From 54bd60b67b477e5d5814293a74086dff1c21ac69 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Wed, 22 Jun 2022 12:23:10 +0000
Subject: [PATCH] Explicitly harden mount options of sensitive file systems
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

These were found to got lost after upgrading to Core Update 169, so we set them explicitly to avoid accidential security downgrades.
https://lists.ipfire.org/pipermail/development/2022-June/013714.html
Signed-off-by: Peter Müller
---
 src/initscripts/system/mountkernfs | 6 +++---
 src/initscripts/system/udev | 5 ++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/initscripts/system/mountkernfs b/src/initscripts/system/mountkernfs
index d97b745be6..b660083ec4 100644
--- a/src/initscripts/system/mountkernfs
+++ b/src/initscripts/system/mountkernfs
@@ -28,17 +28,17 @@ case "${1}" in
 if ! mountpoint /proc &> /dev/null; then
 boot_mesg -n " /proc" ${NORMAL}
- mount -n -t proc /proc /proc || failed=1
+ mount -n -t proc -o nosuid,nodev,noexec /proc /proc || failed=1
 fi
 if ! mountpoint /sys &> /dev/null; then
 boot_mesg -n " /sys" ${NORMAL}
- mount -n -t sysfs /sys /sys || failed=1
+ mount -n -t sysfs -o nosuid,nodev,noexec /sys /sys || failed=1
 fi
 if ! mountpoint /run &> /dev/null; then
 boot_mesg -n " /run" ${NORMAL}
- mount -n -t tmpfs -o nosuid,nodev,mode=755,size=8M /run /run || failed=1
+ mount -n -t tmpfs -o nosuid,nodev,noexec,mode=755,size=8M /run /run || failed=1
 fi
 if ! mountpoint /sys/fs/cgroup &> /dev/null; then
diff --git a/src/initscripts/system/udev b/src/initscripts/system/udev
index 2f6146e5df..b46ead196b 100644
--- a/src/initscripts/system/udev
+++ b/src/initscripts/system/udev
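Review bot: The hardened options are only applied on the branch where this script performs the mount itself; when `mountpoint /proc` (likewise /sys and /run) already succeeds — for example if an earlier boot stage mounted it without these flags — the guard skips the `mount` and the weaker options are kept silently, which is the same class of downgrade the commit message describes. Consider remounting in that case, e.g. an `else` branch with `mount -o remount,nosuid,nodev,noexec /proc`, or at least a comment above the first `if` stating that this script is expected to be the first to mount these filesystems. The same guard-only behaviour applies to the `grep -q ... /proc/mounts` checks around `/dev/shm` and `/dev/pts` in the udev hunk. The option string is also spelled out three times here; a `readonly` variable such as `hardened_opts="nosuid,nodev,noexec"` used in each `-o` would keep the three from drifting apart again. The enclosing `case "${1}" in` arm begins before and ends after this hunk.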
@@ -50,12 +50,12 @@ case "${1}" in
 if ! grep -q '[[:space:]]/dev/shm' /proc/mounts; then
 mkdir -p /dev/shm
- mount -t tmpfs tmpfs /dev/shm
+ mount -t tmpfs tmpfs -o nosuid,nodev,noexec /dev/shm
 fi
 if ! grep -q '[[:space:]]/dev/pts' /proc/mounts; then
 mkdir -p /dev/pts
- mount -t devpts devpts -o gid=5,mode=620 /dev/pts
+ mount -t devpts devpts -o nosuid,noexec,gid=5,mode=620 /dev/pts
 fi
 # Start the udev daemon to continually watch for, and act on,
@@ -70,7 +70,6 @@ case "${1}" in
 # Now wait for udevd to process the uevents we triggered
 /bin/udevadm settle
 evaluate_retval
- ;;
 restart)
-- 
2.39.5
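Review bot: The new `/dev/shm` line places `-o nosuid,nodev,noexec` after the source argument (`mount -t tmpfs tmpfs -o ... /dev/shm`); mount(8) tolerates this through option permutation, but the mountkernfs hunk in the same commit uses the `-t TYPE -o OPTS SRC DST` order, so `mount -t tmpfs -o nosuid,nodev,noexec tmpfs /dev/shm` would keep both scripts readable the same way (the pre-existing devpts line has the same quirk). A short comment above the `/dev/shm` block, such as `# Hardened mount options; see the lists.ipfire.org thread referenced in the commit`, would explain the flags to the next reader, since nothing in the script says why they matter. Separately, the later `@@ -70,7 +70,6 @@` hunk in this file deletes a `;;` and nothing but `restart)` is visible after it in this excerpt; unless a second `;;` survives in context not shown here, the surrounding case arm is left unterminated and bash will reject the script, so this is worth verifying on the patched file. The enclosing `case "${1}" in` arm begins before this hunk.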