From: Lennart Poettering
Date: Mon, 25 Mar 2019 18:39:00 +0000 (+0100)
Subject: units: set nodev,nosuid,noexec flags for various secondary API VFS
X-Git-Tag: v242-rc1~64^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5cb02182fd875884ce27636e3c694705a525de94;p=thirdparty%2Fsystemd.git

units: set nodev,nosuid,noexec flags for various secondary API VFS

A couple of API VFS we mount via .mount units. Let's set the three flags for those too, just in case.

This is just paranoia, nothing else, but shouldn't hurt.
---
diff --git a/units/dev-mqueue.mount b/units/dev-mqueue.mount
index be32433d6c8..0114ad31f0f 100644
--- a/units/dev-mqueue.mount
+++ b/units/dev-mqueue.mount
@@ -20,3 +20,4 @@ ConditionCapability=CAP_SYS_ADMIN
 What=mqueue
 Where=/dev/mqueue
 Type=mqueue
+Options=nosuid,nodev,noexec
diff --git a/units/proc-sys-fs-binfmt_misc.mount b/units/proc-sys-fs-binfmt_misc.mount
index 091191e1398..66229ec78ec 100644
--- a/units/proc-sys-fs-binfmt_misc.mount
+++ b/units/proc-sys-fs-binfmt_misc.mount
@@ -17,3 +17,4 @@ DefaultDependencies=no
 What=binfmt_misc
 Where=/proc/sys/fs/binfmt_misc
 Type=binfmt_misc
+Options=nosuid,nodev,noexec
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount
index 7e7b05c3a2e..7bbc342be8e 100644
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@@ -22,3 +22,4 @@ Before=sysinit.target
 What=fusectl
 Where=/sys/fs/fuse/connections
 Type=fusectl
+Options=nosuid,nodev,noexec
diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index e213ca58b3f..e6997884dc9 100644
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -21,3 +21,4 @@ Before=sysinit.target
 What=configfs
 Where=/sys/kernel/config
 Type=configfs
+Options=nosuid,nodev,noexec
diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 53ce820b87b..618270ddae8 100644
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -20,3 +20,4 @@ Before=sysinit.target
 What=debugfs
 Where=/sys/kernel/debug
 Type=debugfs
+Options=nosuid,nodev,noexec
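Review bot: Each of the five new `Options=nosuid,nodev,noexec` lines (dev-mqueue, proc-sys-fs-binfmt_misc, sys-fs-fuse-connections, sys-kernel-config and sys-kernel-debug) lands in the unit without a comment saying why, and the commit message only calls it paranoia; I'd put above each one `# Nothing in this filesystem should be executable, setuid or a device node,` followed by `# so mount it with the same hardening flags as the other API VFS.` so the next reader does not drop the line as noise. One caveat worth checking rather than assuming: if one of these paths is already mounted when the unit is started (for example from the initrd), I believe systemd adopts the existing mount and never applies these flags, so the effect should be confirmed on a booted system with something like `findmnt -o TARGET,OPTIONS /dev/mqueue /sys/kernel/debug`. Also, as far as I can tell `Options=` is a single-value setting, so a drop-in that sets it replaces this list instead of extending it, and an override that needs one extra flag has to restate all three.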