]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a02287e)
units: restrict hugepages fs a bit
authorLennart Poettering <lennart@poettering.net>
Wed, 26 Apr 2023 14:55:42 +0000 (16:55 +0200)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Thu, 27 Apr 2023 03:28:50 +0000 (12:28 +0900)
suid binaries and device nodes should not be placed there, hence forbid
it.

Of all the API VFS we mount from PID 1 or via a unit file this one is
the only one where we didn't add MS_NODEV/MS_NOSUID. Let's address that,
since there's really no reason why device nodes or suid binaries would
be placed in hugetlbfs.

units/dev-hugepages.mount patch | blob | blame | history

diff --git a/units/dev-hugepages.mount b/units/dev-hugepages.mount
index 1a34da128596848443c6868e6a07a480c043090b..88cd89d56349161cd8b37477944854404098117b 100644 (file)
--- a/units/dev-hugepages.mount
+++ b/units/dev-hugepages.mount
@@ -21,3 +21,4 @@ ConditionVirtualization=!private-users
 What=hugetlbfs
 Where=/dev/hugepages
 Type=hugetlbfs
+Options=nosuid,nodev
Unnamed repository; edit this file 'description' to name the repository.