Zbigniew Jędrzejewski-Szmek d743bb
From 2d148f574c5c1e8bf7bf7da964e0f063395d42c8 Mon Sep 17 00:00:00 2001
From: tomty89 <tom.ty89@gmail.com>
Date: Tue, 23 May 2017 15:41:36 +0800
Subject: [PATCH] nspawn: add nosuid and nodev to /tmp mount (#6004)
When the automatic /tmp mount was introduced to nspawn in v219, it was done without the nosuid and nodev mount options, which was also the case for systemd's default tmp.mount unit back then.
nosuid and nodev were added to tmp.mount(.m4) in v231 for security reasons. This matches the nspawn /tmp mount entry against that.
Ref.:
https://github.com/systemd/systemd/commit/2f9df7c96a25adb42093ee3ee201577f3e01da42
https://github.com/systemd/systemd/commit/bbb99c30d01a8bcdc27fb151cc6376a7877a6b07
(cherry picked from commit e8a94ce83ebc5e5fa0dd312d8340d589506528f9)
---
 src/nspawn/nspawn-mount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index d276994120..ac7290732e 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -552,7 +552,7 @@ int mount_all(const char *dest,
                 { NULL,                  "/proc/sysrq-trigger", NULL,    NULL,        MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,             MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO },                          /* ... then, make it r/o */
 
                 /* outer child mounts */
-                { "tmpfs",               "/tmp",                "tmpfs", "mode=1777", MS_STRICTATIME,                                            MOUNT_FATAL },
+                { "tmpfs",               "/tmp",                "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,                                            MOUNT_FATAL },
                 { "tmpfs",               "/sys",                "tmpfs", "mode=755",  MS_NOSUID|MS_NOEXEC|MS_NODEV,                              MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
                 { "sysfs",               "/sys",                "sysfs", NULL,        MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,                    MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO },    /* skipped if above was mounted */
                 { "sysfs",               "/sys",                "sysfs", NULL,                  MS_NOSUID|MS_NOEXEC|MS_NODEV,                    MOUNT_FATAL },                          /* skipped if above was mounted */
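Review bot: the `+` line for the `/tmp` row breaks the column alignment of the mount table: `MS_NOSUID|MS_NODEV|MS_STRICTATIME,` keeps the original padding that followed `MS_STRICTATIME,`, so `MOUNT_FATAL` now sits well to the right of the `MOUNT_FATAL` column used by the `/sys` rows directly below. Trim the whitespace after the flags so the row lines up with its neighbours, e.g. `{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, MOUNT_FATAL },` padded to the existing columns. It would also help to say in the commit message why `MS_NOEXEC` is left off here while the neighbouring `/sys` tmpfs row carries it: the message names tmp.mount as the reference, and without that sentence a reader of this table will take the omission for an oversight rather than a deliberate match.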