procd: mount /dev with noexec
/dev is writable. Allowing execution inside it makes it a possible attack
vector. Kees Cook recently sent a kernel patch [1] in order to mount /dev as
noexec and nosuid for systems which rely on CONFIG_DEVTMPFS_MOUNT=y to
create/populate /dev, which isn't our case (it's procd's responsibility).
Add noexec to the /dev mount flags, since we already use nosuid (and keep the
coldplug flags symmetric, while at it). This carries the risk of breaking very
old, pre-KMS graphics drivers [2], but it shouldn't be a problem for systems
built in the last ~15 years. The vast majority of our targets doesn't have a
GPU, anyway. :)
[1] https://lore.kernel.org/all/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/
[2] https://lore.kernel.org/all/CAPXgP12e5LpN6XVxaXOHhH=u8XXN==2reTaJDCoCk4tP4QduDQ@mail.gmail.com/
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
projects / project / procd.git / commit