -26,34 +28,93 @@ guard_sourcing
 configure_system() {
 
   ### Notes
+  # This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
   # --rbind: recursive binding.
   # --make-rslave: In this case, the mount point is marked as 'slave'.
-  # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}"/proc).
+  # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
   # Conversely, changes to the target mount are not propagated back to the source mount.
   # This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
+  #
+  # Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
+  # like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
+  # enforce proper runtime behavior in the chroot.
 
-  declare    var_src="" var_dst=""
+  ### Declare Arrays, HashMaps, and Variables.
-  declare -a ary_mounts=(proc sys dev run)
+  declare -A  HMP_SPECIAL_MOUNTS=(
+    ["/dev/pts"]="devpts devpts noexec,nosuid"                           ### Mount 'devpts' (used by pseudo-terminals).
+    ["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev"                           ### Mount 'tmpfs' for '/dev/shm' (shared memory).
+    ["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec"               ### Mount 'mqueue' for POSIX message queues.
+    ["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev"             ### Mount 'hugetlbfs' (huge pages, may be unused but required on some 'archs').
+    ["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" ### Mount unified 'cgroup2' hierarchy.
+  )
 
-  for var_src in "${ary_mounts[@]}"; do
+  declare -a  ary_mount=( "/proc" "/sys" "/dev" )
-    var_dst="${TARGET}/${var_src}"
+  declare     var_src="" var_dst="" var_path="" var_fs="" var_opts=""
-    mkdir -p "${var_dst}"
 
-    if ! mount --make-rslave --rbind "/${var_src}" "${var_dst}"; then
+  for var_path in "${ary_mount[@]}" "${!HMP_SPECIAL_MOUNTS[@]}"; do
-      do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind /${var_src} ${var_dst}] failed."
+
+    mkdir -p "${TARGET}${var_path}"
+
+  done
+
+  for var_src in "${ary_mount[@]}"; do
+    var_dst="${TARGET}${var_src}"
+
+    if ! mount --make-rslave --rbind "${var_src}" "${var_dst}"; then
+
+      do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind ${var_src} ${var_dst}] failed."
       return "${ERR_CHRT_MOUNTS}"
+
     fi
 
-    do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind /${var_src} ${var_dst}] successful."
+    do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind ${var_src} ${var_dst}] successful."
+
+  done
+
+  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
+
+    mkdir -p "${TARGET}/run"
+
+    if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
+
+      do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
+      return "${ERR_CHRT_MOUNTS}"
+
+    fi
+
+    do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
+
+  fi
+
+  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
+
+    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
+
+    if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
+
+      do_log "emergency" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
+      return "${ERR_CHRT_MOUNTS}"
+
+    else
+
+      do_log "info" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
+
+    fi
 
   done
 
   if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
+
+    do_log "emergency" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
     return "${ERR_CHRT_MOUNTS}"
+
+  else
+
+    do_log "info" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
+
   fi
 
-  do_log "info" "file_only" "4020() Command: [mkdir -p /etc/systemd/system/multi-user.target.wants] failed in: '${TARGET}'."
+  # shellcheck disable=SC2034
-
   declare -gx VAR_CHROOT_ACTIVATED="system"
 
   return 0

func/system/4040_generate_fstab.sh

@@ -30,12 +30,12 @@ write_fstab() {
 
   if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
 
-    printf "%-43s%-28s%-8s%-74s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
+    printf "%-43s%-28s%-8s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
     do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
 
   elif [[ "${write_maps}" == /dev/mapper/* ]]; then
 
-    printf "%-43s%-28s%-8s%-74s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
+    printf "%-43s%-28s%-8s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
     do_log "info" "file_only" "4040() fstab entry generated: [${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
 
   fi
@@ -67,7 +67,7 @@ generate_fstab() {
   : >| "${TARGET}/etc/fstab"
   chmod 0600 "${TARGET}/etc/fstab"
 
-  cat << 'EOF' >> "${TARGET}/etc/fstab"
+  cat << "EOF" >> "${TARGET}/etc/fstab"
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -79,6 +79,8 @@ generate_fstab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+# CISS.debian.installer ${VAR_VERSION}
+
 # Static file system information '/etc/fstab'.
 #
 # Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
@@ -89,19 +91,6 @@ generate_fstab() {
 #
 # <file system UUID>                       <mount point>               <type>  <options>                                                                                           <dump> <pass>
 
-### Secure tmpfs mounts for a hardened system
-
-# Mount the proc filesystem to provide process and kernel information
-proc                                       /proc                       proc    nodev,nosuid,noexec,hidepid=2                                             0 0
-# Mount sysfs to expose kernel device information to user space
-sysfs                                      /sys                        sysfs   defaults                                                                  0 0
-# Mount the devpts filesystem to enable pseudo-terminal support for user sessions
-devpts                                     /dev/pts                    devpts  gid=5,mode=620                                                            0 0
-# Restrict /dev/shm to shared memory, limit size, prevent code execution
-tmpfs                                      /dev/shm                    tmpfs   rw,nodev,noexec,nosuid,relatime,size=1G                                   0 0
-# System runtime directory in RAM; do not set noexec here for compatibility
-tmpfs                                      /run                        tmpfs   mode=0755,nodev,nosuid                                                    0 0
-
 EOF
 
   ### Generate dynamic '${TARGET}/etc/fstab' entries.
@@ -109,15 +98,7 @@ EOF
 
     case "${var_path,,}" in
 
-      swap)
+      swap|SWAP) continue;;
-
-        var_dmapper="${HMP_EPHEMERAL_ENCLABEL["${var_path}"]}"
-        var_fs_uuid="/dev/mapper/${var_dmapper}"
-        var_fs_path="none"
-        var_fs_type="swap"
-        var_fs_opts="defaults"
-        var_fs_pass="0"
-        ;;
 
       /tmp)
 
@@ -172,6 +153,15 @@ EOF
 
   done
 
+  ### Generate separate SWAP entry.
+  var_dmapper="${HMP_EPHEMERAL_ENCLABEL["SWAP"]}"
+  var_fs_uuid="/dev/mapper/${var_dmapper}"
+  var_fs_path="none"
+  var_fs_type="swap"
+  var_fs_opts="defaults"
+  var_fs_pass="0"
+  write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
+
   cat << 'EOF' >> "${TARGET}/etc/fstab"
 
 /dev/sr0                                   /media/cdrom0  udf,iso9660  user,noauto                                                                                                 0 0
@@ -179,16 +169,37 @@ EOF
 EOF
   do_log "info" "file_only" "fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
 
+  cat << 'EOF' >> "${TARGET}/etc/fstab"
+### Secure tmpfs mounts for a hardened system
+
+# Mount the proc filesystem to provide process and kernel information
+proc                                       /proc                       proc    nodev,nosuid,noexec,hidepid=2                                                                       0 0
+# Mount sysfs to expose kernel device information to user space
+sysfs                                      /sys                        sysfs   defaults                                                                                            0 0
+# Mount the devpts filesystem to enable pseudo-terminal support for user sessions
+devpts                                     /dev/pts                    devpts  gid=5,mode=620                                                                                      0 0
+# Restrict /dev/shm to shared memory, limit size, prevent code execution
+tmpfs                                      /dev/shm                    tmpfs   rw,nodev,noexec,nosuid,relatime,size=1G                                                             0 0
+# System runtime directory in RAM; do not set noexec here for compatibility
+tmpfs                                      /run                        tmpfs   mode=0755,nodev,nosuid                                                                              0 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=192 ft=sh
+EOF
+
   : >| "${DIR_LOG}/fstab.verify.log"
   chmod 0600 "${DIR_LOG}/fstab.verify.log"
 
-  do_in_target_script "${TARGET}" 'systemd-analyze verify /etc/fstab' >> "${DIR_LOG}/fstab.verify.log" 2>&1
+  do_in_target_script "${TARGET}" "systemd-analyze verify /etc/fstab >> ${DIR_LOG}/fstab.verify.log" 2>&1
   rc="$?"
 
   if (( rc == 0 )); then
+
     do_log "info" "file_only" "4040() '/etc/fstab' verified successfully with systemd-analyze."
+
   else
+
     do_log "warning" "file_only" "4040() '/etc/fstab' verification returned errors — see '${DIR_LOG}/fstab.verify.log'."
+
   fi
 
   return 0

func/system/4999_exiting_chroot_system.sh

@@ -13,23 +13,33 @@
 guard_sourcing
 
 #######################################
-# Exiting chroot.
+# Exiting chroot of the target system.
 # Globals:
 #   TARGET
+#   VAR_NEED_RUN_IN_TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 exiting_chroot_system() {
-  umount -lf "${TARGET}/proc"
+  ### Declare Arrays, HashMaps, and Variables.
-  do_log "info" "file_only" "'umount -lf ${TARGET}/proc'."
+  declare -a ary_umount=( "/sys/fs/cgroup" "/dev/hugepages" "/dev/mqueue" "/dev/shm" "/dev/pts" "/proc" "/sys" "/dev" )
-  umount -lf "${TARGET}/sys"
+  declare    var_path=""
-  do_log "info" "file_only" "'umount -lf ${TARGET}/sys'."
+
-  umount -lf "${TARGET}/dev"
+  for var_path in "${ary_umount[@]}"; do
-  do_log "info" "file_only" "'umount -lf ${TARGET}/dev'."
+
-  umount -lf "${TARGET}/run"
+    umount -l "${TARGET}${var_path}" 2>/dev/null || true
-  do_log "info" "file_only" "'umount -lf ${TARGET}/run'."
+    do_log "info" "file_only" "4999() Command: [umount -l ${TARGET}${var_path} 2>/dev/null || true] issued."
+
+  done
+
+  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
+
+    umount -l "${TARGET}/run" 2>/dev/null || true
+    do_log "info" "file_only" "4999() Command: [umount -l ${TARGET}/run 2>/dev/null || true] issued."
+
+  fi
 
   return 0
 }

var/global.var.sh

@@ -46,10 +46,11 @@ declare -grx VAR_PRESEED="${DIR_TMP}/combined.var"
 declare -grx VAR_SETUP_CONF="${DIR_CNF}/preseed.yaml"
 declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml"
 
-### Base mount paths for debootstrap.
+### Base mount paths and variables for debootstrap.
 declare -grx TARGET="/target"
 declare -grx RECOVERY="/recovery"
 declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap"
+declare -gx  VAR_NEED_RUN_IN_TARGET="false"
 
 ### Default log level.
 declare -gx VAR_DEFAULT_LOG_LEVEL="info"