author: Ben Hutchings <benh@debian.org> 2020-12-09 18:04:33 +0100
committer: Ben Hutchings <benh@debian.org> 2020-12-09 18:04:33 +0100
commit: 33c10ef43b03dc6d9ee09a46c598f6ee34ad0b81 (patch)
tree: bae3423e766424450721eabc0e40a6f4e3a9698c
parent: cbbbb1b73e72124ba517325c51e0ea4bd7139104 (diff)
init: Mount /dev without the noexec option
This partially reverts commit eb98d2ea110b "init: /dev can be noexec and /run nodev".

The noexec option broke v86d (which we have a specific workaround for), and could also be a problem for SGX support in future.

Using noexec here doesn't provide a security benefit in a default Debian configuration, since there are other writable directories on filesystems not mounted with this option. Those are also writable by all users, not just uid 0.

The mount options can be overridden by an entry for /dev in /etc/fstab (at least when booting with systemd).

References: https://lore.kernel.org/linux-sgx/20201209000321.GA62845@kernel.org/T/
Signed-off-by: Ben Hutchings <benh@debian.org>
-rwxr-xr-x  init  3
1 files changed, 1 insertions, 2 deletions
diff --git a/init b/init
index 3ad5579..0eaee1c 100755
--- a/init
+++ b/init
@@ -33,8 +33,7 @@ export quiet
# Note that this only becomes /dev on the real filesystem if udev's scripts
# are used; which they will be, but it's worth pointing out
-test -x /usr/sbin/v86d && dev_exec="exec" || dev_exec="noexec"
-mount -t devtmpfs -o $dev_exec,nosuid,mode=0755 udev /dev
+mount -t devtmpfs -o nosuid,mode=0755 udev /dev
mkdir /dev/pts
mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true
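Review bot: the reason noexec is deliberately left off the devtmpfs mount is recorded only in the commit message, so a later cleanup could easily re-add it; the comment block above the mount line (which currently only explains the udev hand-off) should gain a line along the lines of `# noexec is intentionally omitted: it breaks v86d and may break SGX; override via /etc/fstab`. Also, since the hunk drops the `dev_exec` assignment, confirm that no other line in `init` still expands `$dev_exec` (with `set -u` absent, a leftover reference would silently expand to an empty option rather than fail). The `/dev/pts` mount keeping `noexec,nosuid` is consistent with the partial-revert intent.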