devtmpfs: mount with noexec and nosuid

devtmpfs is writable. Add the noexec and nosuid as default mount flags to prevent code execution from /dev. The systems who don't use systemd and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by this patch. Other systems are fine with the udev solution. No sane program should be relying on executing from /dev. So this patch reduces the attack surface. It doesn't prevent any specific attack, but it reduces the possibility that someone can use /dev as a place to put executable code. Chrome OS has been carrying this patch for several years. It seems trivial and simple solution to improve the protection of /dev when CONFIG_DEVTMPFS_MOUNT=y. Original patch: https://lore.kernel.org/lkml/[email protected]/ Cc: [email protected] Cc: Kay Sievers <[email protected]> Cc: Roland Eggner <[email protected]> Co-developed-by: Muhammad Usama Anjum <[email protected]> Signed-off-by: Kees Cook <[email protected]> Signed-off-by: Muhammad Usama Anjum <[email protected]> Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64 Signed-off-by: Greg Kroah-Hartman <[email protected]>
iljavs · Dec 30, 2021 · 28f0c33 · 28f0c33
1 parent 67aa58e
commit 28f0c33
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
 	  rescue mode with init=/bin/sh, even when the /dev directory
 	  on the rootfs is completely empty.
 
+config DEVTMPFS_SAFE
+	bool "Use nosuid,noexec mount options on devtmpfs"
+	depends on DEVTMPFS
+	help
+	  This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
+	  flags when mounting devtmpfs.
+
+	  Notice: If enabled, things like /dev/mem cannot be mmapped
+	  with the PROT_EXEC flag. This can break, for example, non-KMS
+	  video drivers.
+
 config STANDALONE
 	bool "Select only drivers that don't need compile-time external firmware"
 	default y

diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
@@ -29,6 +29,12 @@
 #include <uapi/linux/mount.h>
 #include "base.h"
 
+#ifdef CONFIG_DEVTMPFS_SAFE
+#define DEVTMPFS_MFLAGS       (MS_SILENT | MS_NOEXEC | MS_NOSUID)
+#else
+#define DEVTMPFS_MFLAGS       (MS_SILENT)
+#endif
+
 static struct task_struct *thread;
 
 static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
 	if (!thread)
 		return 0;
 
-	err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
+	err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
 	if (err)
 		printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
 	else
@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
 	err = ksys_unshare(CLONE_NEWNS);
 	if (err)
 		goto out;
-	err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
+	err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
 	if (err)
 		goto out;
 	init_chdir("/.."); /* will traverse into overmounted root */