shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00
Code

gpt-auto: harden ESP/XBOOTLDR mounts with "noexec,nosuid,nodev"

Browse Source 
When these partitions are probed by gpt-auto,
they will always be hardened with such options.

See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711

Closes #25776

(cherry picked from commit d708293d43)
(cherry picked from commit 49804cfb71)
This commit is contained in:
Mike Yuan 2023-01-16 14:57:24 +08:00 committed by Luca Boccassi
parent abcd25b66e
commit ebe67b6e88
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/gpt-auto-generator/gpt-auto-generator.c
View File

@ -469,14 +469,14 @@ static int add_automount(
static const char *esp_or_xbootldr_options(const DissectedPartition *p) {
assert(p);
/* if we probed vfat or have no idea about the file system then assume these file systems are vfat
* and thus understand "umask=0077". If we detected something else then don't specify any options and
* use kernel defaults. */
/* Discoveried ESP and XBOOTLDR partition are always hardened with "noexec,nosuid,nodev".
* If we probed vfat or have no idea about the file system then assume these file systems are vfat
* and thus understand "umask=0077". */
if (!p->fstype || streq(p->fstype, "vfat"))
return "umask=0077";
return "umask=0077,noexec,nosuid,nodev";
return NULL;
return "noexec,nosuid,nodev";
}
static int add_xbootldr(DissectedPartition *p) {