[SRU][F][J][aws][cherry-pick] dev file system is mounted without nosuid on aws

Tim Gardner tim.gardner at canonical.com
Tue Oct 11 12:29:01 UTC 2022


Hi Dave,

Thanks for the analysis. The Bionic 5.4 kernel inherits directly from 
Focal, so whatever changes are made to Focal 5.4, Bionic gets for free. 
Similarly for Focal 5.15 which inherits directly from Jammy 5.15.

I'll prepare a patch set for Jammy 5.15 and Focal 5.4.

rtg

On 10/10/22 2:33 PM, Dave Chiluk wrote:
> Alright, I booted a stock bionic system.  It comes pre-installed with
> the -aws kernel 5.4.0-1085-aws.  However, it doesn't seem to use
> initramfs-less booting, so the discussed code path does not get
> exercised.
> 
> The mount for dev on the existing aws bionic image looks like this.
> ubuntu at cmhprod3-stockubuntu:~$ mount | grep /dev
> udev on /dev type devtmpfs (rw,nosuid,relatime,size=1997240k,nr_inodes=499310,mode=755)
> devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
> /dev/xvda1 on / type ext4 (rw,relatime,discard)
> tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
> cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
> hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
> mqueue on /dev/mqueue type mqueue (rw,relatime)
> /dev/xvda15 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
> 
> So at this point it looks like only the 5.15 -aws kernel on both Jammy
> and Focal need this fix.
> 
> Good corner cases
> - If someone is running bionic, they aren't booting initramfs-less, so
> not an issue.
> - If someone is running a focal canonical aws image, they are by
> default running the 5.15-aws kernel.
> - If they are running jammy, they are running at least the 5.15 kernel.
> 
> Bad Corner Case
> - If someone is running focal on aws, then removes the -aws kernel and
> instead installs the 5.4 kernel they will see this problem.  I did
> just test your 5.4 kernel on focal, and it correctly applied the
> options.
> 
> So yeah, we probably should fix it for at least 5.4 and 5.15 on both
> focal and jammy.  Applying it for bionic shouldn't hurt, as the code
> path shouldn't be exercised.
> 
> Dave.
> 
> On Mon, Oct 10, 2022 at 2:46 PM Dave Chiluk <chiluk at ubuntu.com> wrote:
>>
>> Yeah that looks correct to me.  As far as I understand it, if you are
>> on aws with focal you are running the 5.15 -aws kernel along with
>> initramfs-less booting.
>>
>> Does bionic have the initramfs-less booting feature enabled?  If not
>> it might not be worth adding to 5.4.  I'll boot up a bionic ec2
>> instance and check.
>>
>> On Mon, Oct 10, 2022 at 2:19 PM Tim Gardner <tim.gardner at canonical.com> wrote:
>>>
>>> On 10/10/22 12:04 PM, Dave Chiluk wrote:
>>>> I tested the 5.15 kernel change and it looks good.  I don't have an
>>>> easy way to test the 5.4 kernel.
>>>>
>>>
>>> Cherry-picking to the 5.4 kernel did require some backporting changes.
>>> Attached is an AWS boot log from the 5.4 test kernel. Do the devtmpfs
>>> messages look correct?
>>>
>>> rtg
>>> --
>>> -----------
>>> Tim Gardner
>>> Canonical, Inc

-- 
-----------
Tim Gardner
Canonical, Inc
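As an added example (not part of this thread or of the kernel patch), a portable shell check for the condition Dave verified by hand above: it parses either `mount` output or /proc/mounts and reports whether the devtmpfs mount on /dev carries nosuid. GOOD_MOUNT is the bionic 5.4 -aws line quoted in the thread; BAD_MOUNT is a constructed sample of a devtmpfs mounted with only rw,relatime, as the unfixed initramfs-less path would leave it.

```shell
#!/bin/sh
# check_dev_nosuid: read mount listings on stdin and report whether devtmpfs on
# /dev has nosuid. Accepts `mount`-style lines ("SRC on MNT type FS (OPTS)") and
# /proc/mounts lines ("SRC MNT FS OPTS 0 0").
# Exit status: 0 = nosuid present, 1 = /dev devtmpfs found without nosuid,
# 2 = no devtmpfs mount on /dev in the input.
check_dev_nosuid() {
    awk '
        {
            if ($2 == "on") { mnt = $3; fs = $5; opts = $6 }   # mount(8) format
            else            { mnt = $2; fs = $3; opts = $4 }   # /proc/mounts format
            gsub(/[()]/, "", opts)                             # strip the parens
            if (mnt == "/dev" && fs == "devtmpfs") {
                seen = 1
                n = split(opts, a, ",")
                for (i = 1; i <= n; i++) if (a[i] == "nosuid") ok = 1
            }
        }
        END { if (!seen) exit 2; exit (ok ? 0 : 1) }
    '
}

# Sample input (constructed for this example): the bionic line from the thread,
# and a hypothetical /proc/mounts entry where the kernel mounted /dev without nosuid.
GOOD_MOUNT='udev on /dev type devtmpfs (rw,nosuid,relatime,size=1997240k,nr_inodes=499310,mode=755)'
BAD_MOUNT='devtmpfs /dev devtmpfs rw,relatime,size=1997240k,nr_inodes=499310,mode=755 0 0'

# describe: run the check on one listing and print a human-readable verdict.
describe() {
    rc=0
    printf '%s\n' "$1" | check_dev_nosuid || rc=$?
    case $rc in
        0) echo "/dev: devtmpfs mounted with nosuid" ;;
        1) echo "/dev: devtmpfs mounted WITHOUT nosuid, remount or fix the boot path" ;;
        *) echo "/dev: no devtmpfs mount found in input" ;;
    esac
    return $rc
}

describe "$GOOD_MOUNT"
describe "$BAD_MOUNT" || true
# On a live host: mount | check_dev_nosuid      or      check_dev_nosuid < /proc/mounts
```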
