ACK/cmnt: [PATCH 0/4][v2 Focal/Jammy linux] dev file system is mounted without nosuid or noexec
Cory Todd
cory.todd at canonical.com
Tue Oct 11 18:12:46 UTC 2022
On Tue, Oct 11, 2022 at 10:29:08AM -0600, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1991975
> Good test results in https://lists.ubuntu.com/archives/kernel-team/2022-October/133764.html
>
> [ SRU TEMPLATE ]
> [ Impact ]
>
> * nosuid, and noexec bits are not set on /dev
> * This has the potential for nefarious actors to use this as an avenue for attack.
> * see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for more discussion around this.
> * It is not best security practice.
>
> [ Test Plan ]
>
> 1.Boot a Canonical Supplied EC2 instance
> 2.Check the mount options for /dev.
> 3.You will notice the lack of nosuid and noexec on /dev.
>
> [ Where problems could occur ]
>
> * As of 2022/10/06, I need to test this, but don't know how to build -aws flavored ubuntu kernels.
> * Instructions welcome. I'm holding off on adding SRU tags until I can actually get this tested.
>
> * If this is applied to non initramfs-less kernels it could potentially cause a regression for
> * very old hardware that does nefarious things with memory. For a larger discussion about that see:
> * https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/
>
> * Low risk if a driver depends on /dev allowing suid or exec this might prevent boot. That being said,
> * all kernels that have been booting with an initramfs have been getting nosuid, and noexec set so
> * hopefully we can consider that risk fairly well tested.
>
> [ Other Info ]
>
> * Patch is accepted into 5.17, and will drop out quickly
> * Any server booting with an initramfs already has nosuid, and noexec set, so hopefully
>
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Should revised patches also have their subjects updated with v2 to match
the cover letter in this case? Some revised patches on the ML do this,
others do not. I'm unsure what the expectation is.
Acked-by: Cory Todd <cory.todd at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20221011/325a16cf/attachment.sig>
More information about the kernel-team
mailing list