diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index f475c4488..469884b20 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1810,6 +1810,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 6b33541c8..dc0aee51b 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -1817,6 +1817,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index f1364d143..0801f4389 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -1417,6 +1417,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 27ae709b1..06d98e325 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1822,6 +1822,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
@@ -7298,6 +7299,7 @@ CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines
+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
diff --git a/lfs/linux b/lfs/linux
index 50048a02f..384ed9d89 100644
--- a/lfs/linux
+++ b/lfs/linux
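Review bot: CONFIG_DEVTMPFS_SAFE=y, added to all four configs, is a symbol that exists only because the backported devtmpfs patch in src/patches/linux defines it, so the noexec/nosuid hardening depends on that patch step staying in lfs/linux; if the step is ever dropped or the kernel is bumped to a tree where the patch no longer applies cleanly, kconfig silently discards an unknown symbol during oldconfig instead of failing. A guard after the configure step in lfs/linux would keep that dependency visible, e.g. `grep -q '^CONFIG_DEVTMPFS_SAFE=y$' <path-to-generated-.config> || exit 1` (the .config path is a placeholder; use wherever lfs/linux writes it). CONFIG_LIB_MEMNEQ=y appears only in the x86_64 hunk and looks like an unrelated olddefconfig refresh; the other three configs presumably get it by selection, but it would be clearer in its own commit or mentioned in the description.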
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
+ # https://bugzilla.ipfire.org/show_bug.cgi?id=12889
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 # Apply Arm-multiarch kernel patches.
 cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
diff --git a/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
new file mode 100644
index 000000000..222b7b6ea
--- /dev/null
+++ b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
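Review bot: The nosuid,noexec flags introduced by the added patch step apply to the kernel's own devtmpfs mount at boot, but nothing in this change shows what the init scripts do to /dev afterwards; if any script or udev remounts /dev (or mounts a fresh devtmpfs/tmpfs over it) without those flags, the hardening is undone right after the kernel hands over. Worth verifying on a built image with `findmnt -o TARGET,OPTIONS /dev` and, if a remount exists, adding `nosuid,noexec` to its options. The new comment only points at the bug tracker; stating the effect inline helps the next reader, e.g. `# Mount devtmpfs with nosuid,noexec (CONFIG_DEVTMPFS_SAFE), see https://bugzilla.ipfire.org/show_bug.cgi?id=12889`. The enclosing $(TARGET) recipe continues outside the hunk.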
@@ -0,0 +1,93 @@ +From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 22 Dec 2021 17:50:20 +0500 +Subject: devtmpfs: mount with noexec and nosuid + +devtmpfs is writable. Add the noexec and nosuid as default mount flags +to prevent code execution from /dev. The systems who don't use systemd +and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by +this patch. Other systems are fine with the udev solution. + +No sane program should be relying on executing from /dev. So this patch +reduces the attack surface. It doesn't prevent any specific attack, but +it reduces the possibility that someone can use /dev as a place to put +executable code. Chrome OS has been carrying this patch for several +years. It seems trivial and simple solution to improve the protection of +/dev when CONFIG_DEVTMPFS_MOUNT=y. + +Original patch: +https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/ + +Cc: ellyjones@chromium.org +Cc: Kay Sievers +Cc: Roland Eggner +Co-developed-by: Muhammad Usama Anjum +Signed-off-by: Kees Cook +Signed-off-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/Kconfig | 11 +++++++++++ + drivers/base/devtmpfs.c | 10 ++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig +index ffcbe2bc460eb..6f04b831a5c04 100644 +--- a/drivers/base/Kconfig ++++ b/drivers/base/Kconfig +@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT + rescue mode with init=/bin/sh, even when the /dev directory + on the rootfs is completely empty. + ++config DEVTMPFS_SAFE ++ bool "Use nosuid,noexec mount options on devtmpfs" ++ depends on DEVTMPFS ++ help ++ This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount ++ flags when mounting devtmpfs. ++ ++ Notice: If enabled, things like /dev/mem cannot be mmapped ++ with the PROT_EXEC flag. 
This can break, for example, non-KMS ++ video drivers. ++ + config STANDALONE + bool "Select only drivers that don't need compile-time external firmware" + default y +diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c +index 8be352ab4ddbf..1e2c2d3882e2c 100644 +--- a/drivers/base/devtmpfs.c ++++ b/drivers/base/devtmpfs.c +@@ -29,6 +29,12 @@ + #include + #include "base.h" + ++#ifdef CONFIG_DEVTMPFS_SAFE ++#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID) ++#else ++#define DEVTMPFS_MFLAGS (MS_SILENT) ++#endif ++ + static struct task_struct *thread; + + static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT); +@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void) + if (!thread) + return 0; + +- err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL); ++ err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL); + if (err) + printk(KERN_INFO "devtmpfs: error mounting %i\n", err); + else +@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p) + err = ksys_unshare(CLONE_NEWNS); + if (err) + goto out; +- err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL); ++ err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); + if (err) + goto out; + init_chdir("/.."); /* will traverse into overmounted root */ +-- +cgit +