dissect-image: mount the ESP with fmask=0177 (#35871)

Avoid showing the files on the ESP (i.e. a FAT formatted volume) as
executable by removing the execute permission from them.

IMO this makes the colored output of `ls` more sensible since the file
system will be mounted with `noexec` anyway.

Add a `fstype_can_fmask_dmask` function that checks if a file system
type can use the `fmask` and `dmask` mount options.

This replaces `fstype_can_umask` since it was only used in
`partition_pick_mount_options` which only cares about the file system
support for fmask & dmask now.

It somewhat reduces the coverage of the feature since there are more file
systems that support umask as opposed to those supporting dmask & dmask,
but it should not be much of an issue since fmask & dmask are supported
by vfat, exfat and ntfs3.

diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c
index e8471d5974656a5264472d6f47c0c92424b5a094..15655cc075d98b1558972c696a1348cd8372c956 100644 (file)
--- a/src/basic/mountpoint-util.c
+++ b/src/basic/mountpoint-util.c
@@ -560,13 +560,13 @@ const char* fstype_norecovery_option(const char *fstype) {
         return mount_option_supported(fstype, "norecovery", NULL) > 0 ? "norecovery" : NULL;
 }
 
-bool fstype_can_umask(const char *fstype) {
+bool fstype_can_fmask_dmask(const char *fstype) {
         assert(fstype);
 
         /* Use a curated list as first check, to avoid calling fsopen() which might load kmods, which might
          * not be allowed in our MAC context. If we don't know ourselves, on new kernels we can just ask the
          * kernel. */
-        return streq(fstype, "vfat") || mount_option_supported(fstype, "umask", "0077") > 0;
+        return streq(fstype, "vfat") || (mount_option_supported(fstype, "fmask", "0177") > 0 && mount_option_supported(fstype, "dmask", "0077") > 0);
 }
 
 bool fstype_can_uid_gid(const char *fstype) {

diff --git a/src/basic/mountpoint-util.h b/src/basic/mountpoint-util.h
index c01f29095273d0d40b2caaac4d11d868b6896b84..f506e01a41761b379062387cd04faa3b068f141c 100644 (file)
--- a/src/basic/mountpoint-util.h
+++ b/src/basic/mountpoint-util.h
@@ -62,7 +62,7 @@ bool fstype_is_blockdev_backed(const char *fstype);
 bool fstype_is_ro(const char *fsype);
 bool fstype_can_discard(const char *fstype);
 bool fstype_can_uid_gid(const char *fstype);
-bool fstype_can_umask(const char *fstype);
+bool fstype_can_fmask_dmask(const char *fstype);
 
 const char* fstype_norecovery_option(const char *fstype);
 

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 937b678db41ef37a841a4b665650be798114af6c..ce1fa3a3d4eda50c35b532cae0c00a739a06bdc0 100644 (file)
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1891,8 +1891,8 @@ int partition_pick_mount_options(
 
                 /* The ESP might contain a pre-boot random seed. Let's make this unaccessible to regular
                  * userspace. ESP/XBOOTLDR is almost certainly VFAT, hence if we don't know assume it is. */
-                if (!fstype || fstype_can_umask(fstype))
-                        if (!strextend_with_separator(&options, ",", "umask=0077"))
+                if (!fstype || fstype_can_fmask_dmask(fstype))
+                        if (!strextend_with_separator(&options, ",", "fmask=0177,dmask=0077"))
                                 return -ENOMEM;
                 break;
 

diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
index 07c0480bce11ff018b4d5f9f91d191fa554f2811..89093d021244461f92b26f9cba00cc2f021eac43 100644 (file)
--- a/src/test/test-mountpoint-util.c
+++ b/src/test/test-mountpoint-util.c
@@ -389,9 +389,9 @@ TEST(fstype_can_norecovery) {
         ASSERT_NULL(fstype_norecovery_option("tmpfs"));
 }
 
-TEST(fstype_can_umask) {
-        assert_se(fstype_can_umask("vfat"));
-        assert_se(!fstype_can_umask("tmpfs"));
+TEST(fstype_can_fmask_dmask) {
+        assert_se(fstype_can_fmask_dmask("vfat"));
+        assert_se(!fstype_can_fmask_dmask("tmpfs"));
 }
 
 TEST(path_get_mnt_id_at_null) {