diff options
| author | Kees Cook <[email protected]> | 2021-12-22 17:50:20 +0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <[email protected]> | 2021-12-30 13:54:42 +0100 |
| commit | 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 (patch) | |
| tree | bedbed9cd81bfd3985845a7d57ae0ea6bc22ea2f /scripts/gdb/linux/genpd.py | |
| parent | 67aa58e8d4b07b436971326af6319258e0926f33 (diff) | |
devtmpfs: mount with noexec and nosuid
devtmpfs is writable. Add the noexec and nosuid as default mount flags
to prevent code execution from /dev. The systems who don't use systemd
and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
this patch. Other systems are fine with the udev solution.
No sane program should be relying on executing from /dev. So this patch
reduces the attack surface. It doesn't prevent any specific attack, but
it reduces the possibility that someone can use /dev as a place to put
executable code. Chrome OS has been carrying this patch for several
years. It seems trivial and simple solution to improve the protection of
/dev when CONFIG_DEVTMPFS_MOUNT=y.
Original patch:
https://lore.kernel.org/lkml/[email protected]/
Cc: [email protected]
Cc: Kay Sievers <[email protected]>
Cc: Roland Eggner <[email protected]>
Co-developed-by: Muhammad Usama Anjum <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Muhammad Usama Anjum <[email protected]>
Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Diffstat (limited to 'scripts/gdb/linux/genpd.py')
0 files changed, 0 insertions, 0 deletions