[openwrt/openwrt] base-files: Mount debugfs and pstore with nosuid,nodev,noexec
LEDE Commits
lede-commits at lists.infradead.org
Sat Nov 16 05:23:22 PST 2024
ansuel pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/b88d51898d126d2f918cb476d4158e9fcd62492c
commit b88d51898d126d2f918cb476d4158e9fcd62492c
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Thu Nov 14 21:46:36 2024 +0100
base-files: Mount debugfs and pstore with nosuid,nodev,noexec
These permissions are not needed. Systemd also mounts these file systems
without these permissions on other Linux distributions.
Dropping these permissions should make the system more secure.
Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
Link: https://github.com/openwrt/openwrt/pull/16960
Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
---
package/base-files/files/etc/init.d/boot | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
index 332a5c96f3..a26d4886b2 100755
--- a/package/base-files/files/etc/init.d/boot
+++ b/package/base-files/files/etc/init.d/boot
@@ -35,9 +35,9 @@ boot() {
mkdir -p /tmp/resolv.conf.d
touch /tmp/resolv.conf.d/resolv.conf.auto
ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
- grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+ grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
- grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+ grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
touch /tmp/.config_pending
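Review bot: the new option lists for debugfs and pstore now match the bpffs mount on the line between them except for mode=0700; if leaving the default directory permissions of /sys/kernel/debug and /sys/fs/pstore was deliberate, it would help to state that in the commit message (or to align the flags fully), since a reader of this hunk will otherwise wonder why only bpffs restricts the mount point. Minor wording point for the log: nosuid,nodev,noexec are mount options rather than permissions, so "Mount debugfs and pstore with nosuid,nodev,noexec" describes the change more precisely than "dropping these permissions".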