From patchwork Sat Sep 19 19:20:45 2015
X-Patchwork-Submitter: Etienne Champetier
X-Patchwork-Id: 519775
From: Etienne CHAMPETIER
To: openwrt-devel@lists.openwrt.org
Date: Sat, 19 Sep 2015 19:20:45 +0000
Message-Id: <1442690445-29345-1-git-send-email-champetier.etienne@gmail.com>
Subject: [OpenWrt-Devel] [PATCH procd] Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed
List-Id: OpenWrt Development List

These options aren't mandatory, but can prevent some future bugs from being exploited.
Good reading: http://lwn.net/Articles/647757/

Value chosen by looking at fedora 22 / ubuntu 14.04

Not tested yet (away from my test routers)

Not touching jail/jail.c as this conflicts with my pending patch series

Signed-off-by: Etienne CHAMPETIER
---
 initd/early.c   | 12 ++++++------
 plug/coldplug.c |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/initd/early.c b/initd/early.c
index 89c8104..f410256 100644
--- a/initd/early.c
+++ b/initd/early.c
@@ -62,18 +62,18 @@ early_mounts(void) { unsigned int oldumask = umask(0); - mount("proc", "/proc", "proc", MS_NOATIME, 0); - mount("sysfs", "/sys", "sysfs", MS_NOATIME, 0); - mount("none", "/sys/fs/cgroup", "cgroup", 0, 0); - mount("tmpfs", "/dev", "tmpfs", MS_NOATIME, "mode=0755,size=512K"); + mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0); + mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0); + mount("cgroup", "/sys/fs/cgroup", "cgroup", MS_NODEV | MS_NOEXEC | MS_NOSUID, 0); + mount("tmpfs", "/dev", "tmpfs", MS_NOATIME | MS_NOSUID, "mode=0755,size=512K"); symlink("/tmp/shm", "/dev/shm"); mkdir("/dev/pts", 0755); - mount("devpts", "/dev/pts", "devpts", MS_NOATIME, "mode=600"); + mount("devpts", "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "mode=600"); early_dev(); early_console("/dev/console"); if (mount_zram_on_tmp()) { - mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOATIME, NULL); + mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOATIME, 0); mkdir("/tmp/shm", 01777); } else { mkdir("/tmp/shm", 01777); diff --git a/plug/coldplug.c b/plug/coldplug.c index bfd3513..123e17d 100644 --- a/plug/coldplug.c +++ b/plug/coldplug.c @@ -44,11 +44,11 @@ void procd_coldplug(void) umount2("/dev/pts", MNT_DETACH); umount2("/dev/", MNT_DETACH); - mount("tmpfs", "/dev", "tmpfs", 0, "mode=0755,size=512K"); + mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755,size=512K"); symlink("/tmp/shm", "/dev/shm"); mkdir("/dev/pts", 0755); umask(oldumask); - mount("devpts", "/dev/pts", "devpts", 0, 0); + mount("devpts", "/dev/pts", "devpts", MS_NOEXEC | MS_NOSUID, 0); udevtrigger.cb = udevtrigger_complete; udevtrigger.pid = fork(); if (!udevtrigger.pid) {
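Review bot: the early.c hunk carries two changes that the subject and the commit message do not cover: the source string of the cgroup mount goes from "none" to "cgroup", and the data argument of the zram-backed /tmp mount goes from NULL to 0 (`-	mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOATIME, NULL);` / `+	mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOATIME, 0);`). Neither touches the mount flags, so either split them into a separate commit or say in the message why they ride along, so a bisect of a cgroup or /tmp regression lands on the right change. A sentence in the message explaining that MS_NODEV is deliberately left off /dev and /dev/pts (they hold the device nodes) and that /dev stays exec would also save the next reader from re-deriving it from the Fedora/Ubuntu comparison.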
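Review bot: in the coldplug.c hunk, the /dev and /dev/pts mounts replace the ones early.c made (they follow the two umount2(..., MNT_DETACH) calls), so the flags set here are the ones that stay in effect on the running system, and they still do not match early.c: /dev loses MS_NOATIME, and /dev/pts loses both MS_NOATIME and the "mode=600" data argument that early.c passes. Use the same flags and data at both sites, e.g. `mount("devpts", "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "mode=600");`, or move the two mounts into one helper that early.c and coldplug.c share so they cannot drift apart again.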