[PATCH 0/4][v2 Focal/Jammy linux] dev file system is mounted without nosuid or noexec

Tim Gardner tim.gardner at canonical.com
Tue Oct 11 16:29:08 UTC 2022


BugLink: https://bugs.launchpad.net/bugs/1991975
Good test results in https://lists.ubuntu.com/archives/kernel-team/2022-October/133764.html

[ SRU TEMPLATE ]
[ Impact ]

 * nosuid, and noexec bits are not set on /dev
 * This has the potential for nefarious actors to use this as an avenue for attack.
 * see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for more discussion around this.
 * It is not best security practice.

[ Test Plan ]

   1. Boot a Canonical Supplied EC2 instance
   2. Check the mount options for /dev.
   3. You will notice the lack of nosuid and noexec on /dev.
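Step 2 of the test plan can be scripted so the check is repeatable across instances. The following is an added example (not part of this patch series or the Ubuntu kernel tree): it parses /proc/self/mounts-format lines, picks the /dev entry and reports which of nosuid and noexec are missing. The two sample mount tables are constructed, and the DEV_MOUNT_CHECK_LIVE variable is a hypothetical switch for running it against the real /proc/self/mounts.

```shell
#!/bin/sh
# Added example: verify that /dev is mounted with nosuid and noexec.
# Reads mount lines in /proc/self/mounts format:
#   <source> <target> <fstype> <options> <dump> <pass>

# Print the option string of the mount whose target is $1, reading mount
# lines from stdin. The last matching line wins, because a later mount
# on the same target shadows the earlier ones.
mount_opts_for() {
    awk -v target="$1" '$2 == target { opts = $4 } END { print opts }'
}

# Return 0 when $1 (a comma-separated option string) contains every option
# named by the remaining arguments; print each missing option on stdout.
opts_have_all() {
    opts="$1"; shift
    missing=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "missing: $want"; missing=1 ;;
        esac
    done
    return $missing
}

# Check the /dev entry of the mount table given on stdin.
# Exit status: 0 = both bits set, 1 = at least one missing, 2 = no /dev mount.
dev_mount_check() {
    opts=$(mount_opts_for /dev)
    if [ -z "$opts" ]; then
        echo "no /dev mount found"
        return 2
    fi
    opts_have_all "$opts" nosuid noexec
}

# Constructed samples: the first shows the state the bug describes (no noexec
# on the devtmpfs), the second shows the expected result after the fix.
SAMPLE_BAD='udev /dev devtmpfs rw,nosuid,relatime,size=4006312k,nr_inodes=1001578,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=806584k,mode=755 0 0'
SAMPLE_GOOD='udev /dev devtmpfs rw,nosuid,noexec,relatime,size=4006312k,mode=755 0 0'

# Hypothetical switch: set DEV_MOUNT_CHECK_LIVE=1 to check the running system.
if [ -n "$DEV_MOUNT_CHECK_LIVE" ]; then
    dev_mount_check < /proc/self/mounts
fi
```

On a live system the same check is `dev_mount_check < /proc/self/mounts`; a non-zero exit status means the mount lacks one of the bits.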

[ Where problems could occur ]

 * As of 2022/10/06, I need to test this, but don't know how to build -aws flavored ubuntu kernels.
 * Instructions welcome. I'm holding off on adding SRU tags until I can actually get this tested.

 * If this is applied to non initramfs-less kernels it could potentially cause a regression for
   very old hardware that does nefarious things with memory. For a larger discussion about that see:
   https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/

 * Low risk if a driver depends on /dev allowing suid or exec this might prevent boot. That being said,
   all kernels that have been booting with an initramfs have been getting nosuid, and noexec set so
   hopefully we can consider that risk fairly well tested.

[ Other Info ]

 * Patch is accepted into 5.17, and will drop out quickly
 * Any server booting with an initramfs already has nosuid, and noexec set, so hopefully
