gpt-auto: harden ESP/XBOOTLDR mounts with "noexec,nosuid,nodev"

When these partitions are probed by gpt-auto,
they will always be hardened with such options.

See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711

Closes #25776

diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 458fd054ef7a4fd34f0d1ae28847d1a21367cfb4..98c0ca08106e9f511921d91e595fb3812f00f195 100644 (file)
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -424,14 +424,14 @@ static int add_automount(
 static const char *esp_or_xbootldr_options(const DissectedPartition *p) {
         assert(p);
 
-        /* if we probed vfat or have no idea about the file system then assume these file systems are vfat
-         * and thus understand "umask=0077". If we detected something else then don't specify any options and
-         * use kernel defaults. */
+        /* Discoveried ESP and XBOOTLDR partition are always hardened with "noexec,nosuid,nodev".
+         * If we probed vfat or have no idea about the file system then assume these file systems are vfat
+         * and thus understand "umask=0077". */
 
         if (!p->fstype || streq(p->fstype, "vfat"))
-                return "umask=0077";
+                return "umask=0077,noexec,nosuid,nodev";
 
-        return NULL;
+        return "noexec,nosuid,nodev";
 }
 
 static int add_partition_xbootldr(DissectedPartition *p) {