On Tue, Nov 20, 2012 at 12:42:38PM -0800, Kees Cook wrote:
> Since devtmpfs is writable, make the default noexec,nosuid as well. This
> protects from the case of a privileged process having an arbitrary file
> write flaw and an argumentless arbitrary execution (i.e. it would lack
> the ability to run "mount -o remount,exec,suid /dev").
>
> Cc: ellyjo...@chromium.org
> Cc: Kay Sievers <k...@vrfy.org>
> Cc: Roland Eggner <ed...@systemanalysen.net>
> Signed-off-by: Kees Cook <keesc...@chromium.org>
>
> ---
> v2:
> - use CONFIG_DEVTMPFS_SAFE to wrap the logic.

That's better, thanks. One tiny bikeshed request though:

> --- a/drivers/base/devtmpfs.c
> +++ b/drivers/base/devtmpfs.c
> @@ -340,6 +340,10 @@ static int handle_remove(const char *nodename, struct
> device *dev)
> int devtmpfs_mount(const char *mntdir)
> {
> int err;
> + int mflags = MS_SILENT;
> +#ifdef CONFIG_DEVTMPFS_SAFE
> + mflags |= MS_NOEXEC | MS_NOSUID;
> +#endif

You duplicate this in two places, which makes the C code harder to read.

How about, at the top of the file, you do:

#ifdef CONFIG_DEVTMPFS_SAFE
#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID)
#else
#define DEVTMPFS_MFLAGS (MS_SILENT)
#endif

And then just use DEVTMPFS_MFLAGS in both places? That should make the patch smaller, which is always nice :)

thanks,

greg k-h
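
Review bot: the "#ifdef CONFIG_DEVTMPFS_SAFE" block added to devtmpfs_mount() sits inside the function body, right after the "int err;" declaration, so anyone reading the mount call has to evaluate a preprocessor conditional to learn which flags are in effect. Resolving the flag set once at file scope keeps the function body free of conditionals and gives a single place to audit when checking whether /dev is mounted noexec,nosuid. The option name also does not say what it changes: "SAFE" gives no hint that it sets MS_NOEXEC and MS_NOSUID, and the quoted hunk shows no help text for it. The Kconfig entry should name both flags and state that they are only mount defaults, which a "mount -o remount,exec,suid /dev" can lift, as the commit message itself notes.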