shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-21 13:58:00 +03:00
Code

gpt-auto: harden ESP/XBOOTLDR mounts with "noexec,nosuid,nodev"

Browse Source 
When these partitions are probed by gpt-auto,
they will always be hardened with such options.

See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711

Closes #25776
This commit is contained in:
Mike Yuan 2023-01-16 14:57:24 +08:00 committed by Lennart Poettering
parent 4b2e6892cb
commit d708293d43
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/gpt-auto-generator/gpt-auto-generator.c
View File

@ -424,14 +424,14 @@ static int add_automount(
static const char *esp_or_xbootldr_options(const DissectedPartition *p) { static const char *esp_or_xbootldr_options(const DissectedPartition *p) {
assert(p); assert(p);
/* if we probed vfat or have no idea about the file system then assume these file systems are vfat /* Discoveried ESP and XBOOTLDR partition are always hardened with "noexec,nosuid,nodev".
* and thus understand "umask=0077". If we detected something else then don't specify any options and * If we probed vfat or have no idea about the file system then assume these file systems are vfat
* use kernel defaults. */ * and thus understand "umask=0077". */
if (!p->fstype || streq(p->fstype, "vfat")) if (!p->fstype || streq(p->fstype, "vfat"))
return "umask=0077"; return "umask=0077,noexec,nosuid,nodev";
return NULL; return "noexec,nosuid,nodev";
} }
static int add_partition_xbootldr(DissectedPartition *p) { static int add_partition_xbootldr(DissectedPartition *p) {