--- /dev/null
+From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 22 Dec 2021 17:50:20 +0500
+Subject: devtmpfs: mount with noexec and nosuid
+
+devtmpfs is writable. Add the noexec and nosuid as default mount flags
+to prevent code execution from /dev. The systems who don't use systemd
+and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
+this patch. Other systems are fine with the udev solution.
+
+No sane program should be relying on executing from /dev. So this patch
+reduces the attack surface. It doesn't prevent any specific attack, but
+it reduces the possibility that someone can use /dev as a place to put
+executable code. Chrome OS has been carrying this patch for several
+years. It seems trivial and simple solution to improve the protection of
+/dev when CONFIG_DEVTMPFS_MOUNT=y.
+
+Original patch:
+https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/
+
+Cc: ellyjones@chromium.org
+Cc: Kay Sievers <kay@vrfy.org>
+Cc: Roland Eggner <edvx1@systemanalysen.net>
+Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/Kconfig | 11 +++++++++++
+ drivers/base/devtmpfs.c | 10 ++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
+index ffcbe2bc460eb..6f04b831a5c04 100644
+--- a/drivers/base/Kconfig
++++ b/drivers/base/Kconfig
+@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
+ rescue mode with init=/bin/sh, even when the /dev directory
+ on the rootfs is completely empty.
+
++config DEVTMPFS_SAFE
++ bool "Use nosuid,noexec mount options on devtmpfs"
++ depends on DEVTMPFS
++ help
++ This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
++ flags when mounting devtmpfs.
++
++ Notice: If enabled, things like /dev/mem cannot be mmapped
++ with the PROT_EXEC flag. This can break, for example, non-KMS
++ video drivers.
++
+ config STANDALONE
+ bool "Select only drivers that don't need compile-time external firmware"
+ default y
+diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
+index 8be352ab4ddbf..1e2c2d3882e2c 100644
+--- a/drivers/base/devtmpfs.c
++++ b/drivers/base/devtmpfs.c
+@@ -29,6 +29,12 @@
+ #include <uapi/linux/mount.h>
+ #include "base.h"
+
++#ifdef CONFIG_DEVTMPFS_SAFE
++#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID)
++#else
++#define DEVTMPFS_MFLAGS (MS_SILENT)
++#endif
++
+ static struct task_struct *thread;
+
+ static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
+@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
+ if (!thread)
+ return 0;
+
+- err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
++ err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ if (err)
+ printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
+ else
+@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
+ err = ksys_unshare(CLONE_NEWNS);
+ if (err)
+ goto out;
+- err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
++ err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ if (err)
+ goto out;
+ init_chdir("/.."); /* will traverse into overmounted root */
+--
+cgit
+