units: restrict hugepages fs a bit

suid binaries and device nodes should not be placed there, hence forbid it. Of all the API VFS we mount from PID 1 or via a unit file this one is the only one where we didn't add MS_NODEV/MS_NOSUID. Let's address that, since there's really no reason why device nodes or suid binaries would be placed in hugetlbfs.
author: Lennart Poettering <lennart@poettering.net> 2023-04-26 16:55:42 +0200
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2023-04-27 12:28:50 +0900
commit: e76b3d4ed2d716446f3670d40cfdcbb145cb52d7 (patch)
tree: bee560456d5bf99f443cd52d872b1b0bbaf7dac0 /units
parent: a02287eab3e883d7d2d8961e9651f5fef9a9eeac (diff)
download: systemd-e76b3d4ed2d716446f3670d40cfdcbb145cb52d7.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/units/dev-hugepages.mount b/units/dev-hugepages.mount
index 1a34da1285..88cd89d563 100644
--- a/units/dev-hugepages.mount
+++ b/units/dev-hugepages.mount
@@ -21,3 +21,4 @@ ConditionVirtualization=!private-users
 What=hugetlbfs
 Where=/dev/hugepages
 Type=hugetlbfs
+Options=nosuid,nodev
author	Lennart Poettering <lennart@poettering.net>	2023-04-26 16:55:42 +0200
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2023-04-27 12:28:50 +0900
commit	e76b3d4ed2d716446f3670d40cfdcbb145cb52d7 (patch)
tree	bee560456d5bf99f443cd52d872b1b0bbaf7dac0 /units
parent	a02287eab3e883d7d2d8961e9651f5fef9a9eeac (diff)
download	systemd-e76b3d4ed2d716446f3670d40cfdcbb145cb52d7.tar.gz