author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2020-12-11 12:28:44 +0100
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2020-12-11 12:34:36 +0100
commit c06f45b3d396c6a56a6f8871ba627664a8fd2b27 (patch)
tree 6c3904932267dc3f59306060d1ac9596e7c3781c
parent 5916c54a8dabd25efa0d78deef78fbfab684b8a4 (diff)
download systemd-dev-no-noexec.tar.gz
pid1: stop making /dev noexec (dev-no-noexec)
Quoting Andy Lutomirski:
> The upcoming Linux SGX driver has a device node /dev/sgx. User code opens
> it, does various setup things, mmaps it, and needs to be able to create
> PROT_EXEC mappings. This gets quite awkward if /dev is mounted noexec.

We already didn't use noexec in spawn, and this extends this behaviour to other
systems.

Afaik, the kernel would refuse execve() on a character or block device
anyway. Thus noexec on /dev matters only for actual binaries copied to /dev,
which requires root privileges in the first place.

We don't do noexec on either /tmp or /dev/shm (because that causes immediate
problems with stuff like Java and cffi). And if you have those two at your
disposal anyway, having noexec on /dev doesn't seem important. So the 'noexec'
attribute on /dev doesn't really mean much, since there are multiple other
similar directories which don't require root privileges to write to.

C.f. https://salsa.debian.org/kernel-team/initramfs-tools/-/commit/33c10ef43b03dc6d9ee09a46c598f6ee34ad0b81.
-rw-r--r-- src/core/mount-setup.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 915b1016b8..1e4bbfb1ab 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -66,7 +66,7 @@ static const MountPoint mount_table[] = {
NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK },
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
- { "devtmpfs", "/dev", "devtmpfs", "mode=755" TMPFS_LIMITS_DEV, MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
+ { "devtmpfs", "/dev", "devtmpfs", "mode=755" TMPFS_LIMITS_DEV, MS_NOSUID|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_NONE },
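Review bot: the "/dev" devtmpfs entry now differs from the sysfs and securityfs entries around it, which both keep MS_NOEXEC, and nothing in mount_table records that the omission is deliberate. A short comment above the "/dev" line saying that MS_NOEXEC is left out on purpose so that device nodes can be mapped PROT_EXEC (the /dev/sgx case given in the commit message) would keep a later cleanup from putting the flag back. Because this changes a default mount flag that administrators may check for, a NEWS entry describing the new default would also be worth adding; MS_NOSUID and mode=755 are untouched by this hunk.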