[SRU][F][J][aws][cherry-pick] dev file system is mounted without nosuid on aws
Dave Chiluk
chiluk at ubuntu.com
Thu Oct 6 23:03:23 UTC 2022
Please cherry-pick 28f0c335d from Linus's tree. It was applied to
5.17. Please take care to set DEVTMPFS_SAFE=y in the config file.
This is a security regression from when aws instances started booting
initramfs-less. Any other kernel that is booting initramfs-less will
likely hit this as well.
For machines that have an initramfs this is not an issue as the
initramfs:main/init mounts devtmpfs with the correct options.
I mostly only care about focal and jammy -aws kernels (which I suspect
are both 5.15). It applies cleanly to 5.15, and should be a
straightforward backport to any others that you deem appropriate.
I welcome discussion as to the necessity of this as /dev is still
owned by root:root. Regardless, it's definitely not best security
practice, and I'm sure someone smarter than me can figure out a way to
exploit it.
WARNING: I also haven't tested this yet as I do not know how to build
a -aws flavored kernel and would really appreciate instructions on how
to do so (building any other flavor likely won't be able to reproduce
since it'll require the initramfs for boot). I also wanted to get
this out to you as a lot of you are in Europe and can respond while
I'm sleeping.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1991975
Thanks,
Dave Chiluk.
p.s. Hey folks it's been far too long, let's get a beer next time you
are in my neck of the woods!