units: set nodev,nosuid,noexec flags for various secondary API VFS

A couple of API VFS we mount via .mount units. Let's set the three flags
for those too, just in case.

This is just paranoia, nothing else, but shouldn't hurt.

5 files changed, 5 insertions, 0 deletions

diff --git a/units/dev-mqueue.mount b/units/dev-mqueue.mount
index be32433d6c..0114ad31f0 100644
--- a/units/dev-mqueue.mount
+++ b/units/dev-mqueue.mount
@@ -20,3 +20,4 @@ ConditionCapability=CAP_SYS_ADMIN
 What=mqueue
 Where=/dev/mqueue
 Type=mqueue
+Options=nosuid,nodev,noexec
diff --git a/units/proc-sys-fs-binfmt_misc.mount b/units/proc-sys-fs-binfmt_misc.mount
index 091191e139..66229ec78e 100644
--- a/units/proc-sys-fs-binfmt_misc.mount
+++ b/units/proc-sys-fs-binfmt_misc.mount
@@ -17,3 +17,4 @@ DefaultDependencies=no
 What=binfmt_misc
 Where=/proc/sys/fs/binfmt_misc
 Type=binfmt_misc
+Options=nosuid,nodev,noexec
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount
index 7e7b05c3a2..7bbc342be8 100644
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@@ -22,3 +22,4 @@ Before=sysinit.target
 What=fusectl
 Where=/sys/fs/fuse/connections
 Type=fusectl
+Options=nosuid,nodev,noexec
diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index e213ca58b3..e6997884dc 100644
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -21,3 +21,4 @@ Before=sysinit.target
 What=configfs
 Where=/sys/kernel/config
 Type=configfs
+Options=nosuid,nodev,noexec
diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 53ce820b87..618270ddae 100644
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -20,3 +20,4 @@ Before=sysinit.target
 What=debugfs
 Where=/sys/kernel/debug
 Type=debugfs
+Options=nosuid,nodev,noexec