base-files: Mount debugfs and pstore with nosuid,nodev,noexec

These permissions are not needed. Systemd also mounts these file systems
without these permissions on other Linux distributions.

Dropping these permissions should make the system more secure.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Link: https://github.com/openwrt/openwrt/pull/16960
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
index 332a5c96f35c95622e8c2191a7d47bc076bb79ca..a26d4886b2873bc09995e50fc8d5931a3f238275 100755 (executable)
--- a/package/base-files/files/etc/init.d/boot
+++ b/package/base-files/files/etc/init.d/boot
@@ -35,9 +35,9 @@ boot() {
        mkdir -p /tmp/resolv.conf.d
        touch /tmp/resolv.conf.d/resolv.conf.auto
        ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
-       grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+       grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
        grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
-       grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+       grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
        [ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
 
        touch /tmp/.config_pending