Explicitly harden mount options of sensitive file systems

These were found to got lost after upgrading to Core Update 169, so we set them explicitly to avoid accidential security downgrades. https://lists.ipfire.org/pipermail/development/2022-June/013714.html Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2022-06-22 12:23:10 +00:00
parent 29cf82e6fc
commit 54bd60b67b
2 changed files with 5 additions and 6 deletions
--- a/src/initscripts/system/mountkernfs
+++ b/src/initscripts/system/mountkernfs
@@ -28,17 +28,17 @@ case "${1}" in

 		if ! mountpoint /proc &> /dev/null; then
 			boot_mesg -n " /proc" ${NORMAL}
-			mount -n -t proc /proc /proc || failed=1
+			mount -n -t proc -o nosuid,nodev,noexec /proc /proc || failed=1
 		fi

 		if ! mountpoint /sys &> /dev/null; then
 			boot_mesg -n " /sys" ${NORMAL}
-			mount -n -t sysfs /sys /sys || failed=1
+			mount -n -t sysfs -o nosuid,nodev,noexec /sys /sys || failed=1
 		fi

 		if ! mountpoint /run &> /dev/null; then
 			boot_mesg -n " /run" ${NORMAL}
-			mount -n -t tmpfs -o nosuid,nodev,mode=755,size=8M /run /run || failed=1
+			mount -n -t tmpfs -o nosuid,nodev,noexec,mode=755,size=8M /run /run || failed=1
 		fi

 		if ! mountpoint /sys/fs/cgroup &> /dev/null; then
--- a/src/initscripts/system/udev
+++ b/src/initscripts/system/udev
@@ -50,12 +50,12 @@ case "${1}" in

 		if ! grep -q '[[:space:]]/dev/shm' /proc/mounts; then
 			mkdir -p /dev/shm
-			mount -t tmpfs tmpfs /dev/shm
+			mount -t tmpfs tmpfs -o nosuid,nodev,noexec /dev/shm
 		fi

 		if ! grep -q '[[:space:]]/dev/pts' /proc/mounts; then
 			mkdir -p /dev/pts
-			mount -t devpts devpts -o gid=5,mode=620 /dev/pts
+			mount -t devpts devpts -o nosuid,noexec,gid=5,mode=620 /dev/pts
 		fi

 		# Start the udev daemon to continually watch for, and act on,
@@ -70,7 +70,6 @@ case "${1}" in
 		# Now wait for udevd to process the uevents we triggered
 		/bin/udevadm settle
 		evaluate_retval
-
 		;;

 	restart)