base-files: Mount debugfs and pstore with nosuid,nodev,noexec
authorHauke Mehrtens <hauke@hauke-m.de>
Thu, 14 Nov 2024 20:46:36 +0000 (21:46 +0100)
committerPetr Štetiar <ynezz@true.cz>
Thu, 28 Nov 2024 18:47:23 +0000 (18:47 +0000)
These permissions are not needed. Systemd also mounts these file systems
without these permissions on other Linux distributions.

Dropping these permissions should make the system more secure.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Link: https://github.com/openwrt/openwrt/pull/16960
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b88d51898d126d2f918cb476d4158e9fcd62492c)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
package/base-files/files/etc/init.d/boot

index 332a5c96f35c95622e8c2191a7d47bc076bb79ca..a26d4886b2873bc09995e50fc8d5931a3f238275 100755 (executable)
@@ -35,9 +35,9 @@ boot() {
        mkdir -p /tmp/resolv.conf.d
        touch /tmp/resolv.conf.d/resolv.conf.auto
        ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
-       grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+       grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
        grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
-       grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+       grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
        [ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
 
        touch /tmp/.config_pending