From: Lennart Poettering Date: Wed, 26 Apr 2023 14:55:42 +0000 (+0200) Subject: units: restrict hugepages fs a bit X-Git-Tag: v254-rc1~613 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e76b3d4ed2d716446f3670d40cfdcbb145cb52d7;p=thirdparty%2Fsystemd.git units: restrict hugepages fs a bit suid binaries and device nodes should not be placed there, hence forbid it. Of all the API VFS we mount from PID 1 or via a unit file this one is the only one where we didn't add MS_NODEV/MS_NOSUID. Let's address that, since there's really no reason why device nodes or suid binaries would be placed in hugetlbfs. --- diff --git a/units/dev-hugepages.mount b/units/dev-hugepages.mount index 1a34da12859..88cd89d5634 100644 --- a/units/dev-hugepages.mount +++ b/units/dev-hugepages.mount @@ -21,3 +21,4 @@ ConditionVirtualization=!private-users What=hugetlbfs Where=/dev/hugepages Type=hugetlbfs +Options=nosuid,nodev
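Review bot: The added `Options=nosuid,nodev` line at the end of the hunk in units/dev-hugepages.mount has no accompanying comment or release note, so the reason for the flags lives only in the commit message. Since this changes the mount flags of /dev/hugepages for every system that uses the shipped unit, a NEWS entry would help administrators who carry a local override for this unit: if their drop-in assigns its own `Options=` and that assignment replaces this value rather than extending it, they would need to repeat `nosuid,nodev` there to keep the restriction. It would also be worth stating in the commit message whether `noexec` was considered and left out on purpose, because the message argues from parity with the other API VFS mounts but only names MS_NODEV and MS_NOSUID.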