1 | From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <keescook@chromium.org> | |
3 | Date: Wed, 22 Dec 2021 17:50:20 +0500 | |
4 | Subject: devtmpfs: mount with noexec and nosuid | |
5 | ||
6 | devtmpfs is writable. Add the noexec and nosuid as default mount flags | |
7 | to prevent code execution from /dev. The systems who don't use systemd | |
8 | and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by | |
9 | this patch. Other systems are fine with the udev solution. | |
10 | ||
11 | No sane program should be relying on executing from /dev. So this patch | |
12 | reduces the attack surface. It doesn't prevent any specific attack, but | |
13 | it reduces the possibility that someone can use /dev as a place to put | |
14 | executable code. Chrome OS has been carrying this patch for several | |
15 | years. It seems a trivial and simple solution to improve the protection of | |
16 | /dev when CONFIG_DEVTMPFS_MOUNT=y. | |
17 | ||
18 | Original patch: | |
19 | https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/ | |
20 | ||
21 | Cc: ellyjones@chromium.org | |
22 | Cc: Kay Sievers <kay@vrfy.org> | |
23 | Cc: Roland Eggner <edvx1@systemanalysen.net> | |
24 | Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com> | |
25 | Signed-off-by: Kees Cook <keescook@chromium.org> | |
26 | Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com> | |
27 | Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64 | |
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
29 | --- | |
30 | drivers/base/Kconfig | 11 +++++++++++ | |
31 | drivers/base/devtmpfs.c | 10 ++++++++-- | |
32 | 2 files changed, 19 insertions(+), 2 deletions(-) | |
33 | ||
34 | diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig | |
35 | index ffcbe2bc460eb..6f04b831a5c04 100644 | |
36 | --- a/drivers/base/Kconfig | |
37 | +++ b/drivers/base/Kconfig | |
38 | @@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT | |
39 | rescue mode with init=/bin/sh, even when the /dev directory | |
40 | on the rootfs is completely empty. | |
41 | ||
42 | +config DEVTMPFS_SAFE | |
43 | + bool "Use nosuid,noexec mount options on devtmpfs" | |
44 | + depends on DEVTMPFS | |
45 | + help | |
46 | + This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount | |
47 | + flags when mounting devtmpfs. | |
48 | + | |
49 | + Notice: If enabled, things like /dev/mem cannot be mmapped | |
50 | + with the PROT_EXEC flag. This can break, for example, non-KMS | |
51 | + video drivers. | |
52 | + | |
53 | config STANDALONE | |
54 | bool "Select only drivers that don't need compile-time external firmware" | |
55 | default y | |
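Review bot: The help text explains what MS_NOEXEC and MS_NOSUID do but not which mount they apply to; nothing in it says that the option only changes the devtmpfs mounts the kernel performs itself, while an init system that mounts /dev on its own chooses its own flags, which is exactly the distinction the commit message draws. Adding one sentence to the first paragraph, `  This only affects the devtmpfs mounts performed by the kernel itself.`, would tell a reader when to expect the protection. The option also carries no `default` line, so it stays off unless a configuration selects it explicitly, which is worth knowing for anyone building a hardened kernel config.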
56 | diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c | |
57 | index 8be352ab4ddbf..1e2c2d3882e2c 100644 | |
58 | --- a/drivers/base/devtmpfs.c | |
59 | +++ b/drivers/base/devtmpfs.c | |
60 | @@ -29,6 +29,12 @@ | |
61 | #include <uapi/linux/mount.h> | |
62 | #include "base.h" | |
63 | ||
64 | +#ifdef CONFIG_DEVTMPFS_SAFE | |
65 | +#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID) | |
66 | +#else | |
67 | +#define DEVTMPFS_MFLAGS (MS_SILENT) | |
68 | +#endif | |
69 | + | |
70 | static struct task_struct *thread; | |
71 | ||
72 | static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT); | |
73 | @@ -363,7 +369,7 @@ int __init devtmpfs_mount(void) | |
74 | if (!thread) | |
75 | return 0; | |
76 | ||
77 | - err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL); | |
78 | + err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL); | |
79 | if (err) | |
80 | printk(KERN_INFO "devtmpfs: error mounting %i\n", err); | |
81 | else | |
82 | @@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p) | |
83 | err = ksys_unshare(CLONE_NEWNS); | |
84 | if (err) | |
85 | goto out; | |
86 | - err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL); | |
87 | + err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); | |
88 | if (err) | |
89 | goto out; | |
90 | init_chdir("/.."); /* will traverse into overmounted root */ | |
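Review bot: The new DEVTMPFS_MFLAGS definition in the first hunk has no comment, so a reader cannot tell why MS_NODEV is left out of the hardened set or why the same flags are also applied to the mount done after ksys_unshare(CLONE_NEWNS) in devtmpfs_setup(); a short comment above the `#ifdef` would close that gap, e.g. `/* Flags for the kernel's own devtmpfs mounts. MS_NODEV is deliberately absent: the filesystem exists to expose device nodes. */`. As a point of style, the file already uses `IS_ENABLED()` for CONFIG_DEVTMPFS_MOUNT two lines below the new macro, so the two preprocessor branches could be collapsed to `#define DEVTMPFS_MFLAGS (MS_SILENT | (IS_ENABLED(CONFIG_DEVTMPFS_SAFE) ? (MS_NOEXEC | MS_NOSUID) : 0))`. These flags cover only the two init_mount() calls shown here; whether they survive a later remount of /dev by userspace is outside this code's control, which the commit message acknowledges. Both devtmpfs_mount() and devtmpfs_setup() begin and end outside their hunks.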
91 | -- | |