@@ -61,7 +61,7 @@ early_mounts(void)
mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
mount("cgroup2", "/sys/fs/cgroup", "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME, "nsdelegate");
- mount("tmpfs", "/dev", "tmpfs", MS_NOATIME | MS_NOSUID, "mode=0755,size=512K");
+ mount("tmpfs", "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "mode=0755,size=512K");
ignore(symlink("/tmp/shm", "/dev/shm"));
mkdir("/dev/pts", 0755);
mount("devpts", "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "mode=600");
@@ -48,7 +48,7 @@ void procd_coldplug(void)
if (!is_container()) {
umount2("/dev/pts", MNT_DETACH);
umount2("/dev/", MNT_DETACH);
- mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755,size=512K");
+ mount("tmpfs", "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "mode=0755,size=512K");
mkdir("/dev/pts", 0755);
mount("devpts", "/dev/pts", "devpts", MS_NOEXEC | MS_NOSUID, 0);
}
/dev is writeable. Allowing execution inside it makes it a possible attack vector. Kees Cook recently sent a kernel patch [1] in order to mount /dev as noexec and nosuid for systems which rely on CONFIG_DEVTMPFS_MOUNT=y to create/populate /dev, which isn't our case (it's procd's responsibility). Add noexec to the /dev mount flags, since we already use nosuid (and keep the coldplug flags symmetric, while at it). This carries the risk of breaking very old, pre-KMS graphics drivers [2], but it shouldn't be a problem for systems built in the last ~15 years. The vast majority of our targets doesn't have a GPU, anyway. :) [1] https://lore.kernel.org/all/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/ [2] https://lore.kernel.org/all/CAPXgP12e5LpN6XVxaXOHhH=u8XXN==2reTaJDCoCk4tP4QduDQ@mail.gmail.com/ Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> --- initd/early.c | 2 +- plug/coldplug.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)