From a7713a477990ff067e5bd92706aa707137c3a965 Mon Sep 17 00:00:00 2001
From: Jens Maus
Date: Sun, 6 Oct 2024 13:44:53 +0200
Subject: [PATCH] add noexec,nosuid,nodev mount options to certain tmpfs mounts to ensure they are more safe to being misused. Also changed inittab to not directly mount but respect fstab settings/options.

---
 .../overlay/base-raspmatic/etc/inittab | 6 ++--
 .../overlay/base-raspmatic_lxc/etc/fstab | 8 +++---
 .../overlay/base-raspmatic_lxc/etc/inittab | 2 +-
 .../overlay/base-raspmatic_oci/etc/fstab | 8 +++---
 .../overlay/base-raspmatic_oci/etc/inittab | 2 +-
 buildroot-external/overlay/base/etc/fstab | 24 ++++++++--------
 buildroot-external/overlay/base/etc/inittab | 6 ++--
 .../external/overlay/base/etc/fstab | 28 +++++++++----------
 .../external/overlay/base/etc/inittab | 4 +--
 9 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/buildroot-external/overlay/base-raspmatic/etc/inittab b/buildroot-external/overlay/base-raspmatic/etc/inittab
index 3a9ba02e82..8f644c1d2b 100644
--- a/buildroot-external/overlay/base-raspmatic/etc/inittab
+++ b/buildroot-external/overlay/base-raspmatic/etc/inittab
@@ -14,9 +14,9 @@
 # process == program to run
 # Init the system
-tty2::sysinit:/bin/mount -t proc proc /proc
-tty2::sysinit:/bin/mount -t sysfs sysfs /sys
-tty2::sysinit:/bin/mount -t tmpfs tmpfs /tmp
+tty2::sysinit:/bin/mount /proc
+tty2::sysinit:/bin/mount /sys
+tty2::sysinit:/bin/mount /tmp
 tty2::sysinit:/bin/mkdir -p /dev/pts /dev/shm
 # run any rc scripts (start) and move boot.log
diff --git a/buildroot-external/overlay/base-raspmatic_lxc/etc/fstab b/buildroot-external/overlay/base-raspmatic_lxc/etc/fstab
index 1701fa9e41..a4c66a7716 100644
--- a/buildroot-external/overlay/base-raspmatic_lxc/etc/fstab
+++ b/buildroot-external/overlay/base-raspmatic_lxc/etc/fstab
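Review bot: The new `mount /proc`, `mount /sys` and `mount /tmp` lines depend on matching entries in /etc/fstab, but the base-raspmatic overlay has no fstab in this diff, so it presumably inherits buildroot-external/overlay/base/etc/fstab through overlay layering — worth confirming, because a missing entry now makes `mount` fail at sysinit with no fallback to the old explicit `-t` form. The same coupling is introduced by the base-raspmatic_lxc, base-raspmatic_oci, base and recovery-system inittab hunks. /dev/shm is still only created with mkdir here; whether it ends up as a tmpfs with the new options depends on a later `mount -a` that is outside this hunk. A one-line comment above the mount lines, `# mount type and options (nosuid,nodev,noexec) come from /etc/fstab`, would document where the hardening actually lives.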
@@ -1,6 +1,6 @@
 # /etc/fstab: static file system information.
 #
-#
-tmpfs /tmp tmpfs mode=1777 0 0
-tmpfs /var tmpfs defaults,noatime,size=50% 0 0
-tmpfs /media tmpfs defaults,noatime 0 0
+#
+tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
+tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
+tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
diff --git a/buildroot-external/overlay/base-raspmatic_lxc/etc/inittab b/buildroot-external/overlay/base-raspmatic_lxc/etc/inittab
index 93187a981f..0cee3a4f94 100644
--- a/buildroot-external/overlay/base-raspmatic_lxc/etc/inittab
+++ b/buildroot-external/overlay/base-raspmatic_lxc/etc/inittab
@@ -14,7 +14,7 @@
 # process == program to run
 # Init the system
-tty1::sysinit:/bin/mount -t tmpfs tmpfs /tmp
+tty1::sysinit:/bin/mount /tmp
 # run any rc scripts (start) and move boot.log
 tty1::sysinit:/etc/init.d/rcS 2>&1 | /usr/bin/tee -a /tmp/boot.log
diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/fstab b/buildroot-external/overlay/base-raspmatic_oci/etc/fstab
index 1701fa9e41..a4c66a7716 100644
--- a/buildroot-external/overlay/base-raspmatic_oci/etc/fstab
+++ b/buildroot-external/overlay/base-raspmatic_oci/etc/fstab
@@ -1,6 +1,6 @@
 # /etc/fstab: static file system information.
 #
-#
-tmpfs /tmp tmpfs mode=1777 0 0
-tmpfs /var tmpfs defaults,noatime,size=50% 0 0
-tmpfs /media tmpfs defaults,noatime 0 0
+#
+tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
+tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
+tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/inittab b/buildroot-external/overlay/base-raspmatic_oci/etc/inittab
index 8a0a25c6a9..341141044b 100644
--- a/buildroot-external/overlay/base-raspmatic_oci/etc/inittab
+++ b/buildroot-external/overlay/base-raspmatic_oci/etc/inittab
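Review bot: /tmp gets `nosuid,nodev` but, unlike /var and /media on the lines right below it, not `noexec`, and neither the fstab nor the commit message records why; the same asymmetry is in the base-raspmatic_oci, base and recovery-system fstab hunks. If /tmp has to stay executable for something at boot or runtime, a comment on that line such as `# /tmp intentionally without noexec: <reason>` would stop a later hardening pass from "fixing" it; if nothing needs it, `tmpfs /tmp tmpfs mode=1777,noexec,nosuid,nodev 0 0` would bring it in line with the other tmpfs entries. The `-#`/`+#` pair at the top of the hunk looks like a whitespace-only change that the subject does not mention.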
@@ -17,7 +17,7 @@
 null::sysinit:/bin/mkdir -p /dev_host
 #Bug in Kubernetes -> sys is mounted RO even for privileged -> https://github.com/kubernetes/kubernetes/pull/96877
 null::sysinit:/bin/mount -o rw,remount /sys
-null::sysinit:/bin/mount -t tmpfs tmpfs /tmp
+null::sysinit:/bin/mount /tmp
 # run any rc scripts (start) and move boot.log
 ::sysinit:/etc/init.d/rcS 2>&1 | /usr/bin/tee -a /tmp/boot.log
diff --git a/buildroot-external/overlay/base/etc/fstab b/buildroot-external/overlay/base/etc/fstab
index 1a79baca25..f808af371a 100644
--- a/buildroot-external/overlay/base/etc/fstab
+++ b/buildroot-external/overlay/base/etc/fstab
@@ -1,14 +1,14 @@
 # /etc/fstab: static file system information.
 #
-#
-/dev/root / auto ro,noauto,noatime,nodiratime 0 1
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
-tmpfs /dev/shm tmpfs mode=1777 0 0
-tmpfs /tmp tmpfs mode=1777 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /var tmpfs defaults,noatime,size=50% 0 0
-tmpfs /media tmpfs defaults,noatime 0 0
-debugfs /sys/kernel/debug debugfs noauto 0 0
-LABEL=userfs /usr/local auto defaults,noatime,nodiratime,rw,nofail,commit=30 0 2
-LABEL=bootfs /boot vfat defaults,ro 0 0
+#
+/dev/root / auto ro,noauto,noatime,nodiratime 0 1
+proc /proc proc defaults 0 0
+devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
+tmpfs /dev/shm tmpfs mode=1777,noexec,nosuid,nodev 0 0
+tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
+sysfs /sys sysfs defaults 0 0
+tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
+tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
+debugfs /sys/kernel/debug debugfs noauto 0 0
+LABEL=userfs /usr/local auto defaults,rw,noatime,nodiratime,nofail,commit=30 0 2
+LABEL=bootfs /boot vfat defaults,ro 0 0
diff --git a/buildroot-external/overlay/base/etc/inittab b/buildroot-external/overlay/base/etc/inittab
index f29c2f6251..f437a899c5 100644
--- a/buildroot-external/overlay/base/etc/inittab
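Review bot: `proc /proc proc defaults 0 0` and `sysfs /sys sysfs defaults 0 0` keep plain `defaults` while every tmpfs line in this hunk gains `nosuid,nodev`; now that the inittab takes its mount options from this file, `proc /proc proc defaults,nosuid,nodev,noexec 0 0` and `sysfs /sys sysfs defaults,nosuid,nodev,noexec 0 0` would follow the commit's intent through, and the same applies to the recovery-system fstab hunk. /dev/shm additionally gets `noexec`, which will break anything that maps shared memory with execute permission; I cannot tell from the hunk whether any component does, so this deserves a boot test on a device rather than a comment. The LABEL=userfs line only moves `rw` ahead of `noatime,nodiratime`, which is unrelated to the subject and could be split out.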
+++ b/buildroot-external/overlay/base/etc/inittab
@@ -14,9 +14,9 @@
 # process == program to run
 # Init the system
-tty2::sysinit:/bin/mount -t proc proc /proc
-tty2::sysinit:/bin/mount -t sysfs sysfs /sys
-tty2::sysinit:/bin/mount -t tmpfs tmpfs /tmp
+tty2::sysinit:/bin/mount /proc
+tty2::sysinit:/bin/mount /sys
+tty2::sysinit:/bin/mount /tmp
 tty2::sysinit:/bin/mkdir -p /dev/pts /dev/shm
 # run any rc scripts (start) and move boot.log
diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/fstab b/buildroot-external/package/recovery-system/external/overlay/base/etc/fstab
index 3f703de527..2a7dc7e63b 100644
--- a/buildroot-external/package/recovery-system/external/overlay/base/etc/fstab
+++ b/buildroot-external/package/recovery-system/external/overlay/base/etc/fstab
@@ -1,16 +1,16 @@
 # /etc/fstab: static file system information.
 #
-#
-/dev/root / auto ro,noauto 0 1
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
-tmpfs /dev/shm tmpfs mode=1777 0 0
-tmpfs /tmp tmpfs mode=1777 0 0
-tmpfs /run tmpfs defaults,noatime,mode=0755,nosuid,nodev 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /var tmpfs defaults,noatime,size=50% 0 0
-tmpfs /media tmpfs defaults,noatime 0 0
-debugfs /sys/kernel/debug debugfs noauto 0 0
-LABEL=rootfs /rootfs auto defaults,noatime,nodiratime,ro,nofail 0 2
-LABEL=userfs /userfs auto defaults,noatime,nodiratime,ro,nofail 0 2
-LABEL=bootfs /bootfs vfat defaults,ro 0 0
+#
+/dev/root / auto ro,noauto 0 1
+proc /proc proc defaults 0 0
+devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
+tmpfs /dev/shm tmpfs mode=1777,noexec,nosuid,nodev 0 0
+tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
+tmpfs /run tmpfs defaults,noatime,mode=0755,nosuid,nodev 0 0
+sysfs /sys sysfs defaults 0 0
+tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
+tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
+debugfs /sys/kernel/debug debugfs noauto 0 0
+LABEL=rootfs /rootfs auto defaults,ro,noatime,nodiratime,nofail 0 2
+LABEL=userfs /userfs auto defaults,ro,noatime,nodiratime,nofail 0 2
+LABEL=bootfs /bootfs vfat defaults,ro 0 0
diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/inittab b/buildroot-external/package/recovery-system/external/overlay/base/etc/inittab
index 33f7a2dfc0..e29b13ad09 100644
--- a/buildroot-external/package/recovery-system/external/overlay/base/etc/inittab
+++ b/buildroot-external/package/recovery-system/external/overlay/base/etc/inittab
@@ -14,8 +14,8 @@
 # process == program to run
 # Startup the system
-tty2::sysinit:/bin/mount -t proc proc /proc
-tty2::sysinit:/bin/mount -t sysfs sysfs /sys
+tty2::sysinit:/bin/mount /proc
+tty2::sysinit:/bin/mount /sys
 tty2::sysinit:/bin/mkdir -p /dev/pts /dev/shm
 tty2::sysinit:/sbin/fsck -A -R -p
 tty2::sysinit:/bin/mount -a