ryantimwilson / rpms / systemd

Forked from rpms/systemd a month ago
Clone
Source Code
GIT

Blame 0056-nspawn-add-nosuid-and-nodev-to-tmp-mount-6004.patch

34851-backport c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale udev-fix-maybe
  1.   1d06cbf3d480808f78e5a211bafce591873fbc84
  2.   0056-nspawn-add-nosuid-and-nodev-to-tmp-mount-6004.patch
Blob History Raw
Zbigniew Jędrzejewski-Szmek f4a676 
From 2d148f574c5c1e8bf7bf7da964e0f063395d42c8 Mon Sep 17 00:00:00 2001
Zbigniew Jędrzejewski-Szmek f4a676 
From: tomty89 <tom.ty89@gmail.com>
Zbigniew Jędrzejewski-Szmek f4a676 
Date: Tue, 23 May 2017 15:41:36 +0800
Zbigniew Jędrzejewski-Szmek f4a676 
Subject: [PATCH] nspawn: add nosuid and nodev to /tmp mount (#6004)
Zbigniew Jędrzejewski-Szmek f4a676
Zbigniew Jędrzejewski-Szmek f4a676 
When automatic /tmp mount was introduced to nspawn in v219, it was done without having the nosuid and nodev mount options, which was the same case as systemd's default tmp.mount unit back then.
Zbigniew Jędrzejewski-Szmek f4a676
Zbigniew Jędrzejewski-Szmek f4a676 
nosuid and nodev was added to tmp.mount(.m4) in v231 for security reasons. matching the nspawn /tmp mount entry against that.
Zbigniew Jędrzejewski-Szmek f4a676
Zbigniew Jędrzejewski-Szmek f4a676 
Ref.:
Zbigniew Jędrzejewski-Szmek f4a676 
https://github.com/systemd/systemd/commit/2f9df7c96a25adb42093ee3ee201577f3e01da42
Zbigniew Jędrzejewski-Szmek f4a676 
https://github.com/systemd/systemd/commit/bbb99c30d01a8bcdc27fb151cc6376a7877a6b07
Zbigniew Jędrzejewski-Szmek f4a676 
(cherry picked from commit e8a94ce83ebc5e5fa0dd312d8340d589506528f9)
Zbigniew Jędrzejewski-Szmek f4a676 
---
Zbigniew Jędrzejewski-Szmek f4a676 
 src/nspawn/nspawn-mount.c | 2 +-
Zbigniew Jędrzejewski-Szmek f4a676 
 1 file changed, 1 insertion(+), 1 deletion(-)
Zbigniew Jędrzejewski-Szmek f4a676
Zbigniew Jędrzejewski-Szmek f4a676 
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
Zbigniew Jędrzejewski-Szmek f4a676 
index d276994120..ac7290732e 100644
Zbigniew Jędrzejewski-Szmek f4a676 
--- a/src/nspawn/nspawn-mount.c
Zbigniew Jędrzejewski-Szmek f4a676 
+++ b/src/nspawn/nspawn-mount.c
Zbigniew Jędrzejewski-Szmek f4a676 
@@ -552,7 +552,7 @@ int mount_all(const char *dest,
Zbigniew Jędrzejewski-Szmek f4a676 
                 { NULL,                  "/proc/sysrq-trigger", NULL,    NULL,        MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,             MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO },                          /* ... then, make it r/o */
Zbigniew Jędrzejewski-Szmek f4a676
Zbigniew Jędrzejewski-Szmek f4a676 
                 /* outer child mounts */
Zbigniew Jędrzejewski-Szmek f4a676 
-                { "tmpfs",               "/tmp",                "tmpfs", "mode=1777", MS_STRICTATIME,                                            MOUNT_FATAL },
Zbigniew Jędrzejewski-Szmek f4a676 
+                { "tmpfs",               "/tmp",                "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,                                            MOUNT_FATAL },
Zbigniew Jędrzejewski-Szmek f4a676 
                 { "tmpfs",               "/sys",                "tmpfs", "mode=755",  MS_NOSUID|MS_NOEXEC|MS_NODEV,                              MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
Zbigniew Jędrzejewski-Szmek f4a676 
                 { "sysfs",               "/sys",                "sysfs", NULL,        MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,                    MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO },    /* skipped if above was mounted */
Zbigniew Jędrzejewski-Szmek f4a676 
                 { "sysfs",               "/sys",                "sysfs", NULL,                  MS_NOSUID|MS_NOEXEC|MS_NODEV,                    MOUNT_FATAL },                          /* skipped if above was mounted */

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation