Skip to content

Commit

Permalink
add noexec,nosuid,nodev mount options to certain tmpfs mounts to ensure
Browse files Browse the repository at this point in the history 
they are more safe to being misused. Also changed inittab to not
directly mount but respect fstab settings/options.
  • Loading branch information
@jens-maus
jens-maus committed Oct 6, 2024
1 parent 68ffd92 commit a7713a4
Show file tree
Hide file tree
Showing 9 changed files with 44 additions and 44 deletions.
6 changes: 3 additions & 3 deletions buildroot-external/overlay/base-raspmatic/etc/inittab
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@
# process == program to run

# Init the system
tty2::sysinit:/bin/mount -t proc proc /proc
tty2::sysinit:/bin/mount -t sysfs sysfs /sys
tty2::sysinit:/bin/mount -t tmpfs tmpfs /tmp
tty2::sysinit:/bin/mount /proc
tty2::sysinit:/bin/mount /sys
tty2::sysinit:/bin/mount /tmp
tty2::sysinit:/bin/mkdir -p /dev/pts /dev/shm

# run any rc scripts (start) and move boot.log
Expand Down
8 changes: 4 additions & 4 deletions buildroot-external/overlay/base-raspmatic_lxc/etc/fstab
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# /etc/fstab: static file system information.
#
# <file system> <mount pt> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs mode=1777 0 0
tmpfs /var tmpfs defaults,noatime,size=50% 0 0
tmpfs /media tmpfs defaults,noatime 0 0
# <file system> <mount pt> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
2 changes: 1 addition & 1 deletion buildroot-external/overlay/base-raspmatic_lxc/etc/inittab
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
# process == program to run

# Init the system
tty1::sysinit:/bin/mount -t tmpfs tmpfs /tmp
tty1::sysinit:/bin/mount /tmp

# run any rc scripts (start) and move boot.log
tty1::sysinit:/etc/init.d/rcS 2>&1 | /usr/bin/tee -a /tmp/boot.log
Expand Down
8 changes: 4 additions & 4 deletions buildroot-external/overlay/base-raspmatic_oci/etc/fstab
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# /etc/fstab: static file system information.
#
# <file system> <mount pt> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs mode=1777 0 0
tmpfs /var tmpfs defaults,noatime,size=50% 0 0
tmpfs /media tmpfs defaults,noatime 0 0
# <file system> <mount pt> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
2 changes: 1 addition & 1 deletion buildroot-external/overlay/base-raspmatic_oci/etc/inittab
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
null::sysinit:/bin/mkdir -p /dev_host
#Bug in Kubernetes -> sys is mounted RO even for privileged -> https://github.com/kubernetes/kubernetes/pull/96877
null::sysinit:/bin/mount -o rw,remount /sys
null::sysinit:/bin/mount -t tmpfs tmpfs /tmp
null::sysinit:/bin/mount /tmp

# run any rc scripts (start) and move boot.log
::sysinit:/etc/init.d/rcS 2>&1 | /usr/bin/tee -a /tmp/boot.log
Expand Down
24 changes: 12 additions & 12 deletions buildroot-external/overlay/base/etc/fstab
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# /etc/fstab: static file system information.
#
# <file system> <mount pt> <type> <options> <dump> <pass>
/dev/root / auto ro,noauto,noatime,nodiratime 0 1
proc /proc proc defaults 0 0
devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
tmpfs /dev/shm tmpfs mode=1777 0 0
tmpfs /tmp tmpfs mode=1777 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /var tmpfs defaults,noatime,size=50% 0 0
tmpfs /media tmpfs defaults,noatime 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
LABEL=userfs /usr/local auto defaults,noatime,nodiratime,rw,nofail,commit=30 0 2
LABEL=bootfs /boot vfat defaults,ro 0 0
# <file system> <mount pt> <type> <options> <dump> <pass>
/dev/root / auto ro,noauto,noatime,nodiratime 0 1
proc /proc proc defaults 0 0
devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
tmpfs /dev/shm tmpfs mode=1777,noexec,nosuid,nodev 0 0
tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
LABEL=userfs /usr/local auto defaults,rw,noatime,nodiratime,nofail,commit=30 0 2
LABEL=bootfs /boot vfat defaults,ro 0 0
6 changes: 3 additions & 3 deletions buildroot-external/overlay/base/etc/inittab
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@
# process == program to run

# Init the system
tty2::sysinit:/bin/mount -t proc proc /proc
tty2::sysinit:/bin/mount -t sysfs sysfs /sys
tty2::sysinit:/bin/mount -t tmpfs tmpfs /tmp
tty2::sysinit:/bin/mount /proc
tty2::sysinit:/bin/mount /sys
tty2::sysinit:/bin/mount /tmp
tty2::sysinit:/bin/mkdir -p /dev/pts /dev/shm

# run any rc scripts (start) and move boot.log
Expand Down
28 changes: 14 additions & 14 deletions buildroot-external/package/recovery-system/external/overlay/base/etc/fstab
View file
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
# /etc/fstab: static file system information.
#
# <file system> <mount pt> <type> <options> <dump> <pass>
/dev/root / auto ro,noauto 0 1
proc /proc proc defaults 0 0
devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
tmpfs /dev/shm tmpfs mode=1777 0 0
tmpfs /tmp tmpfs mode=1777 0 0
tmpfs /run tmpfs defaults,noatime,mode=0755,nosuid,nodev 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /var tmpfs defaults,noatime,size=50% 0 0
tmpfs /media tmpfs defaults,noatime 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
LABEL=rootfs /rootfs auto defaults,noatime,nodiratime,ro,nofail 0 2
LABEL=userfs /userfs auto defaults,noatime,nodiratime,ro,nofail 0 2
LABEL=bootfs /bootfs vfat defaults,ro 0 0
# <file system> <mount pt> <type> <options> <dump> <pass>
/dev/root / auto ro,noauto 0 1
proc /proc proc defaults 0 0
devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
tmpfs /dev/shm tmpfs mode=1777,noexec,nosuid,nodev 0 0
tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
tmpfs /run tmpfs defaults,noatime,mode=0755,nosuid,nodev 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /var tmpfs defaults,noatime,noexec,nosuid,nodev,size=50% 0 0
tmpfs /media tmpfs defaults,noatime,noexec,nosuid,nodev 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
LABEL=rootfs /rootfs auto defaults,ro,noatime,nodiratime,nofail 0 2
LABEL=userfs /userfs auto defaults,ro,noatime,nodiratime,nofail 0 2
LABEL=bootfs /bootfs vfat defaults,ro 0 0
4 changes: 2 additions & 2 deletions buildroot-external/package/recovery-system/external/overlay/base/etc/inittab
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@
# process == program to run

# Startup the system
tty2::sysinit:/bin/mount -t proc proc /proc
tty2::sysinit:/bin/mount -t sysfs sysfs /sys
tty2::sysinit:/bin/mount /proc
tty2::sysinit:/bin/mount /sys
tty2::sysinit:/bin/mkdir -p /dev/pts /dev/shm
tty2::sysinit:/sbin/fsck -A -R -p
tty2::sysinit:/bin/mount -a
Expand Down

0 comments on commit a7713a4

Please sign in to comment.