[SRU][F][J][aws][cherry-pick] dev file system is mounted without nosuid on aws
Tim Gardner
tim.gardner at canonical.com
Fri Oct 7 13:17:50 UTC 2022
On 10/6/22 17:03, Dave Chiluk wrote:
> Please cherry-pick 28f0c335d from Linus's tree. It was applied to
> 5.17. Please take care to set DEVTMPFS_SAFE=y in the config file.
>
> This is a security regression from when aws instances started booting
> initramfs-less. Any other kernel that is booting initramfs-less will
> likely hit this as well.
>
> For machines that have an initramfs this is not an issue as the
> initramfs:main/init mounts devtmpfs with the correct options.
>
> I mostly only care about focal and jammy -aws kernels (which I suspect
> are both 5.15). It applies cleanly to 5.15, and should be a
> straightforward backport to any others that you deem appropriate.
>
> I welcome discussion as to the necessity of this as /dev is still
> owned by root:root. Regardless, it's definitely not best security
> practice, and I'm sure someone smarter than me can figure out a way to
> exploit it.
>
> WARNING: I also haven't tested this yet as I do not know how to build
> a -aws flavored kernel and would really appreciate instructions on how
> to do so (building any other flavor likely won't be able to reproduce
> since it'll require the initramfs for boot). I also wanted to get
> this out to you as a lot of you are in Europe and can respond while
> I'm sleeping.
>
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1991975
>
> Thanks,
> Dave Chiluk.
> p.s. Hey folks it's been far too long, let's get a beer next time you
> are in my neck of the woods!
>
Hi Dave - that doesn't seem to be a valid LP bug number.
I just watched a Youtube short on Texas BBQ a couple days ago and I
thought of you.
rtg
--
-----------
Tim Gardner
Canonical, Inc
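A check for the condition Dave describes, added here as an example and not code from the thread, from the Ubuntu kernel, or from initramfs-tools: it parses lines in /proc/self/mountinfo format (field 5 is the mount point, field 6 the per-mount options such as "rw,nosuid,relatime", and the filesystem type is the field after the "-" separator) and reports whether the devtmpfs on /dev carries nosuid. The two sample mountinfo files are constructed to stand in for an initramfs-less boot and an initramfs boot; they are not captured from an AWS instance, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): does the devtmpfs on /dev
# carry nosuid? Input is in /proc/self/mountinfo format, where
#   $5 = mount point, $6 = per-mount options, and the fs type follows "-".

# mount_has_option FILE MOUNTPOINT OPTION
# Exit 0 when a mount of MOUNTPOINT listed in FILE carries OPTION.
mount_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $5 == mp {
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# mount_fstype FILE MOUNTPOINT
# Print the filesystem type of MOUNTPOINT (the field after the "-" separator).
mount_fstype() {
    awk -v mp="$2" '
        $5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i+1); exit } }
    ' "$1"
}

# check_dev FILE
# Print "ok" (exit 0) when /dev is a devtmpfs mounted nosuid,
# "nosuid-missing" (exit 1) when it is devtmpfs without nosuid,
# "not-devtmpfs" (exit 2) when /dev is some other filesystem or absent.
check_dev() {
    if [ "$(mount_fstype "$1" /dev)" != devtmpfs ]; then
        echo "not-devtmpfs"; return 2
    fi
    if mount_has_option "$1" /dev nosuid; then
        echo "ok"; return 0
    fi
    echo "nosuid-missing"; return 1
}

# Constructed sample mountinfo files (hypothetical, not captured from a real host).
UNSAFE=$(mktemp); SAFE=$(mktemp)
trap 'rm -f "$UNSAFE" "$SAFE"' EXIT
# Kernel-mounted devtmpfs on an initramfs-less boot: no nosuid on /dev.
cat > "$UNSAFE" <<'EOF'
21 1 0:20 / / rw,relatime shared:1 - ext4 /dev/root rw,discard
22 21 0:6 / /dev rw,relatime shared:2 - devtmpfs devtmpfs rw,size=4004572k,nr_inodes=1001143,mode=755
23 22 0:21 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620
EOF
# devtmpfs remounted by an initramfs init with nosuid.
cat > "$SAFE" <<'EOF'
21 1 0:20 / / rw,relatime shared:1 - ext4 /dev/root rw,discard
22 21 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=4004572k,nr_inodes=1001143,mode=755
EOF

# Report on the constructed samples, then on this host when mountinfo is readable.
echo "constructed initramfs-less boot: $(check_dev "$UNSAFE")"
echo "constructed initramfs boot:      $(check_dev "$SAFE")"
[ -r /proc/self/mountinfo ] && echo "this host: $(check_dev /proc/self/mountinfo)"
```

On a live system, run it once and treat "nosuid-missing" as the signal that /dev was left with the kernel's default mount options; a kernel built with the cherry-pick and DEVTMPFS_SAFE=y, or a boot whose initramfs init remounts /dev itself, should report "ok".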