[SRU][F][J][aws][cherry-pick] dev file system is mounted without nosuid on aws
Dave Chiluk
chiluk at ubuntu.com
Mon Oct 10 20:33:03 UTC 2022
Alright, I booted a stock bionic system. It comes pre-installed with
the -aws kernel 5.4.0-1085-aws. However it doesn't seem to use
initramfs-less booting, so the discussed code path does not get
exercised.
The mount for dev on the existing aws bionic image looks like this:
ubuntu@cmhprod3-stockubuntu:~$ mount | grep /dev
udev on /dev type devtmpfs (rw,nosuid,relatime,size=1997240k,nr_inodes=499310,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
/dev/xvda1 on / type ext4 (rw,relatime,discard)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,relatime)
/dev/xvda15 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
So at this point it looks like only the 5.15 -aws kernel on both Jammy
and Focal needs this fix.
Good corner cases
- If someone is running bionic they aren't booting initramfs-less so
not an issue.
- If someone is running a focal canonical aws image they are by
default running the 5.15-aws kernel.
- If they are running jammy they are running at least the 5.15 kernel.
Bad corner case
- If someone is running focal on aws, then removes the -aws kernel and
instead installs the 5.4 kernel they will see this problem. I did
just test your 5.4 kernel on focal, and it correctly applied the
options.
So yeah, we probably should fix it for at least 5.4 and 5.15 on both
focal and jammy. Applying it for bionic shouldn't hurt, as the code
path shouldn't be exercised.
Dave.
On Mon, Oct 10, 2022 at 2:46 PM Dave Chiluk <chiluk at ubuntu.com> wrote:
>
> Yeah that looks correct to me. As far as I understand it, if you are
> on aws with focal you are running the 5.15 -aws kernel along with
> initramfs-less booting.
>
> Does bionic have the initramfs-less booting feature enabled? If not
> it might not be worth adding to 5.4. I'll boot up a bionic ec2
> instance and check.
>
> On Mon, Oct 10, 2022 at 2:19 PM Tim Gardner <tim.gardner at canonical.com> wrote:
> >
> > On 10/10/22 12:04 PM, Dave Chiluk wrote:
> > > I tested the 5.15 kernel change and it looks good. I don't have an
> > > easy way to test the 5.4 kernel.
> > >
> >
> > Cherry picking to the 5.4 kernel did require some backporting changes.
> > Attached is an AWS boot log from the 5.4 test kernel. Do the devtmpfs
> > messages look correct?
> >
> > rtg
> > --
> > -----------
> > Tim Gardner
> > Canonical, Inc
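The check Dave does by eye above (mount | grep /dev, then look for nosuid on /dev and nosuid,noexec on /dev/pts) can be scripted so an image or fleet audit catches a kernel-mounted devtmpfs that came up without the hardening options. The following is an added example, not code from the thread or from the kernel patch; the parser reads mount(8)-style lines, the EXPECTED baseline is a hypothetical policy taken from the healthy bionic output quoted above, and both sample tables are constructed.

```python
import re

# mount(8) prints one line per mount: "<source> on <target> type <fstype> (<opt>,<opt>,...)"
MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")

# Hypothetical baseline for this example, taken from the healthy bionic output in the thread.
EXPECTED = {
    "/dev": {"nosuid"},
    "/dev/pts": {"nosuid", "noexec"},
}

def parse_mount_table(text):
    """Map mount target -> {source, fstype, options} from mount(8)-style text."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue  # skip shell prompts, blank lines and anything that is not a mount line
        source, target, fstype, opts = m.groups()
        mounts[target] = {"source": source, "fstype": fstype, "options": set(opts.split(","))}
    return mounts

def find_missing_options(text):
    """Return {target: [missing options]} for every baseline mount that is present."""
    mounts = parse_mount_table(text)
    findings = {}
    for target, required in EXPECTED.items():
        if target not in mounts:
            continue  # not mounted at all; nothing to judge
        missing = sorted(required - mounts[target]["options"])
        if missing:
            findings[target] = missing
    return findings

# Constructed sample modeled on the bionic output in the thread (healthy).
GOOD_TABLE = """\
udev on /dev type devtmpfs (rw,nosuid,relatime,size=1997240k,nr_inodes=499310,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
"""

# Constructed sample of a kernel-mounted devtmpfs that lacks the hardening options.
BAD_TABLE = """\
devtmpfs on /dev type devtmpfs (rw,relatime,size=1997240k,nr_inodes=499310,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
"""

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, find_missing_options(table) or "all baseline options present")
```

On a live instance, feed the output of `mount` into find_missing_options instead of the constructed tables; an empty result means the /dev mounts carry the options the fix is meant to apply.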