base-files: Mount debugfs and pstore with nosuid,nodev,noexec

These permissions are not needed. Systemd also mounts these file systems without these permissions on other Linux distributions. Dropping these permissions should make the system more secure. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Link: https://github.com/openwrt/openwrt/pull/16960 Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> (cherry picked from commit b88d51898d126d2f918cb476d4158e9fcd62492c) Link: https://github.com/openwrt/openwrt/pull/17097 Signed-off-by: Petr Štetiar <ynezz@true.cz>
2025-04-09 20:31:59 +00:00 · 2024-11-14 21:46:36 +01:00 · 2024-11-14 21:46:36 +01:00 · 7d4be068da
commit 7d4be068da
parent 71d60c6983
1 changed files with 2 additions and 2 deletions
--- a/package/base-files/files/etc/init.d/boot
+++ b/package/base-files/files/etc/init.d/boot
@ -35,9 +35,9 @@ boot() {
 	mkdir -p /tmp/resolv.conf.d
 	touch /tmp/resolv.conf.d/resolv.conf.auto
 	ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
-	grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug
+	grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
 	grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
-	grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore
+	grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
 	[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe

 	touch /tmp/.config_pending