From: tomty89 Date: Tue, 23 May 2017 07:41:36 +0000 (+0800) Subject: nspawn: add nosuid and nodev to /tmp mount (#6004) X-Git-Tag: v234~173 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e8a94ce83ebc5e5fa0dd312d8340d589506528f9;p=thirdparty%2Fsystemd.git nspawn: add nosuid and nodev to /tmp mount (#6004) When automatic /tmp mount was introduced to nspawn in v219, it was done without having the nosuid and nodev mount options, which was the same case as systemd's default tmp.mount unit back then. nosuid and nodev was added to tmp.mount(.m4) in v231 for security reasons. matching the nspawn /tmp mount entry against that. Ref.: https://github.com/systemd/systemd/commit/2f9df7c96a25adb42093ee3ee201577f3e01da42 https://github.com/systemd/systemd/commit/bbb99c30d01a8bcdc27fb151cc6376a7877a6b07 --- diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index d2769941207..ac7290732e5 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -552,7 +552,7 @@ int mount_all(const char *dest, { NULL, "/proc/sysrq-trigger", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* ... then, make it r/o */ /* outer child mounts */ - { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, MOUNT_FATAL }, + { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, MOUNT_FATAL }, { "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS }, { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO }, /* skipped if above was mounted */ { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, MOUNT_FATAL }, /* skipped if above was mounted */