[SRU][F][J][aws][cherry-pick] dev file system is mounted without nosuid on aws
Tim Gardner
tim.gardner at canonical.com
Fri Oct 7 13:25:49 UTC 2022
On 10/7/22 07:17, Tim Gardner wrote:
> On 10/6/22 17:03, Dave Chiluk wrote:
>> Please cherry-pick 28f0c335d from Linus's tree. It was applied to
>> 5.17. Please take care to set DEVTMPFS_SAFE=y in the config file.
>>
>> This is a security regression from when aws instances started booting
>> initramfs-less. Any other kernel that is booting initramfs-less will
>> likely hit this as well.
>>
>> For machines that have an initramfs this is not an issue as the
>> initramfs:main/init mounts devtmpfs with the correct options.
>>
>> I mostly only care about focal and jammy -aws kernels (which I suspect
>> are both 5.15). It applies cleanly to 5.15, and should be a
>> straightforward backport to any others that you deem appropriate.
>>
>> I welcome discussion as to the necessity of this as /dev is still
>> owned by root:root. Regardless, it's definitely not best security
>> practice, and I'm sure someone smarter than me can figure out a way to
>> exploit it.
>>
>> WARNING: I also haven't tested this yet as I do not know how to build
>> a -aws flavored kernel and would really appreciate instructions on how
>> to do so (building any other flavor likely won't be able to reproduce
>> since it'll require the initramfs for boot). I also wanted to get
>> this out to you as a lot of you are in Europe and can respond while
>> I'm sleeping.
>>
>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1991975
>>
>> Thanks,
>> Dave Chiluk.
>> p.s. Hey folks it's been far too long, let's get a beer next time you
>> are in my neck of the woods!
>>
>
> Hi Dave - that doesn't seem to be a valid LP bug number.
>
Or maybe it's marked private? At any rate, I can't see it.
rtg
--
-----------
Tim Gardner
Canonical, Inc
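An added example, not from the thread, the kernel or initramfs-tools: a POSIX sh checker that parses /proc/self/mountinfo, finds the devtmpfs entry mounted at /dev and reports whether nosuid (and noexec) are among its per-mount flags, plus a check for CONFIG_DEVTMPFS_SAFE=y in a kernel config text. The mountinfo snapshots and config text below are constructed, not captured from an AWS instance; the remount it suggests is a userspace mitigation that assumes nothing later in boot remounts /dev without those flags.

```shell
#!/bin/sh
# Added example (not from the thread, initramfs-tools or the kernel): check whether
# the devtmpfs mounted on /dev carries the nosuid (and noexec) mount flags, which
# the thread reports are absent on initramfs-less -aws boots.
#
# /proc/self/mountinfo line layout (see proc(5)):
#   id parent major:minor root mountpoint per-mount-opts [optional...] - fstype source sb-opts
# nosuid/noexec are per-mount flags, so they appear in field 6, not in the
# superblock options after the "-" separator.

# dev_has_opt MOUNTINFO_TEXT OPTION
# Exit 0 if the devtmpfs entry mounted at exactly /dev lists OPTION in its
# per-mount options, 1 otherwise. Only the /dev devtmpfs entry is inspected;
# /dev/shm, /dev/pts and other sub-mounts are ignored.
dev_has_opt() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $5 != "/dev" { next }
        {
            fstype = ""
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); break }
            if (fstype != "devtmpfs") next
            n = split($6, opts, ",")
            for (j = 1; j <= n; j++)
                if (opts[j] == want) found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# config_has_devtmpfs_safe CONFIG_TEXT
# Exit 0 if a kernel .config text sets CONFIG_DEVTMPFS_SAFE=y, the option the
# thread asks to enable so the kernel itself mounts devtmpfs with nosuid,noexec.
config_has_devtmpfs_safe() {
    printf '%s\n' "$1" | grep -q '^CONFIG_DEVTMPFS_SAFE=y$'
}

# check_live_dev
# Run both checks against the running system. Exit 0 when /dev has nosuid,
# 1 when it is missing (printing the remount that restores it), 2 if
# /proc/self/mountinfo is unreadable.
check_live_dev() {
    mi=$(cat /proc/self/mountinfo) || return 2
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null)   # may be absent; treated as unknown
    if config_has_devtmpfs_safe "$cfg"; then
        echo "kernel config: CONFIG_DEVTMPFS_SAFE=y"
    else
        echo "kernel config: CONFIG_DEVTMPFS_SAFE not set (or config file not found)"
    fi
    if dev_has_opt "$mi" nosuid; then
        echo "/dev: nosuid present"
        dev_has_opt "$mi" noexec || echo "/dev: noexec absent (weaker, but not the regression)"
        return 0
    fi
    # Userspace mitigation when the kernel lacks DEVTMPFS_SAFE: remount in place.
    # Assumption: nothing later in boot remounts /dev without these flags.
    echo "/dev: nosuid MISSING; fix with: mount -o remount,nosuid,noexec /dev"
    return 1
}

# Constructed sample mountinfo snapshots (not captured from a real instance).
# MOUNTINFO_SAFE: /dev mounted by an init that passes nosuid,noexec.
MOUNTINFO_SAFE='22 30 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:1 - proc proc rw
24 30 0:6 / /dev rw,nosuid,noexec,relatime shared:2 - devtmpfs udev rw,size=1024k,nr_inodes=1024,mode=755
25 24 0:24 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw'
# MOUNTINFO_REGRESSED: initramfs-less boot, kernel-mounted devtmpfs with only rw,relatime.
# Note /dev/shm still has nosuid here; the checker must not let it mask the /dev verdict.
MOUNTINFO_REGRESSED='22 30 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:1 - proc proc rw
24 30 0:6 / /dev rw,relatime shared:2 - devtmpfs devtmpfs rw,size=1024k,nr_inodes=1024,mode=755
25 24 0:24 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw'
```

To use it on a live machine, source the file and call `check_live_dev`; a non-zero exit from an instance that booted without an initramfs is the condition the thread describes.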