linux: Amend upstream patch to harden mount points of /dev

This patch, which has been merged into the mainline Linux kernel, but not yet backported to the 5.15.x tree, precisely addresses our situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT. The only explanation I have for bug #12889 arising _now_ is that some component (dracut, maybe) changed its behaviour regarding remounting of already mounted special file systems. As current dracut won't (re)mount any file system already found to be mounted, this means that the mount options decided by the kernel remained untouched for /dev, hence being weak in terms of options hardening possible. As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes to kernel configurations have been simulated. Fixes: #12889 Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2026-04-17 06:23:00 +02:00 · 2022-06-25 22:20:48 +00:00
parent 617bb64f63
commit 0664b1720d
6 changed files with 101 additions and 0 deletions
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1810,6 +1810,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -1817,6 +1817,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -1417,6 +1417,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1822,6 +1822,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

@@ -7298,6 +7299,7 @@ CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines

+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch

+	# https://bugzilla.ipfire.org/show_bug.cgi?id=12889
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
--- a/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+++ b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
@@ -0,0 +1,93 @@
+From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 22 Dec 2021 17:50:20 +0500
+Subject: devtmpfs: mount with noexec and nosuid
+
+devtmpfs is writable. Add the noexec and nosuid as default mount flags
+to prevent code execution from /dev. The systems who don't use systemd
+and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
+this patch. Other systems are fine with the udev solution.
+
+No sane program should be relying on executing from /dev. So this patch
+reduces the attack surface. It doesn't prevent any specific attack, but
+it reduces the possibility that someone can use /dev as a place to put
+executable code. Chrome OS has been carrying this patch for several
+years. It seems trivial and simple solution to improve the protection of
+/dev when CONFIG_DEVTMPFS_MOUNT=y.
+
+Original patch:
+https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/
+
+Cc: ellyjones@chromium.org
+Cc: Kay Sievers <kay@vrfy.org>
+Cc: Roland Eggner <edvx1@systemanalysen.net>
+Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/Kconfig    | 11 +++++++++++
+ drivers/base/devtmpfs.c | 10 ++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
+index ffcbe2bc460eb..6f04b831a5c04 100644
+--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
+@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
+ 	  rescue mode with init=/bin/sh, even when the /dev directory
+ 	  on the rootfs is completely empty.
+ 
+config DEVTMPFS_SAFE
+	bool "Use nosuid,noexec mount options on devtmpfs"
+	depends on DEVTMPFS
+	help
+	  This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
+	  flags when mounting devtmpfs.
+
+	  Notice: If enabled, things like /dev/mem cannot be mmapped
+	  with the PROT_EXEC flag. This can break, for example, non-KMS
+	  video drivers.
+
+ config STANDALONE
+ 	bool "Select only drivers that don't need compile-time external firmware"
+ 	default y
+diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
+index 8be352ab4ddbf..1e2c2d3882e2c 100644
+--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
+@@ -29,6 +29,12 @@
+ #include <uapi/linux/mount.h>
+ #include "base.h"
+ 
+#ifdef CONFIG_DEVTMPFS_SAFE
+#define DEVTMPFS_MFLAGS       (MS_SILENT | MS_NOEXEC | MS_NOSUID)
+#else
+#define DEVTMPFS_MFLAGS       (MS_SILENT)
+#endif
+
+ static struct task_struct *thread;
+ 
+ static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
+@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
+ 	if (!thread)
+ 		return 0;
+ 
+-	err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
+	err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ 	if (err)
+ 		printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
+ 	else
+@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
+ 	err = ksys_unshare(CLONE_NEWNS);
+ 	if (err)
+ 		goto out;
+-	err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
+	err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ 	if (err)
+ 		goto out;
+ 	init_chdir("/.."); /* will traverse into overmounted root */
+-- 
+cgit 
+