From 7d4be068da502cd68f252cad73d18faf8e59e2a5 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens
Date: Thu, 14 Nov 2024 21:46:36 +0100
Subject: [PATCH] base-files: Mount debugfs and pstore with nosuid,nodev,noexec
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

These permissions are not needed. Systemd also mounts these file systems without these permissions on other Linux distributions. Dropping these permissions should make the system more secure.

Signed-off-by: Hauke Mehrtens
Link: https://github.com/openwrt/openwrt/pull/16960
Signed-off-by: Christian Marangi
(cherry picked from commit b88d51898d126d2f918cb476d4158e9fcd62492c)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Å tetiar
---
 package/base-files/files/etc/init.d/boot | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
index 332a5c96f3..a26d4886b2 100755
--- a/package/base-files/files/etc/init.d/boot
+++ b/package/base-files/files/etc/init.d/boot
@@ -35,9 +35,9 @@ boot() {
  mkdir -p /tmp/resolv.conf.d
  touch /tmp/resolv.conf.d/resolv.conf.auto
  ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
- grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+ grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
  grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
- grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+ grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
  [ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
  touch /tmp/.config_pending
-- 
2.30.2
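Review bot: The option string `nosuid,nodev,noexec,noatime` is now spelled out verbatim on all three mount lines of this hunk (debugfs, bpf and pstore), so the next hardening tweak has to be kept in sync by hand; hoisting it once, e.g. `local mnt_opts=nosuid,nodev,noexec,noatime` before the debugfs line and `-o $mnt_opts` on the debugfs and pstore mounts (`-o $mnt_opts,mode=0700` for bpf), keeps the three mounts consistent. A short comment above the debugfs line would also record the intent the commit message gives, e.g. `# kernel pseudo-filesystems: no setuid binaries, device nodes or executables are expected here`. Note that none of the three mounts checks mount's exit status, so a hardened mount that fails would leave the path unmounted without a log line; that is pre-existing rather than introduced here, but worth a `|| logger -t boot "..."` while these lines are being touched. boot() begins before and continues after this hunk.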