[openwrt/openwrt] base-files: Mount debugfs and pstore with nosuid,nodev,noexec

LEDE Commits lede-commits at lists.infradead.org
Thu Nov 28 10:57:45 PST 2024


ynezz pushed a commit to openwrt/openwrt.git, branch openwrt-24.10:
https://git.openwrt.org/7d4be068da502cd68f252cad73d18faf8e59e2a5

commit 7d4be068da502cd68f252cad73d18faf8e59e2a5
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Thu Nov 14 21:46:36 2024 +0100

    base-files: Mount debugfs and pstore with nosuid,nodev,noexec
    
    These permissions are not needed. Systemd also mounts these file systems
    without these permissions on other Linux distributions.
    
    Dropping these permissions should make the system more secure.
    
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
    Link: https://github.com/openwrt/openwrt/pull/16960
    Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
    (cherry picked from commit b88d51898d126d2f918cb476d4158e9fcd62492c)
    Link: https://github.com/openwrt/openwrt/pull/17097
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 package/base-files/files/etc/init.d/boot | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
index 332a5c96f3..a26d4886b2 100755
--- a/package/base-files/files/etc/init.d/boot
+++ b/package/base-files/files/etc/init.d/boot
@@ -35,9 +35,9 @@ boot() {
 	mkdir -p /tmp/resolv.conf.d
 	touch /tmp/resolv.conf.d/resolv.conf.auto
 	ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
-	grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+	grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
 	grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
-	grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+	grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
 	[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
 
 	touch /tmp/.config_pending
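Review bot: the new option string on the debugfs and pstore lines (`nosuid,nodev,noexec,noatime`) matches the bpffs mount directly between them except for `mode=0700`; a sentence in the commit message saying whether the mode restriction is intentionally bpf-only would save the next reader from wondering why the three lines differ. Otherwise the change looks safe: both file systems expose kernel-generated nodes rather than executables or setuid binaries, so `noexec`/`nosuid`/`nodev` cannot break their normal use, and the existing `grep -q ... &&` guards mean the behaviour is unchanged on kernels without these file systems.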