base-files: Mount debugfs and pstore with nosuid,nodev,noexec

These permissions are not needed. Systemd also mounts these file systems
without these permissions on other Linux distributions.

Dropping these permissions should make the system more secure.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Link: https://github.com/openwrt/openwrt/pull/16960
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This commit is contained in:
Hauke Mehrtens 2024-11-14 21:46:36 +01:00 committed by Christian Marangi
parent 3b710375dd
commit b88d51898d
No known key found for this signature in database
GPG Key ID: AC001D09ADBFEAD7

View File

@ -35,9 +35,9 @@ boot() {
mkdir -p /tmp/resolv.conf.d mkdir -p /tmp/resolv.conf.d
touch /tmp/resolv.conf.d/resolv.conf.auto touch /tmp/resolv.conf.d/resolv.conf.auto
ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
grep -q debugfs /proc/filesystems && /bin/mount -o noatime -t debugfs debugfs /sys/kernel/debug grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
grep -q pstore /proc/filesystems && /bin/mount -o noatime -t pstore pstore /sys/fs/pstore grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe [ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
touch /tmp/.config_pending touch /tmp/.config_pending