From: Peter Müller Date: Wed, 22 Jun 2022 12:23:10 +0000 (+0000) Subject: Explicitly harden mount options of sensitive file systems X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54bd60b67b477e5d5814293a74086dff1c21ac69;p=people%2Fms%2Fipfire-2.x.git Explicitly harden mount options of sensitive file systems These were found to got lost after upgrading to Core Update 169, so we set them explicitly to avoid accidential security downgrades. https://lists.ipfire.org/pipermail/development/2022-June/013714.html Signed-off-by: Peter Müller
---
diff --git a/src/initscripts/system/mountkernfs b/src/initscripts/system/mountkernfs
index d97b745be6..b660083ec4 100644
--- a/src/initscripts/system/mountkernfs
+++ b/src/initscripts/system/mountkernfs
@@ -28,17 +28,17 @@ case "${1}" in
 if ! mountpoint /proc &> /dev/null; then
 boot_mesg -n " /proc" ${NORMAL}
-mount -n -t proc /proc /proc || failed=1
+mount -n -t proc -o nosuid,nodev,noexec /proc /proc || failed=1
 fi
 if ! mountpoint /sys &> /dev/null; then
 boot_mesg -n " /sys" ${NORMAL}
-mount -n -t sysfs /sys /sys || failed=1
+mount -n -t sysfs -o nosuid,nodev,noexec /sys /sys || failed=1
 fi
 if ! mountpoint /run &> /dev/null; then
 boot_mesg -n " /run" ${NORMAL}
-mount -n -t tmpfs -o nosuid,nodev,mode=755,size=8M /run /run || failed=1
+mount -n -t tmpfs -o nosuid,nodev,noexec,mode=755,size=8M /run /run || failed=1
 fi
 if ! mountpoint /sys/fs/cgroup &> /dev/null; then
diff --git a/src/initscripts/system/udev b/src/initscripts/system/udev
index 2f6146e5df..b46ead196b 100644
--- a/src/initscripts/system/udev
+++ b/src/initscripts/system/udev
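Review bot: The hardened options on the three changed `mount` lines only take effect when this script is the one doing the mount; each sits inside `if ! mountpoint … &> /dev/null; then`, so a /proc, /sys or /run that an initramfs or earlier step already mounted keeps whatever options it was given, which is the same silent downgrade the commit message is trying to prevent. An `else` branch that re-applies the flags, e.g. `mount -n -o remount,nosuid,nodev,noexec /proc || failed=1` (and likewise for /sys and /run), would make the hardening hold regardless of who mounted first. `noexec` on /run is new in this commit and will break anything that executes helpers or scripts placed there; I cannot see from the hunk whether anything on the system does, so that is worth a quick check. The enclosing `case "${1}" in` block starts and ends outside the hunk.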
@@ -50,12 +50,12 @@ case "${1}" in
 if ! grep -q '[[:space:]]/dev/shm' /proc/mounts; then
 mkdir -p /dev/shm
-mount -t tmpfs tmpfs /dev/shm
+mount -t tmpfs tmpfs -o nosuid,nodev,noexec /dev/shm
 fi
 if ! grep -q '[[:space:]]/dev/pts' /proc/mounts; then
 mkdir -p /dev/pts
-mount -t devpts devpts -o gid=5,mode=620 /dev/pts
+mount -t devpts devpts -o nosuid,noexec,gid=5,mode=620 /dev/pts
 fi
 # Start the udev daemon to continually watch for, and act on,
@@ -70,7 +70,6 @@ case "${1}" in
 # Now wait for udevd to process the uevents we triggered
 /bin/udevadm settle
 evaluate_retval
-;;
 restart)
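Review bot: As in mountkernfs, the new options on the `/dev/shm` and `/dev/pts` mount lines are applied only when the `grep -q … /proc/mounts` guard finds the path unmounted, so a mount that already exists keeps its old, weaker options and the hardening is not enforced on exactly the path this commit is meant to fix; a remount in the other branch, e.g. `mount -o remount,nosuid,nodev,noexec /dev/shm`, would close that gap. Writing `-o` after the source name (`tmpfs -o nosuid,…`) relies on util-linux mount permuting its options; placing `-o` before the source as the mountkernfs lines do is the more conventional form and reads the same way in both scripts. Neither mount line checks its exit status, unlike the `|| failed=1` pattern in mountkernfs, so a failed hardened mount proceeds silently. The `case "${1}" in` block continues outside the hunk, and the following hunk's deletion of `;;` is unrelated to mount hardening — unless another `;;` survives in the two context lines not shown there, the `start)` arm would be left unterminated, which is worth confirming.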