From: Hauke Mehrtens Date: Thu, 14 Nov 2024 20:46:36 +0000 (+0100) Subject: base-files: Mount debugfs and pstore with nosuid,nodev,noexec X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=7d4be068da502cd68f252cad73d18faf8e59e2a5;p=openwrt%2Fstaging%2Fblocktrron.git base-files: Mount debugfs and pstore with nosuid,nodev,noexec These permissions are not needed. Systemd also mounts these file systems without these permissions on other Linux distributions. Dropping these permissions should make the system more secure. Signed-off-by: Hauke Mehrtens Link: https://github.com/openwrt/openwrt/pull/16960 Signed-off-by: Christian Marangi (cherry picked from commit b88d51898d126d2f918cb476d4158e9fcd62492c) Link: https://github.com/openwrt/openwrt/pull/17097 Signed-off-by: Petr Štetiar
---
diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
index 332a5c96f3..a26d4886b2 100755
--- a/package/base-files/files/etc/init.d/boot
+++ b/package/base-files/files/etc/init.d/boot
@@ -35,9 +35,9 @@ boot() {
 mkdir -p /tmp/resolv.conf.d
 touch /tmp/resolv.conf.d/resolv.conf.auto
 ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
- grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+ grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
 grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
- grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+ grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
 [ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
 touch /tmp/.config_pending