ACK/Cmnt: [PATCH 0/4][v2 Focal/Jammy linux] dev file system is mounted without nosuid or noexec

Tim Gardner tim.gardner at canonical.com
Wed Oct 12 12:43:33 UTC 2022


On 10/12/22 12:12 AM, Andrea Righi wrote:
> On Tue, Oct 11, 2022 at 10:29:08AM -0600, Tim Gardner wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1991975
>> Good test results in https://lists.ubuntu.com/archives/kernel-team/2022-October/133764.html
>>
>> [ SRU TEMPLATE ]
>> [ Impact ]
>>
>>   * nosuid, and noexec bits are not set on /dev
>>   * This has the potential for nefarious actors to use this as an avenue for attack.
>>   * see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for more discussion around this.
>>   * It is not best security practice.
>>
>> [ Test Plan ]
>>
>>     1. Boot a Canonical Supplied EC2 instance
>>     2. Check the mount options for /dev.
>>     3. You will notice the lack of nosuid and noexec on /dev.
>>
>> [ Where problems could occur ]
>>
>>   * As of 2022/10/06, I need to test this, but don't know how to build -aws flavored ubuntu kernels.
>>   * Instructions welcome. I'm holding off on adding SRU tags until I can actually get this tested.
>>
>>   * If this is applied to non initramfs-less kernels it could potentially cause a regression for
>>   * very old hardware that does nefarious things with memory. For a larger discussion about that see:
>>   * https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/
>>
>>   * Low risk if a driver depends on /dev allowing suid or exec this might prevent boot. That being said,
>>   * all kernels that have been booting with an initramfs have been getting nosuid, and noexec set so
>>   * hopefully we can consider that risk fairly well tested.
>>
>> [ Other Info ]
>>
>>   * Patch is accepted into 5.17, and will drop out quickly
>>   * Any server booting with an initramfs already has nosuid, and noexec set, so hopefully
> 
> Looks good to me.
> 
> However, I noticed that on kinetic /dev is still mounted with exec
> instead of noexec, even if we have DEVTMPFS_SAFE enabled. I'm wondering
> if systemd is doing something fishy to remount /dev with the exec bit
> set...
> 
> Have you checked if it's the same also on focal and jammy with this
> patch set applied?
> 
> Acked-by: Andrea Righi <andrea.righi at canonical.com>

Dave Chiluk checked jammy/aws and I sent him a log for focal/aws which 
he verified. Both cloud environments have the same systemd.

rtg
-- 
-----------
Tim Gardner
Canonical, Inc
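The test plan step quoted above ("check the mount options for /dev") as an added example, not code from the patch set or from anyone in the thread. It parses a mountinfo file (a path is taken as an argument so a saved copy from an instance can be checked offline, defaulting to the live /proc/self/mountinfo is left to the caller) and reports which of the wanted per-mount flags are absent on /dev; the sample mountinfo lines are constructed to mirror the bug report, with /dev carrying only nodev.

```shell
# Print the per-mount option field for mount point $2 from mountinfo file $1.
dev_mount_opts() {
    awk -v mp="$2" '
        # Field 5 is the mount point; field 6 holds the per-mount VFS flags
        # (rw, nosuid, nodev, noexec, relatime ...). Optional fields such as
        # shared:N come after field 6, so whitespace splitting is safe here.
        $5 == mp { opts = $6 }
        END { print opts }
    ' "$1"
}

# Return 0 if every flag in $3... is present on mount $2 of mountinfo $1,
# 1 if some are missing (listed on stdout), 2 if the mount point is absent.
check_mount_opts() {
    file="$1"; mp="$2"; shift 2
    opts=$(dev_mount_opts "$file" "$mp")
    [ -n "$opts" ] || { echo "$mp: not found in $file"; return 2; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing (have: $opts)"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Constructed mountinfo excerpt (not captured from a real instance) showing
# the problem case: devtmpfs on /dev with nodev but no nosuid/noexec.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
23 1 0:5 / /dev rw,nodev,relatime shared:2 - devtmpfs udev rw,size=4048812k,mode=755
24 23 0:22 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620
EOF
if check_mount_opts "$SAMPLE" /dev nosuid noexec; then
    echo "/dev is mounted with the expected hardening flags"
else
    echo "/dev lacks hardening flags; compare against a kernel with DEVTMPFS_SAFE"
fi
rm -f "$SAMPLE"
```

Run it against a live system with `check_mount_opts /proc/self/mountinfo /dev nosuid noexec`; a non-zero exit plus the "missing" line reproduces step 3 of the test plan.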