Commit 28f0c335 authored by Kees Cook's avatar Kees Cook Committed by Greg Kroah-Hartman

devtmpfs: mount with noexec and nosuid

devtmpfs is writable. Add the noexec and nosuid as default mount flags
to prevent code execution from /dev. The systems who don't use systemd
and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
this patch. Other systems are fine with the udev solution.

No sane program should be relying on executing from /dev. So this patch
reduces the attack surface. It doesn't prevent any specific attack, but
it reduces the possibility that someone can use /dev as a place to put
executable code. Chrome OS has been carrying this patch for several
years. It seems a trivial and simple solution to improve the protection of
/dev when CONFIG_DEVTMPFS_MOUNT=y.

Original patch:
https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/



Cc: ellyjones@chromium.org
Cc: Kay Sievers <kay@vrfy.org>
Cc: Roland Eggner <edvx1@systemanalysen.net>
Co-developed-by: default avatarMuhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarMuhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 67aa58e8
+11 −0
@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
	  rescue mode with init=/bin/sh, even when the /dev directory
	  on the rootfs is completely empty.

config DEVTMPFS_SAFE
	bool "Use nosuid,noexec mount options on devtmpfs"
	depends on DEVTMPFS
	help
	  This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
	  flags when mounting devtmpfs.

	  Notice: If enabled, things like /dev/mem cannot be mmapped
	  with the PROT_EXEC flag. This can break, for example, non-KMS
	  video drivers.

config STANDALONE
	bool "Select only drivers that don't need compile-time external firmware"
	default y
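Review bot: The DEVTMPFS_SAFE help text does not say which mount the flags are applied to, so a reader may expect it to harden /dev regardless of who mounts it. The commit message states the protection is for systems that rely on CONFIG_DEVTMPFS_MOUNT=y and that the flags are added in the kernel's own init_mount() calls, so the help should carry that, e.g. a second paragraph `The flags are applied to the devtmpfs mounts performed by the kernel itself (see DEVTMPFS_MOUNT); a mount of /dev done later by userspace presumably needs its own nosuid,noexec options.` The "Notice" paragraph could also name the symptom an operator will see (mmap of /dev/mem with PROT_EXEC failing with EPERM) so the breakage is recognisable when it happens, though the exact errno should be confirmed against the mm code before it is written down.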
+8 −2
@@ -29,6 +29,12 @@
#include <uapi/linux/mount.h>
#include "base.h"

#ifdef CONFIG_DEVTMPFS_SAFE
#define DEVTMPFS_MFLAGS       (MS_SILENT | MS_NOEXEC | MS_NOSUID)
#else
#define DEVTMPFS_MFLAGS       (MS_SILENT)
#endif

static struct task_struct *thread;

static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
	if (!thread)
		return 0;

	err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
	err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
	if (err)
		printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
	else
@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
	err = ksys_unshare(CLONE_NEWNS);
	if (err)
		goto out;
	err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
	err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
	if (err)
		goto out;
	init_chdir("/.."); /* will traverse into overmounted root */
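Review bot: DEVTMPFS_MFLAGS in the first hunk is introduced without a comment saying why MS_NOEXEC and MS_NOSUID are conditional, and the macro is then used for two different mounts (devtmpfs_mount at "dev" in the second hunk and devtmpfs_setup at "/" in the third), so the rationale exists only in the commit message. Suggest a comment above the `#ifdef`: `/* Mount flags for the devtmpfs mounts the kernel performs itself; CONFIG_DEVTMPFS_SAFE adds noexec,nosuid so files under /dev can neither be executed nor honour setuid bits. */`. The run of spaces after `DEVTMPFS_MFLAGS` on both `#define` lines looks like alignment left over from editing; a single tab would match the file's other macros. Both devtmpfs_mount() and devtmpfs_setup() begin and end outside their hunks, so whether the mount in devtmpfs_setup() is ever visible to userspace cannot be confirmed from this page.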