diff --git a/src/initscripts/system/mountkernfs b/src/initscripts/system/mountkernfs
index d97b745be..b660083ec 100644
--- a/src/initscripts/system/mountkernfs
+++ b/src/initscripts/system/mountkernfs
@@ -28,17 +28,17 @@ case "${1}" in
 if ! mountpoint /proc &> /dev/null; then
 boot_mesg -n " /proc" ${NORMAL}
- mount -n -t proc /proc /proc || failed=1
+ mount -n -t proc -o nosuid,nodev,noexec /proc /proc || failed=1
 fi
 if ! mountpoint /sys &> /dev/null; then
 boot_mesg -n " /sys" ${NORMAL}
- mount -n -t sysfs /sys /sys || failed=1
+ mount -n -t sysfs -o nosuid,nodev,noexec /sys /sys || failed=1
 fi
 if ! mountpoint /run &> /dev/null; then
 boot_mesg -n " /run" ${NORMAL}
- mount -n -t tmpfs -o nosuid,nodev,mode=755,size=8M /run /run || failed=1
+ mount -n -t tmpfs -o nosuid,nodev,noexec,mode=755,size=8M /run /run || failed=1
 fi
 if ! mountpoint /sys/fs/cgroup &> /dev/null; then
diff --git a/src/initscripts/system/udev b/src/initscripts/system/udev
index 2f6146e5d..b46ead196 100644
--- a/src/initscripts/system/udev
+++ b/src/initscripts/system/udev
@@ -50,12 +50,12 @@ case "${1}" in
 if ! grep -q '[[:space:]]/dev/shm' /proc/mounts; then
 mkdir -p /dev/shm
- mount -t tmpfs tmpfs /dev/shm
+ mount -t tmpfs tmpfs -o nosuid,nodev,noexec /dev/shm
 fi
 if ! grep -q '[[:space:]]/dev/pts' /proc/mounts; then
 mkdir -p /dev/pts
- mount -t devpts devpts -o gid=5,mode=620 /dev/pts
+ mount -t devpts devpts -o nosuid,noexec,gid=5,mode=620 /dev/pts
 fi
 # Start the udev daemon to continually watch for, and act on,
@@ -70,7 +70,6 @@ case "${1}" in
 # Now wait for udevd to process the uevents we triggered
 /bin/udevadm settle
 evaluate_retval
-
 ;;
 restart)
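Review bot: The new `nosuid,nodev,noexec` flags are applied only when this script does the mount itself, because each `mount` sits behind `if ! mountpoint …`; if /proc, /sys or /run is already mounted when the script runs (for instance by an initramfs, which is not visible here), the guard skips the call and the existing mount keeps its old flags. An `else` branch that remounts would close that gap, e.g. `mount -n -o remount,nosuid,nodev,noexec /proc || failed=1`, with the same for /sys and /run. The /dev/shm and /dev/pts guards in src/initscripts/system/udev have the same shape. The enclosing `start)` branch continues past the hunk, so the /sys/fs/cgroup mount that follows was not reviewed.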
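Review bot: Both `mount` calls in this hunk ignore their exit status, whereas mountkernfs records `|| failed=1`, so a mount that fails leaves /dev/shm or /dev/pts as a plain directory under /dev without the intended flags and nothing is reported. Consider surfacing the failure in whatever way this script already reports errors; its error handling lies outside the hunk. A one-line comment above the devpts mount would also help the next reader, e.g. `# nodev is deliberately omitted: /dev/pts holds the pty device nodes`.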