[PATCH 0/3][Focal/Jammy linux] dev file system is mounted without nosuid or noexec

Tim Gardner tim.gardner at canonical.com
Tue Oct 11 14:19:34 UTC 2022


BugLink: https://bugs.launchpad.net/bugs/1991975

Also see discussion at https://lists.ubuntu.com/archives/kernel-team/2022-October/133764.html

[ SRU TEMPLATE ]
[ Impact ]

 * nosuid and noexec bits are not set on /dev
 * This has the potential for nefarious actors to use this as an avenue for attack. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for more discussion around this.
 * It is not best security practice.

[ Test Plan ]

   1. Boot a Canonical-supplied EC2 instance.
   2. Check the mount options for /dev.
   3. You will notice the lack of nosuid and noexec on /dev.

[ Where problems could occur ]

 * As of 2022/10/06, I need to test this, but don't know how to build -aws flavored ubuntu kernels. Instructions welcome. I'm holding off on adding SRU tags until I can actually get this tested.

 * If this is applied to non initramfs-less kernels it could potentially cause a regression for very old hardware that does nefarious things with memory. For a larger discussion about that see:
https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/

 * Low risk: if a driver depends on /dev allowing suid or exec, this might prevent boot. That being said, all kernels that have been booting with an initramfs have been getting nosuid and noexec set, so hopefully we can consider that risk fairly well tested.

[ Other Info ]

 * Patch is accepted into 5.17, and will drop out quickly
 * Any server booting with an initramfs already has nosuid, and noexec set, so hopefully
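The test plan above reads the mount options for /dev off by eye. The following script, added here as an illustration and not part of the patch series or the bug report, automates that check: it parses /proc/self/mounts-format lines (source, mountpoint, fstype, options) and reports which of nosuid and noexec are absent on /dev. The sample mount-table lines in the accompanying checks are constructed, and the `--check` flag and function names are this example's own choices. nodev is deliberately not on the expected list, since device nodes must work on /dev.

```shell
#!/bin/sh
# Added example: check whether /dev is mounted with nosuid and noexec.
# Works on /proc/self/mounts-format lines, so it can be run against a live
# system or against constructed input.

# dev_mount_opts MOUNTPOINT
#   Reads mount-table lines on stdin and prints the options field (4th
#   column) of the last entry for MOUNTPOINT (the last entry is the
#   topmost mount if the path has been overmounted). Prints nothing if absent.
dev_mount_opts() {
  awk -v mp="$1" '$2 == mp { print $4 }' | tail -n 1
}

# missing_hardening_opts OPTS
#   Given a comma-separated mount option string, prints the space-separated
#   list of expected hardening options (nosuid, noexec) that are missing.
#   Returns 0 if none are missing, 1 otherwise.
missing_hardening_opts() {
  opts="$1"
  missing=""
  for want in nosuid noexec; do
    case ",$opts," in
      *",$want,"*) ;;                                # option present
      *) missing="${missing:+$missing }$want" ;;     # option absent
    esac
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# check_dev_hardening
#   Live check against this machine's mount table. Returns 0 if /dev is
#   mounted with both nosuid and noexec, 1 otherwise; reports on stdout.
check_dev_hardening() {
  opts=$(dev_mount_opts /dev < /proc/self/mounts)
  if [ -z "$opts" ]; then
    echo "/dev: no separate mount found"
    return 1
  fi
  if missing=$(missing_hardening_opts "$opts"); then
    echo "/dev: ok ($opts)"
    return 0
  fi
  echo "/dev: missing $missing (current options: $opts)"
  return 1
}

# Only run the live check when invoked with --check, so the file can be
# sourced for its functions without side effects.
if [ "${1:-}" = "--check" ]; then
  check_dev_hardening
fi
```

Run it as `sh check-dev.sh --check` on the instance from the test plan; on an affected kernel it reports the missing options, and on a kernel booted with an initramfs (or with the patch applied) it reports ok. Until the kernel fix lands, the same result can be obtained from userspace with `mount -o remount,nosuid,noexec /dev`, which is what the check verifies after the fact.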
