From: Topi Miettinen
Date: Sat, 7 Mar 2020 19:19:09 +0000 (+0200)
Subject: mount-setup: make /dev noexec
X-Git-Tag: v246-rc1~770
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b5b6826aa864f49cce8f5869328ab440541f6ac;p=thirdparty%2Fsystemd.git

mount-setup: make /dev noexec

/dev used to be mounted with "exec" flag due to /dev/MAKEDEV script but that's history and it's now located in /sbin. mmap() with file descriptor to "/dev/zero" (instead of modern mmap(,,,MAP_ANON...)) will still work.
---

diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 5dfcb6158a4..284e3f6b077 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -64,7 +64,7 @@ static const MountPoint mount_table[] = {
 NULL, MNT_FATAL|MNT_IN_CONTAINER },
 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
 NULL, MNT_FATAL|MNT_IN_CONTAINER },
- { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
+ { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
 NULL, MNT_FATAL|MNT_IN_CONTAINER },
 { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
 NULL, MNT_NONE },
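Review bot: The `devtmpfs` entry gains `MS_NOEXEC` without any comment on its compatibility cost. On a noexec mount, `mmap()` with `PROT_EXEC` is refused with EPERM (see mmap(2)) for every file under `/dev`, so the commit message's assurance about `/dev/zero` holds only for non-executable mappings. Any driver interface that expects executable mappings of its device node would presumably start failing at runtime, which is worth confirming before relying on this hardening. I would add a comment above the entry such as `/* noexec: PROT_EXEC mappings of nodes under /dev fail with EPERM; MS_NODEV stays off because this mount holds the device nodes */`. `mount_table[]` begins and ends outside the hunk, so the remaining entries were not reviewed.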