[PATCH] Set restrictive mount options
These are mostly copied from systemd, so should be pretty safe in terms of compatibility.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
host/initramfs/etc/fstab | 8 ++++----
host/initramfs/etc/init | 2 +-
host/rootfs/image/etc/fstab | 12 ++++++------
img/app/image/etc/fstab | 12 ++++++------
img/app/image/etc/mdev/virtiofs | 2 +-
img/app/image/etc/s6-rc/app/run | 4 ++--
img/app/scripts/start-virtiofsd.elb | 2 +-
vm/app/systemd-sysupdate/download-update | 2 +-
vm/sys/net/image/etc/fstab | 12 ++++++------
9 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
index 3dfb05ab..9f43a1a9 100644
--- a/host/initramfs/etc/fstab
+++ b/host/initramfs/etc/fstab
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-devtmpfs /dev devtmpfs defaults 0 0
-proc /proc proc defaults 0 0
-sysfs /sys sysfs defaults 0 0
+# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
+devtmpfs /dev devtmpfs nosuid 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
index 71948874..723d2e1b 100755
--- a/host/initramfs/etc/init
+++ b/host/initramfs/etc/init
@@ -42,7 +42,7 @@ if {
 background { rm /dev/rootfs /dev/verity }
-if { mount /dev/mapper/root-verity /mnt/root }
+if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
 wait { $mdevd_pid }
 if { mount --move /proc /mnt/root/proc }
diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
index 6230d910..5c23a374 100644
--- a/host/rootfs/image/etc/fstab
+++ b/host/rootfs/image/etc/fstab
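Review bot: The verity-backed root is mounted without an explicit `ro` on the `+if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }` line, so read-only-ness rests on the dm-verity target refusing writes and on mount's read-only fallback rather than on what the script asks for. Since the whole point of this device is that it is immutable, I'd state it: `if { mount -o ro,nosuid,nodev /dev/mapper/root-verity /mnt/root }`, which also makes a later accidental `remount,rw` obvious in review. Note that the flags here do not carry over to the `/proc` that is `--move`d under `/mnt/root` two lines later; that mount keeps the flags from the initramfs fstab, which is presumably why both files are changed together. The init script continues on both sides of the hunk.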
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
index 2dd1f4d8..5f78ab87 100644
--- a/img/app/image/etc/fstab
+++ b/img/app/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
 # SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
-tmpfs /home/user tmpfs mode=0700,uid=1000,gid=1000 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
+tmpfs /home/user tmpfs nodev,mode=0700,uid=1000,gid=1000 0 0
diff --git a/img/app/image/etc/mdev/virtiofs b/img/app/image/etc/mdev/virtiofs
index c1fd2834..b6e505bc 100755
--- a/img/app/image/etc/mdev/virtiofs
+++ b/img/app/image/etc/mdev/virtiofs
@@ -7,6 +7,6 @@ background {
 # virtiofs filesystems, so we only supported a single, hardcoded
 # filesystem tag for now.
 if { mkdir -p /run/virtiofs/virtiofs0 }
- if { mount -t virtiofs virtiofs0 /run/virtiofs/virtiofs0 }
+ if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }
 /etc/mdev/listen virtiofs0
 }
diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
index 0ba1f374..997897de 100755
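Review bot: `/home/user` is the only tmpfs in this fstab that gets `nodev` without `nosuid` (`+tmpfs /home/user tmpfs nodev,mode=0700,uid=1000,gid=1000 0 0`), while `/tmp` and `/dev/shm` directly above get both. A user-owned, user-writable tmpfs is exactly where a setuid bit or a file capability would buy an attacker the most, and nothing in the hunk suggests the app needs either there. Unless the AppImage flow depends on it, I'd align the line with the others: `tmpfs /home/user tmpfs nosuid,nodev,mode=0700,uid=1000,gid=1000 0 0`.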
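Review bot: The guest-side virtiofs mount, `+ if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }`, gets `nodev` but not `nosuid`, so a setuid binary or file capability present in the host share would be honoured when something is run straight out of `/run/virtiofs/virtiofs0`. The store overlay in `img/app/image/etc/s6-rc/app/run` does add `nosuid` on top of the same share, which suggests setuid from the share is not wanted; I'd make this direct mount match: `if { mount -t virtiofs -o nosuid,nodev virtiofs0 /run/virtiofs/virtiofs0 }`. `noexec` is not an option here, since `config/run` is executed from this path (`/run/virtiofs/virtiofs0/config/run --appimage-offset` in app/run). The `background {` block continues past the hunk.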
--- a/img/app/image/etc/s6-rc/app/run
+++ b/img/app/image/etc/s6-rc/app/run
@@ -17,7 +17,7 @@ foreground {
 if { modprobe loop }
 if {
 backtick -E offset { /run/virtiofs/virtiofs0/config/run --appimage-offset }
- mount -o offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt
+ mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt
 }
 s6-setuidgid user
 export APPIMAGE /run/virtiofs/virtiofs0/config/run
@@ -42,7 +42,7 @@ foreground {
 nix {
 if {
 mount -t overlay
- -o ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
+ -o ro,nosuid,nodev,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
 store
 /nix/store
 }
diff --git a/img/app/scripts/start-virtiofsd.elb b/img/app/scripts/start-virtiofsd.elb
index e4d265f0..cedce9ae 100755
--- a/img/app/scripts/start-virtiofsd.elb
+++ b/img/app/scripts/start-virtiofsd.elb
@@ -6,7 +6,7 @@ s6-ipcserver-socketbinder -B build/virtiofsd.sock
 background {
 if { mkdir -p build/fs }
 unshare -rUm
- if { mount -t tmpfs fs build/fs }
+ if { mount -t tmpfs -o nosuid,nodev fs build/fs }
 if { mkdir build/fs/config }
 if { importas -Si CONFIG mount --rbind -- ${CONFIG}/fs build/fs/config }
 importas -SsD virtiofsd VIRTIOFSD
diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
index facf7f52..b397f238 100755
--- a/vm/app/systemd-sysupdate/download-update
+++ b/vm/app/systemd-sysupdate/download-update
@@ -5,7 +5,7 @@ export LC_ALL C
 export LANGUAGE C
 unshare -mr
-if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
+if { mount -toverlay -o nosuid,nodev,lowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
 backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
 # Not a useless use of cat: if there are NUL bytes in the URL
 # busybox's awk might misbehave.
diff --git a/vm/sys/net/image/etc/fstab b/vm/sys/net/image/etc/fstab
index a0b62fa5..4c240544 100644
--- a/vm/sys/net/image/etc/fstab
+++ b/vm/sys/net/image/etc/fstab
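Review bot: The loop mount of the AppImage, `+ mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt`, still honours setuid bits even though the image comes from the host share rather than the verified root, and the process is only dropped to `user` afterwards via `s6-setuidgid`. A setuid file inside that payload would therefore be usable from `/mnt`; I'd mount it with `mount -o ro,nosuid,nodev,offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt` (`ro` is presumably implicit for a squashfs payload, but stating it costs nothing). `noexec` is not viable here since the mounted payload is, as far as I can tell, what ends up being run. The `foreground {` block this sits in begins before the hunk.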
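Review bot: The `nosuid,nodev` added on `+ if { mount -t tmpfs -o nosuid,nodev fs build/fs }` do not cover the tree that is actually exported: the following `mount --rbind -- ${CONFIG}/fs build/fs/config` creates a separate mount whose flags come from wherever `${CONFIG}/fs` lives, not from `build/fs`. This all runs under `unshare -rUm`, where, if I remember the kernel behaviour correctly, superblocks created inside an unprivileged user namespace are forced nosuid/nodev anyway, so the flags here are mostly documentation; the real enforcement point is the guest-side virtiofs mount. A one-line comment above the tmpfs mount would stop a reader taking this as the security boundary, e.g. `# host-side only; the guest applies its own mount flags under /run/virtiofs`. The `background {` block is cut on both sides of the hunk.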
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-bpffs /sys/fs/bpf bpf defaults 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+bpffs /sys/fs/bpf bpf nosuid,nodev,noexec,mode=700 0 0
base-commit: e32cdde75ef9ec554c1c40bba7f4a75dcaaa779f
--
2.51.0
On 12/11/25 07:48, Alyssa Ross wrote:
These are mostly copied from systemd, so should be pretty safe in terms of compatibility.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
host/initramfs/etc/fstab | 8 ++++----
host/initramfs/etc/init | 2 +-
host/rootfs/image/etc/fstab | 12 ++++++------
img/app/image/etc/fstab | 12 ++++++------
img/app/image/etc/mdev/virtiofs | 2 +-
img/app/image/etc/s6-rc/app/run | 4 ++--
img/app/scripts/start-virtiofsd.elb | 2 +-
vm/app/systemd-sysupdate/download-update | 2 +-
vm/sys/net/image/etc/fstab | 12 ++++++------
9 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
index 3dfb05ab..9f43a1a9 100644
--- a/host/initramfs/etc/fstab
+++ b/host/initramfs/etc/fstab
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-devtmpfs /dev devtmpfs defaults 0 0
-proc /proc proc defaults 0 0
-sysfs /sys sysfs defaults 0 0
+# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
+devtmpfs /dev devtmpfs nosuid 0 0
Should this also be noexec? I don't think anything has any business executing something out of devtmpfs.
+proc /proc proc nosuid,nodev,noexec 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
index 71948874..723d2e1b 100755
--- a/host/initramfs/etc/init
+++ b/host/initramfs/etc/init
@@ -42,7 +42,7 @@ if {
background { rm /dev/rootfs /dev/verity }
-if { mount /dev/mapper/root-verity /mnt/root }
+if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
 wait { $mdevd_pid }
if { mount --move /proc /mnt/root/proc }
diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
index 6230d910..5c23a374 100644
--- a/host/rootfs/image/etc/fstab
+++ b/host/rootfs/image/etc/fstab
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
Should this be noexec as well?
diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
index 2dd1f4d8..5f78ab87 100644
--- a/img/app/image/etc/fstab
+++ b/img/app/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
 # SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
-tmpfs /home/user tmpfs mode=0700,uid=1000,gid=1000 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
+tmpfs /home/user tmpfs nodev,mode=0700,uid=1000,gid=1000 0 0
diff --git a/img/app/image/etc/mdev/virtiofs b/img/app/image/etc/mdev/virtiofs
index c1fd2834..b6e505bc 100755
--- a/img/app/image/etc/mdev/virtiofs
+++ b/img/app/image/etc/mdev/virtiofs
@@ -7,6 +7,6 @@ background {
 # virtiofs filesystems, so we only supported a single, hardcoded
 # filesystem tag for now.
 if { mkdir -p /run/virtiofs/virtiofs0 }
- if { mount -t virtiofs virtiofs0 /run/virtiofs/virtiofs0 }
+ if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }
 /etc/mdev/listen virtiofs0
 }
diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
index 0ba1f374..997897de 100755
--- a/img/app/image/etc/s6-rc/app/run
+++ b/img/app/image/etc/s6-rc/app/run
@@ -17,7 +17,7 @@ foreground {
 if { modprobe loop }
 if {
 backtick -E offset { /run/virtiofs/virtiofs0/config/run --appimage-offset }
- mount -o offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt
+ mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt
 }
 s6-setuidgid user
 export APPIMAGE /run/virtiofs/virtiofs0/config/run
@@ -42,7 +42,7 @@ foreground {
 nix {
 if {
 mount -t overlay
- -o ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
+ -o ro,nosuid,nodev,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
 store
 /nix/store
 }
diff --git a/img/app/scripts/start-virtiofsd.elb b/img/app/scripts/start-virtiofsd.elb
index e4d265f0..cedce9ae 100755
--- a/img/app/scripts/start-virtiofsd.elb
+++ b/img/app/scripts/start-virtiofsd.elb
@@ -6,7 +6,7 @@ s6-ipcserver-socketbinder -B build/virtiofsd.sock
 background {
 if { mkdir -p build/fs }
 unshare -rUm
- if { mount -t tmpfs fs build/fs }
+ if { mount -t tmpfs -o nosuid,nodev fs build/fs }
 if { mkdir build/fs/config }
 if { importas -Si CONFIG mount --rbind -- ${CONFIG}/fs build/fs/config }
 importas -SsD virtiofsd VIRTIOFSD
diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
index facf7f52..b397f238 100755
--- a/vm/app/systemd-sysupdate/download-update
+++ b/vm/app/systemd-sysupdate/download-update
@@ -5,7 +5,7 @@ export LC_ALL C
 export LANGUAGE C
 unshare -mr
-if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
+if { mount -toverlay -o nosuid,nodev,lowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
Feel free to add noexec and nosymfollow to this. Unless I am very much mistaken, the updater should be fine with both.
backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
 # Not a useless use of cat: if there are NUL bytes in the URL
 # busybox's awk might misbehave.
diff --git a/vm/sys/net/image/etc/fstab b/vm/sys/net/image/etc/fstab
index a0b62fa5..4c240544 100644
--- a/vm/sys/net/image/etc/fstab
+++ b/vm/sys/net/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-bpffs /sys/fs/bpf bpf defaults 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+bpffs /sys/fs/bpf bpf nosuid,nodev,noexec,mode=700 0 0
base-commit: e32cdde75ef9ec554c1c40bba7f4a75dcaaa779f
There might be additional improvements that can be made, but those can come later, so: Acked-by: Demi Marie Obenour <demiobenour@gmail.com> with or without the suggested changes. -- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/11/25 07:48, Alyssa Ross wrote:
These are mostly copied from systemd, so should be pretty safe in terms of compatibility.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
host/initramfs/etc/fstab | 8 ++++----
host/initramfs/etc/init | 2 +-
host/rootfs/image/etc/fstab | 12 ++++++------
img/app/image/etc/fstab | 12 ++++++------
img/app/image/etc/mdev/virtiofs | 2 +-
img/app/image/etc/s6-rc/app/run | 4 ++--
img/app/scripts/start-virtiofsd.elb | 2 +-
vm/app/systemd-sysupdate/download-update | 2 +-
vm/sys/net/image/etc/fstab | 12 ++++++------
9 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
index 3dfb05ab..9f43a1a9 100644
--- a/host/initramfs/etc/fstab
+++ b/host/initramfs/etc/fstab
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-devtmpfs /dev devtmpfs defaults 0 0
-proc /proc proc defaults 0 0
-sysfs /sys sysfs defaults 0 0
+# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
+devtmpfs /dev devtmpfs nosuid 0 0
Should this also be noexec? I don't think anything has any business executing something out of devtmpfs.
+proc /proc proc nosuid,nodev,noexec 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
index 71948874..723d2e1b 100755
--- a/host/initramfs/etc/init
+++ b/host/initramfs/etc/init
@@ -42,7 +42,7 @@ if {
background { rm /dev/rootfs /dev/verity }
-if { mount /dev/mapper/root-verity /mnt/root }
+if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
 wait { $mdevd_pid }
if { mount --move /proc /mnt/root/proc }
diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
index 6230d910..5c23a374 100644
--- a/host/rootfs/image/etc/fstab
+++ b/host/rootfs/image/etc/fstab
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
Should this be noexec as well?
diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
index 2dd1f4d8..5f78ab87 100644
--- a/img/app/image/etc/fstab
+++ b/img/app/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
 # SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
-tmpfs /home/user tmpfs mode=0700,uid=1000,gid=1000 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
+tmpfs /home/user tmpfs nodev,mode=0700,uid=1000,gid=1000 0 0
diff --git a/img/app/image/etc/mdev/virtiofs b/img/app/image/etc/mdev/virtiofs
index c1fd2834..b6e505bc 100755
--- a/img/app/image/etc/mdev/virtiofs
+++ b/img/app/image/etc/mdev/virtiofs
@@ -7,6 +7,6 @@ background {
 # virtiofs filesystems, so we only supported a single, hardcoded
 # filesystem tag for now.
 if { mkdir -p /run/virtiofs/virtiofs0 }
- if { mount -t virtiofs virtiofs0 /run/virtiofs/virtiofs0 }
+ if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }
 /etc/mdev/listen virtiofs0
 }
diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
index 0ba1f374..997897de 100755
--- a/img/app/image/etc/s6-rc/app/run
+++ b/img/app/image/etc/s6-rc/app/run
@@ -17,7 +17,7 @@ foreground {
 if { modprobe loop }
 if {
 backtick -E offset { /run/virtiofs/virtiofs0/config/run --appimage-offset }
- mount -o offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt
+ mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt
 }
 s6-setuidgid user
 export APPIMAGE /run/virtiofs/virtiofs0/config/run
@@ -42,7 +42,7 @@ foreground {
 nix {
 if {
 mount -t overlay
- -o ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
+ -o ro,nosuid,nodev,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
 store
 /nix/store
 }
diff --git a/img/app/scripts/start-virtiofsd.elb b/img/app/scripts/start-virtiofsd.elb
index e4d265f0..cedce9ae 100755
--- a/img/app/scripts/start-virtiofsd.elb
+++ b/img/app/scripts/start-virtiofsd.elb
@@ -6,7 +6,7 @@ s6-ipcserver-socketbinder -B build/virtiofsd.sock
 background {
 if { mkdir -p build/fs }
 unshare -rUm
- if { mount -t tmpfs fs build/fs }
+ if { mount -t tmpfs -o nosuid,nodev fs build/fs }
 if { mkdir build/fs/config }
 if { importas -Si CONFIG mount --rbind -- ${CONFIG}/fs build/fs/config }
 importas -SsD virtiofsd VIRTIOFSD
diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
index facf7f52..b397f238 100755
--- a/vm/app/systemd-sysupdate/download-update
+++ b/vm/app/systemd-sysupdate/download-update
@@ -5,7 +5,7 @@ export LC_ALL C
 export LANGUAGE C
 unshare -mr
-if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
+if { mount -toverlay -o nosuid,nodev,lowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
Feel free to add noexec and nosymfollow to this. Unless I am very much mistaken, the updater should be fine with both.
backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
 # Not a useless use of cat: if there are NUL bytes in the URL
 # busybox's awk might misbehave.
diff --git a/vm/sys/net/image/etc/fstab b/vm/sys/net/image/etc/fstab
index a0b62fa5..4c240544 100644
--- a/vm/sys/net/image/etc/fstab
+++ b/vm/sys/net/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-bpffs /sys/fs/bpf bpf defaults 0 0
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+bpffs /sys/fs/bpf bpf nosuid,nodev,noexec,mode=700 0 0
base-commit: e32cdde75ef9ec554c1c40bba7f4a75dcaaa779f
There might be additional improvements that can be made, but those can come later, so:
Acked-by: Demi Marie Obenour <demiobenour@gmail.com>
with or without the suggested changes.
Alright, I'll test and commit this with the updater changes, and follow up separately on the others.
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/11/25 07:48, Alyssa Ross wrote:
These are mostly copied from systemd, so should be pretty safe in terms of compatibility.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
host/initramfs/etc/fstab | 8 ++++----
host/initramfs/etc/init | 2 +-
host/rootfs/image/etc/fstab | 12 ++++++------
img/app/image/etc/fstab | 12 ++++++------
img/app/image/etc/mdev/virtiofs | 2 +-
img/app/image/etc/s6-rc/app/run | 4 ++--
img/app/scripts/start-virtiofsd.elb | 2 +-
vm/app/systemd-sysupdate/download-update | 2 +-
vm/sys/net/image/etc/fstab | 12 ++++++------
9 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
index 3dfb05ab..9f43a1a9 100644
--- a/host/initramfs/etc/fstab
+++ b/host/initramfs/etc/fstab
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-devtmpfs /dev devtmpfs defaults 0 0
-proc /proc proc defaults 0 0
-sysfs /sys sysfs defaults 0 0
+# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
+devtmpfs /dev devtmpfs nosuid 0 0
Should this also be noexec? I don't think anything has any business executing something out of devtmpfs.
+proc /proc proc nosuid,nodev,noexec 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
index 71948874..723d2e1b 100755
--- a/host/initramfs/etc/init
+++ b/host/initramfs/etc/init
@@ -42,7 +42,7 @@ if {
background { rm /dev/rootfs /dev/verity }
-if { mount /dev/mapper/root-verity /mnt/root }
+if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
 wait { $mdevd_pid }
if { mount --move /proc /mnt/root/proc }
diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
index 6230d910..5c23a374 100644
--- a/host/rootfs/image/etc/fstab
+++ b/host/rootfs/image/etc/fstab
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-proc /proc proc defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-sysfs /sys sysfs defaults 0 0
-tmpfs /tmp tmpfs defaults 0 0
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
+proc /proc proc nosuid,nodev,noexec 0 0
+devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
+tmpfs /dev/shm tmpfs nosuid,nodev 0 0
+sysfs /sys sysfs nosuid,nodev,noexec 0 0
+tmpfs /tmp tmpfs nosuid,nodev 0 0
Should this be noexec as well?
Here's systemd's rationale for /dev and /tmp not to be noexec: https://github.com/systemd/systemd/commit/4eb105fa4aae30566d23382e8c9430eddf... We could decide to be stricter, though. For /tmp and maybe /dev/shm as well I'm tempted to leave them unmounted and read-only by default, and only mount them inside namespaces for particular services that need them. That way we'd know which services were using them, and could decide on restrictive mount flags per-service, as well as deciding whether /tmp should be RAM- or disk-backed for each service.
This patch has been committed as 88d6d4676ee2c47d2ebee79a3527f65872956251, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=88d6d4676ee2c47d2ebee79a3527.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>