]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 60a3e98)
units: set nodev,nosuid,noexec flags for various secondary API VFS
authorLennart Poettering <lennart@poettering.net>
Mon, 25 Mar 2019 18:39:00 +0000 (19:39 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 25 Mar 2019 18:39:00 +0000 (19:39 +0100)
A couple of API VFS we mount via .mount units. Let's set the three flags
for those too, just in case.

This is just paranoia, nothing else, but shouldn't hurt.

units/dev-mqueue.mount patch | blob | blame | history
units/proc-sys-fs-binfmt_misc.mount patch | blob | blame | history
units/sys-fs-fuse-connections.mount patch | blob | blame | history
units/sys-kernel-config.mount patch | blob | blame | history
units/sys-kernel-debug.mount patch | blob | blame | history

diff --git a/units/dev-mqueue.mount b/units/dev-mqueue.mount
index be32433d6c8279e72052233a7d00ef2e57e797b3..0114ad31f0f6f2b8d087faf46da56a96c625b8ca 100644 (file)
--- a/units/dev-mqueue.mount
+++ b/units/dev-mqueue.mount
@@ -20,3 +20,4 @@ ConditionCapability=CAP_SYS_ADMIN
 What=mqueue
 Where=/dev/mqueue
 Type=mqueue
+Options=nosuid,nodev,noexec
diff --git a/units/proc-sys-fs-binfmt_misc.mount b/units/proc-sys-fs-binfmt_misc.mount
index 091191e1398e8bc58bb29c6029b84c265faaab0d..66229ec78ec38a9f8a0026fe47dd9a35061dd291 100644 (file)
--- a/units/proc-sys-fs-binfmt_misc.mount
+++ b/units/proc-sys-fs-binfmt_misc.mount
@@ -17,3 +17,4 @@ DefaultDependencies=no
 What=binfmt_misc
 Where=/proc/sys/fs/binfmt_misc
 Type=binfmt_misc
+Options=nosuid,nodev,noexec
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount
index 7e7b05c3a2e978dbc7902db72f252e56d06d2fd5..7bbc342be8efe2338dd44a900e24d75d6b20ecf9 100644 (file)
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@@ -22,3 +22,4 @@ Before=sysinit.target
 What=fusectl
 Where=/sys/fs/fuse/connections
 Type=fusectl
+Options=nosuid,nodev,noexec
diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index e213ca58b3facd411f3668a77251f641ec415e6f..e6997884dc91b2507ad3edaa74705584ec580877 100644 (file)
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -21,3 +21,4 @@ Before=sysinit.target
 What=configfs
 Where=/sys/kernel/config
 Type=configfs
+Options=nosuid,nodev,noexec
diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 53ce820b87b7d919b7dc53fe0025c2c39c487a9f..618270ddae8ab75200d402b4ed9c25f481815517 100644 (file)
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -20,3 +20,4 @@ Before=sysinit.target
 What=debugfs
 Where=/sys/kernel/debug
 Type=debugfs
+Options=nosuid,nodev,noexec
Unnamed repository; edit this file 'description' to name the repository.