openwrt/package/base-files/files/etc/init.d/boot
Hauke Mehrtens b88d51898d
base-files: Mount debugfs and pstore with nosuid,nodev,noexec
These permissions are not needed; systemd also mounts these file systems
without them on other Linux distributions.

Dropping these permissions should make the system more secure.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Link: https://github.com/openwrt/openwrt/pull/16960
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-11-16 14:23:08 +01:00


#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org
# Ordering keys read by /etc/rc.common (the interpreter on the shebang line):
# this service starts early (10) and is stopped late (90) relative to the
# other init scripts.
START=10
STOP=90
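#######################################
# Run every first-boot script in /etc/uci-defaults, then commit uci.
# Each script is sourced in its own subshell and is deleted only when it
# succeeded, so a failing script is left in place and retried on the next
# run. The glob replaces the previous `ls` parsing, which split file names
# on whitespace and left `$file` unquoted when passed to basename.
# Globals:   none written; changes the caller's working directory to
#            /etc/uci-defaults when that directory exists
# Arguments: none
# Outputs:   whatever the sourced scripts and `uci commit` print
# Returns:   0 when there is nothing to do, otherwise the status of
#            `uci commit`
#######################################
uci_apply_defaults() {
	. /lib/functions/system.sh

	cd /etc/uci-defaults || return 0

	# Collect the scripts as positional parameters (POSIX sh has no arrays).
	# With no match the literal pattern "./*" remains; the existence test
	# (plus -L for a dangling symlink as first entry) catches that case.
	set -- ./*
	[ -e "$1" ] || [ -L "$1" ] || return 0

	for file in "$@"; do
		# Subshell: a script's `exit` or variable changes cannot leak here.
		( . "$file" ) && rm -f -- "$file"
	done
	uci commit
}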
#######################################
# rc.common "boot" action: set up the runtime directories, mount the kernel
# pseudo filesystems and generate the initial configuration.
# Statement order matters; most steps are not checked for failure.
# Globals:   FAILSAFE (read; set outside this script)
# Arguments: none
# Returns:   status of the last command (/sbin/reload_config)
#######################################
boot() {
	# Make sure the root filesystem is mounted before touching anything else.
	[ -f /proc/mounts ] || /sbin/mount_root
	[ -f /proc/jffs2_bbc ] && echo "S" > /proc/jffs2_bbc
	# Runtime directories. /var/lock is sticky (1777): any user may create
	# lock files there but only the owner can remove them.
	mkdir -p /var/lock
	chmod 1777 /var/lock
	mkdir -p /var/log
	mkdir -p /var/run
	# No -f on these two links: if /run or /run/lock already exist the ln
	# calls fail; presumably that is tolerated, since nothing here checks
	# their status (rc.common itself is not visible in this file).
	ln -s /var/run /run
	ln -s /var/lock /run/lock
	mkdir -p /var/state
	mkdir -p /var/tmp
	# Private scratch directory for uci; 0700 keeps pending configuration
	# state away from other local users.
	mkdir -p /tmp/.uci
	chmod 0700 /tmp/.uci
	touch /var/log/wtmp
	touch /var/log/lastlog
	mkdir -p /tmp/resolv.conf.d
	touch /tmp/resolv.conf.d/resolv.conf.auto
	ln -sf /tmp/resolv.conf.d/resolv.conf.auto /tmp/resolv.conf
	# Kernel pseudo filesystems, mounted only when the running kernel lists
	# them in /proc/filesystems. nosuid,nodev,noexec ensure that nothing
	# exposed under these mount points can be used as a set-uid binary, a
	# device node or an executable; bpffs is additionally mode=0700 so only
	# its owner (root) can traverse it.
	grep -q debugfs /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
	grep -q bpf /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime,mode=0700 -t bpf bpffs /sys/fs/bpf
	grep -q pstore /proc/filesystems && /bin/mount -o nosuid,nodev,noexec,noatime -t pstore pstore /sys/fs/pstore
	# Marker file for failsafe mode; $FAILSAFE is set before this script runs.
	[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
	# /tmp/.config_pending exists while the configuration is still being
	# generated; it is removed again once /bin/config_generate has run.
	touch /tmp/.config_pending
	/sbin/kmodloader
	[ ! -f /etc/config/wireless ] && {
		# compat for bcm47xx and mvebu
		sleep 1
	}
	# Already created above; this repeat is harmless (mkdir -p).
	mkdir -p /tmp/.uci
	# The u-boot env defaults are sourced early, in a subshell, ahead of the
	# generic uci_apply_defaults pass below — presumably so config_generate
	# can rely on their result; confirm against 30_uboot-envtools.
	[ -f /etc/uci-defaults/30_uboot-envtools ] && (. /etc/uci-defaults/30_uboot-envtools)
	/bin/config_generate
	rm -f /tmp/.config_pending
	/sbin/wifi config
	uci_apply_defaults
	sync
	# temporary hack until configd exists
	/sbin/reload_config
}