"btrfs");
}
+bool fstype_can_umask(const char *fstype) {
+ int r;
+
+ assert(fstype);
+
+ /* On new kernels we can just ask the kernel */
+ r = mount_option_supported(fstype, "umask", "0077");
+ if (r >= 0)
+ return r;
+
+ return streq(fstype, "vfat");
+}
+
bool fstype_can_uid_gid(const char *fstype) {
/* All file systems that have a uid=/gid= mount option that fixates the owners of all files and directories,
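Review bot: In `fstype_can_umask()` every negative result of `mount_option_supported()` falls through to the `streq(fstype, "vfat")` fallback, so a probe that failed for another reason looks the same as a kernel that cannot be asked (the error values are not visible in this hunk, so this is inferred from the `r >= 0` check). Since the result decides whether `umask=0077` is applied, any non-vfat file system that does accept `umask=` is reported as unsupported on that path, with nothing logged. I would add a comment above the fallback, `/* Fallback when the kernel cannot be asked: only vfat is listed, other umask= capable file systems are reported as unsupported */`, and consider a `log_debug_errno(r, ...)` before it. The function also has no explanatory comment of its own, unlike `fstype_can_uid_gid()` right after it.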
bool fstype_can_discard(const char *fstype);
bool fstype_can_uid_gid(const char *fstype);
bool fstype_can_norecovery(const char *fstype);
+bool fstype_can_umask(const char *fstype);
int dev_is_devtmpfs(void);
case PARTITION_XBOOTLDR:
flags |= MS_NOSUID|MS_NOEXEC|ms_nosymfollow_supported();
- if (!fstype || streq(fstype, "vfat"))
+ /* The ESP might contain a pre-boot random seed. Let's make this unaccessible to regular
+ * userspace. ESP/XBOOTLDR is almost certainly VFAT, hence if we don't know assume it is. */
+ if (!fstype || fstype_can_umask(fstype))
if (!strextend_with_separator(&options, ",", "umask=0077"))
return -ENOMEM;
break;
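Review bot: When `fstype` is set and `fstype_can_umask(fstype)` returns false, the `umask=0077` branch is skipped without a trace. Access to the pre-boot random seed named in the new comment then depends only on the permissions stored in that file system. A debug message on that path would show in the logs that the restriction was not applied, for example `log_debug("File system type '%s' takes no umask= option, not restricting access via mount options.", fstype);` in an `else` on the outer `if`, which then needs braces so the `else` does not bind to the `strextend_with_separator()` check. The enclosing switch and function start and end outside this hunk.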
assert_se(!fstype_can_norecovery("tmpfs"));
}
+TEST(fstype_can_umask) {
+ assert_se(fstype_can_umask("vfat"));
+ assert_se(!fstype_can_umask("tmpfs"));
+}
+
static int intro(void) {
/* let's move into our own mount namespace with all propagation from the host turned off, so
* that /proc/self/mountinfo is static and constant for the whole time our test runs. */