Explicitly harden mount options of sensitive file systems
authorPeter Müller <peter.mueller@ipfire.org>
Wed, 22 Jun 2022 12:23:10 +0000 (12:23 +0000)
committerPeter Müller <peter.mueller@ipfire.org>
Wed, 22 Jun 2022 12:23:10 +0000 (12:23 +0000)
These were found to have been lost after upgrading to Core Update 169, so we
set them explicitly to avoid accidental security downgrades.

https://lists.ipfire.org/pipermail/development/2022-June/013714.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
src/initscripts/system/mountkernfs
src/initscripts/system/udev

index d97b745be6e2f0821f175517eb12017bd9603a8b..b660083ec406792322c2d5d5465f7cb148a37730 100644 (file)
@@ -28,17 +28,17 @@ case "${1}" in
 
                if ! mountpoint /proc &> /dev/null; then
                        boot_mesg -n " /proc" ${NORMAL}
-                       mount -n -t proc /proc /proc || failed=1
+                       mount -n -t proc -o nosuid,nodev,noexec /proc /proc || failed=1
                fi
 
                if ! mountpoint /sys &> /dev/null; then
                        boot_mesg -n " /sys" ${NORMAL}
-                       mount -n -t sysfs /sys /sys || failed=1
+                       mount -n -t sysfs -o nosuid,nodev,noexec /sys /sys || failed=1
                fi
 
                if ! mountpoint /run &> /dev/null; then
                        boot_mesg -n " /run" ${NORMAL}
-                       mount -n -t tmpfs -o nosuid,nodev,mode=755,size=8M /run /run || failed=1
+                       mount -n -t tmpfs -o nosuid,nodev,noexec,mode=755,size=8M /run /run || failed=1
                fi
 
                if ! mountpoint /sys/fs/cgroup &> /dev/null; then
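Review bot: The hardened options added on lines 22, 28 and 34 only take effect when this script performs the mount itself; each block is guarded by `if ! mountpoint ... ; then`, so a file system that an earlier boot stage already mounted keeps whatever options it was given, which appears to be the same kind of silent downgrade the commit message describes. An `else` branch that remounts with the intended flags would close that gap, e.g. `mount -n -o remount,nosuid,nodev,noexec /proc || failed=1`, and likewise for /sys and /run. The same observation applies to the `grep -q ... /proc/mounts` guards around the /dev/shm and /dev/pts mounts in src/initscripts/system/udev. The enclosing `case` arm starts before this hunk.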
index 2f6146e5df811559230f1f2501552d08fac8a6af..b46ead196bf615839c6b9ac03281952c3cba4b42 100644 (file)
@@ -50,12 +50,12 @@ case "${1}" in
 
                if ! grep -q '[[:space:]]/dev/shm' /proc/mounts; then
                        mkdir -p /dev/shm
-                       mount -t tmpfs tmpfs /dev/shm
+                       mount -t tmpfs tmpfs -o nosuid,nodev,noexec /dev/shm
                fi
 
                if ! grep -q '[[:space:]]/dev/pts' /proc/mounts; then
                        mkdir -p /dev/pts
-                       mount -t devpts devpts -o gid=5,mode=620 /dev/pts
+                       mount -t devpts devpts -o nosuid,noexec,gid=5,mode=620 /dev/pts
                fi
 
                # Start the udev daemon to continually watch for, and act on,
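Review bot: The /dev/pts mount on line 50 gets `nosuid,noexec` while /dev/shm on line 44 gets `nosuid,nodev,noexec`, and nothing explains the asymmetry; omitting nodev is correct for devpts, whose pty slaves are character device nodes, but a later reader may "harmonise" it and break terminal allocation. A one-line comment above the mount, `# nodev intentionally omitted: devpts must expose pty slaves as character devices`, would make the choice deliberate. Unlike the mountkernfs script, neither new mount line reports failure (no `|| failed=1`), so a rejected option string would pass unnoticed at boot. The enclosing `case` arm starts before this hunk.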
@@ -70,7 +70,6 @@ case "${1}" in
                # Now wait for udevd to process the uevents we triggered
                /bin/udevadm settle
                evaluate_retval
-
                ;;
 
        restart)