From ebe67b6e885f2f8d0b9a9b72da9d7ce9b6f18b92 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Mon, 16 Jan 2023 14:57:24 +0800
Subject: [PATCH] gpt-auto: harden ESP/XBOOTLDR mounts with "noexec,nosuid,nodev"
When these partitions are probed by gpt-auto, they will always be hardened with such options.
See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711
Closes #25776
(cherry picked from commit d708293d436516823e0e4bfb02c54365820fd8c6)
(cherry picked from commit 49804cfb71d3a79f433096e4cfb5616980171336)
---
 src/gpt-auto-generator/gpt-auto-generator.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 589a2cc582..eb31966ac7 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -469,14 +469,14 @@ static int add_automount(
 static const char *esp_or_xbootldr_options(const DissectedPartition *p) {
 assert(p);
- /* if we probed vfat or have no idea about the file system then assume these file systems are vfat
- * and thus understand "umask=0077". If we detected something else then don't specify any options and
- * use kernel defaults. */
+ /* Discoveried ESP and XBOOTLDR partition are always hardened with "noexec,nosuid,nodev".
+ * If we probed vfat or have no idea about the file system then assume these file systems are vfat
+ * and thus understand "umask=0077". */
 if (!p->fstype || streq(p->fstype, "vfat"))
- return "umask=0077";
+ return "umask=0077,noexec,nosuid,nodev";
- return NULL;
+ return "noexec,nosuid,nodev";
 }
 static int add_xbootldr(DissectedPartition *p) {
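Review bot: The rewritten comment at the top of esp_or_xbootldr_options contains two typos that will sit in the file indefinitely: "Discoveried" and "partition are"; suggest `/* Discovered ESP and XBOOTLDR partitions are always hardened with "noexec,nosuid,nodev".`. The new wording also drops the old explanation of the non-vfat branch, so a reader no longer sees why "umask=0077" is only emitted for vfat or an unknown fstype; a closing clause such as `* For any other file system only the hardening options are passed and kernel defaults apply.` would keep that rationale next to the code. Separately, the non-vfat return changes from NULL to a non-empty string, so any caller that previously treated a NULL result as "no options" (add_automount and add_xbootldr are outside this hunk) should be checked to confirm it composes the option string correctly in both branches.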