diff options
author | Mike Yuan <me@yhndnzj.com> | 2023-01-16 07:57:24 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-01-16 11:15:07 +0100 |
commit | d708293d436516823e0e4bfb02c54365820fd8c6 (patch) | |
tree | 9b80921e1190905362c12832e9d193edff6e5c34 /src | |
parent | man: udev_enumerate_new: fix typo (diff) | |
download | systemd-d708293d436516823e0e4bfb02c54365820fd8c6.tar.xz systemd-d708293d436516823e0e4bfb02c54365820fd8c6.zip |
gpt-auto: harden ESP/XBOOTLDR mounts with "noexec,nosuid,nodev"
When these partitions are probed by gpt-auto,
they will always be hardened with such options.
See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711
Closes #25776
Diffstat (limited to 'src')
-rw-r--r-- | src/gpt-auto-generator/gpt-auto-generator.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index 458fd054ef..98c0ca0810 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -424,14 +424,14 @@ static int add_automount( static const char *esp_or_xbootldr_options(const DissectedPartition *p) { assert(p); - /* if we probed vfat or have no idea about the file system then assume these file systems are vfat - * and thus understand "umask=0077". If we detected something else then don't specify any options and - * use kernel defaults. */ + /* Discoveried ESP and XBOOTLDR partition are always hardened with "noexec,nosuid,nodev". + * If we probed vfat or have no idea about the file system then assume these file systems are vfat + * and thus understand "umask=0077". */ if (!p->fstype || streq(p->fstype, "vfat")) - return "umask=0077"; + return "umask=0077,noexec,nosuid,nodev"; - return NULL; + return "noexec,nosuid,nodev"; } static int add_partition_xbootldr(DissectedPartition *p) { |