git.ipfire.org Git - ipfire-2.x.git/commit
linux: Amend upstream patch to harden mount points of /dev
author    Peter Müller <peter.mueller@ipfire.org>
          Sat, 25 Jun 2022 22:20:48 +0000 (22:20 +0000)
committer Peter Müller <peter.mueller@ipfire.org>
          Sat, 25 Jun 2022 22:20:48 +0000 (22:20 +0000)
commit    0664b1720d2d32f01ad9b9126450e35aa4d357df
tree      2ff1d70f045226d3fe6e178615ec5409fa2ca577
parent    617bb64f6315b93f7b6dbbe7304ae634ca4fad78
linux: Amend upstream patch to harden mount points of /dev

This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.

The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.

As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.

Fixes: #12889
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
config/kernel/kernel.config.aarch64-ipfire
config/kernel/kernel.config.armv6l-ipfire
config/kernel/kernel.config.riscv64-ipfire
config/kernel/kernel.config.x86_64-ipfire
lfs/linux
src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch [new file with mode: 0644]
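As an added check (not part of this commit, of the upstream kernel patch, or of IPFire), the POSIX shell script below reads a mount table in /proc/self/mounts format and reports whether /dev carries the nosuid and noexec options that the backported patch makes the kernel apply to its own devtmpfs automount. Because dracut leaves an already mounted /dev untouched, the only reliable place to verify the result is the final mount table, which is what this script inspects. The two embedded mount tables are constructed samples, not output from an IPFire system, and the function names (mount_opts, missing_flags, check_dev_hardening) are my own.

```shell
#!/bin/sh
# Added example, not IPFire code: verify that /dev is mounted with the
# hardening flags a CONFIG_DEVTMPFS_MOUNT kernel is expected to set.

# Constructed sample tables in /proc/self/mounts format (fields:
# source target fstype options dump pass). The first models a kernel that
# automounts devtmpfs with only the default options; the second models a
# kernel carrying the noexec/nosuid patch. Sizes are made up.
WEAK_TABLE='devtmpfs /dev devtmpfs rw,relatime,size=1993056k,nr_inodes=498264,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
HARDENED_TABLE='devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime,size=1993056k,nr_inodes=498264,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts TABLE MOUNTPOINT
# Print the option field of the last table entry whose target is MOUNTPOINT.
# Later entries overlay earlier ones, so the last line is the effective mount;
# an empty result means nothing is mounted there.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# missing_flags TABLE MOUNTPOINT FLAG...
# Print the FLAGs that are absent from MOUNTPOINT's options, space separated;
# print nothing when every flag is present. Matching is on whole
# comma-separated tokens so that e.g. "nodev" does not match "dev".
missing_flags() {
    table="$1"; mp="$2"; shift 2
    opts=$(mount_opts "$table" "$mp")
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# check_dev_hardening [TABLE]
# Exit 0 when /dev has both nosuid and noexec, 1 otherwise. Without an
# argument the live mount table of the running system is used. nodev is
# deliberately not required: /dev must hold device nodes.
check_dev_hardening() {
    table="${1:-$(cat /proc/self/mounts)}"
    m=$(missing_flags "$table" /dev nosuid noexec)
    if [ -z "$m" ]; then
        echo "/dev: ok (nosuid,noexec present)"
        return 0
    fi
    echo "/dev: missing $m"
    return 1
}

# Demonstration on the constructed tables, then on the live system when
# /proc/self/mounts is readable. "|| :" keeps a failing check from aborting
# the script under "set -e".
for t in "$WEAK_TABLE" "$HARDENED_TABLE"; do
    check_dev_hardening "$t" || :
done
if [ -r /proc/self/mounts ]; then
    check_dev_hardening || :
fi
```

Run it as is to see both sample verdicts followed by the verdict for the machine it runs on; on a box where /dev reports "missing nosuid noexec" the kernel automount options were left as-is, which is the state described in the commit message.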