* [PATCH] Set restrictive mount options
@ 2025-12-11 12:48 Alyssa Ross
  2025-12-11 18:07 ` Demi Marie Obenour
  2025-12-11 19:24 ` Alyssa Ross
  0 siblings, 2 replies; 5+ messages in thread
From: Alyssa Ross @ 2025-12-11 12:48 UTC (permalink / raw)
  To: devel; +Cc: Yureka Lilian, Demi Marie Obenour

These are mostly copied from systemd, so should be pretty safe in
terms of compatibility.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/initramfs/etc/fstab                 |  8 ++++----
 host/initramfs/etc/init                  |  2 +-
 host/rootfs/image/etc/fstab              | 12 ++++++------
 img/app/image/etc/fstab                  | 12 ++++++------
 img/app/image/etc/mdev/virtiofs          |  2 +-
 img/app/image/etc/s6-rc/app/run          |  4 ++--
 img/app/scripts/start-virtiofsd.elb      |  2 +-
 vm/app/systemd-sysupdate/download-update |  2 +-
 vm/sys/net/image/etc/fstab               | 12 ++++++------
 9 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
index 3dfb05ab..9f43a1a9 100644
--- a/host/initramfs/etc/fstab
+++ b/host/initramfs/etc/fstab
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-devtmpfs	/dev	devtmpfs	defaults	0	0
-proc		/proc	proc		defaults	0	0
-sysfs		/sys	sysfs		defaults	0	0
+# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
+devtmpfs	/dev	devtmpfs	nosuid			0	0
+proc		/proc	proc		nosuid,nodev,noexec	0	0
+sysfs		/sys	sysfs		nosuid,nodev,noexec	0	0
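Review bot: /dev gets nosuid only, and the omission of noexec (raised in the reply below) deserves a one-line comment next to the entry or in the commit message so it is not re-opened on every read; nodev is necessarily absent here, since /dev is the one place device nodes must work, and the commit message's "copied from systemd" does cover nosuid-without-noexec for devtmpfs.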
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
index 71948874..723d2e1b 100755
--- a/host/initramfs/etc/init
+++ b/host/initramfs/etc/init
@@ -42,7 +42,7 @@ if {
 
 background { rm /dev/rootfs /dev/verity }
 
-if { mount /dev/mapper/root-verity /mnt/root }
+if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
 wait { $mdevd_pid }
 
 if { mount --move /proc /mnt/root/proc }
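Review bot: nosuid on the host root filesystem goes beyond the systemd defaults the commit message cites (systemd sets these flags on its API filesystems, not on /), so the message should say either that the host rootfs image carries no setuid binaries anything depends on or that they are being deliberately disabled. Consider passing ro explicitly as well: the dm-verity target is read-only regardless, and `mount -o ro,nosuid,nodev /dev/mapper/root-verity /mnt/root` records that intent instead of relying on the mount tool's read-only fallback.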
diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
index 6230d910..5c23a374 100644
--- a/host/rootfs/image/etc/fstab
+++ b/host/rootfs/image/etc/fstab
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-proc	/proc		proc	defaults	0	0
-devpts	/dev/pts	devpts	gid=5,mode=620	0	0
-tmpfs	/dev/shm	tmpfs	defaults	0	0
-sysfs	/sys		sysfs	defaults	0	0
-tmpfs	/tmp		tmpfs	defaults	0	0
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
+proc	/proc		proc	nosuid,nodev,noexec		0	0
+devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
+tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
+sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
+tmpfs	/tmp		tmpfs	nosuid,nodev			0	0
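Review bot: /tmp and /dev/shm remain executable, as the reply below notes; since the follow-up message links systemd's rationale for keeping them that way, the entries are fine as-is, but a short comment above them pointing at that rationale would save the next reader the same question. devpts correctly omits nodev, because every entry on it is a character device and nodev would make the ptys unopenable.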
diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
index 2dd1f4d8..5f78ab87 100644
--- a/img/app/image/etc/fstab
+++ b/img/app/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
 # SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
-proc	/proc		proc	defaults			0	0
-devpts	/dev/pts	devpts	gid=5,mode=620			0	0
-tmpfs	/dev/shm	tmpfs	defaults			0	0
-sysfs	/sys		sysfs	defaults			0	0
-tmpfs	/tmp		tmpfs	defaults			0	0
-tmpfs	/home/user	tmpfs	mode=0700,uid=1000,gid=1000	0	0
+proc	/proc		proc	nosuid,nodev,noexec		0	0
+devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
+tmpfs	/dev/shm	tmpfs	nosuid,nodev				0	0
+sysfs	/sys		sysfs	nosuid,nodev,noexec			0	0
+tmpfs	/tmp		tmpfs	nosuid,nodev				0	0
+tmpfs	/home/user	tmpfs	nodev,mode=0700,uid=1000,gid=1000	0	0
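Review bot: /home/user gets nodev but not nosuid, making it the only writable tmpfs in this file on which uid 1000 can create a setuid file and then execute it; unless something in the app VM needs setuid files under the user's home, add nosuid to match the /tmp line. Separately, the tab columns on the four middle lines drifted relative to the rest of the file (cosmetic).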
diff --git a/img/app/image/etc/mdev/virtiofs b/img/app/image/etc/mdev/virtiofs
index c1fd2834..b6e505bc 100755
--- a/img/app/image/etc/mdev/virtiofs
+++ b/img/app/image/etc/mdev/virtiofs
@@ -7,6 +7,6 @@ background {
   # virtiofs filesystems, so we only supported a single, hardcoded
   # filesystem tag for now.
   if { mkdir -p /run/virtiofs/virtiofs0 }
-  if { mount -t virtiofs virtiofs0 /run/virtiofs/virtiofs0 }
+  if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }
   /etc/mdev/listen virtiofs0
 }
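Review bot: the virtiofs mount gets nodev only; noexec is ruled out because the app's run script is executed from this path (see the s6-rc/app/run hunk), but nosuid does not interfere with that and this is the filesystem supplied from outside the VM, so it is where a stray setuid binary is most likely to arrive. If nosuid is left off on purpose, say why in the comment above the mount line.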
diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
index 0ba1f374..997897de 100755
--- a/img/app/image/etc/s6-rc/app/run
+++ b/img/app/image/etc/s6-rc/app/run
@@ -17,7 +17,7 @@ foreground {
       if { modprobe loop }
       if {
         backtick -E offset { /run/virtiofs/virtiofs0/config/run --appimage-offset }
-        mount -o offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt
+        mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt
       }
       s6-setuidgid user
       export APPIMAGE /run/virtiofs/virtiofs0/config/run
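Review bot: the loop mount of the AppImage payload gets nodev but not nosuid, and it is performed before `s6-setuidgid user` drops privileges, so a setuid root file inside the image would be honoured once the app runs; add nosuid (and ro, unless the app must write into its own image). Note also that `--appimage-offset` executes the AppImage runtime from the virtiofs before anything is mounted, which is pre-existing behaviour rather than something this patch changes, but it bounds what the new flags can achieve.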
@@ -42,7 +42,7 @@ foreground {
     nix {
       if {
 	mount -t overlay
-	  -o ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
+	  -o ro,nosuid,nodev,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
 	  store /nix/store
       }
 
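Review bot: ro,nosuid,nodev on the overlay only constrain paths resolved through /nix/store; the second lowerdir, /run/virtiofs/virtiofs0/config/nix/store, stays reachable through the virtiofs mount, which the mdev hunk mounts with nodev alone, so the same file can be executed setuid via its /run/virtiofs path. Either add nosuid to the virtiofs mount or treat the flags here as documentation rather than enforcement.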
diff --git a/img/app/scripts/start-virtiofsd.elb b/img/app/scripts/start-virtiofsd.elb
index e4d265f0..cedce9ae 100755
--- a/img/app/scripts/start-virtiofsd.elb
+++ b/img/app/scripts/start-virtiofsd.elb
@@ -6,7 +6,7 @@ s6-ipcserver-socketbinder -B build/virtiofsd.sock
 background {
   if { mkdir -p build/fs }
   unshare -rUm
-  if { mount -t tmpfs fs build/fs }
+  if { mount -t tmpfs -o nosuid,nodev fs build/fs }
   if { mkdir build/fs/config }
   if { importas -Si CONFIG mount --rbind -- ${CONFIG}/fs build/fs/config }
   importas -SsD virtiofsd VIRTIOFSD
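Review bot: nosuid,nodev cover the tmpfs only; the `mount --rbind` of ${CONFIG}/fs onto build/fs/config on the next line inherits the flags of whatever filesystem ${CONFIG}/fs lives on, not the tmpfs's, so the tree virtiofsd serves is not uniformly restricted. If that matters, follow the rbind with `mount -o remount,bind,nosuid,nodev build/fs/config` (repeated per submount for an rbind tree); adding restrictive flags is permitted inside the user namespace even though removing locked ones is not.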
diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
index facf7f52..b397f238 100755
--- a/vm/app/systemd-sysupdate/download-update
+++ b/vm/app/systemd-sysupdate/download-update
@@ -5,7 +5,7 @@
 export LC_ALL C
 export LANGUAGE C
 unshare -mr
-if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
+if { mount -toverlay -o nosuid,nodev,lowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
 backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
 # Not a useless use of cat: if there are NUL bytes in the URL
 # busybox's awk might misbehave.
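Review bot: noexec and nosymfollow, suggested in the reply, suit this mount (the updater executes nothing from /etc, and an overlay with only lowerdir is read-only already), but nosymfollow needs Linux 5.10 or later and a mount tool that passes the option through, so check the guest kernel and the busybox or util-linux build before depending on it; otherwise this hunk is fine.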
diff --git a/vm/sys/net/image/etc/fstab b/vm/sys/net/image/etc/fstab
index a0b62fa5..4c240544 100644
--- a/vm/sys/net/image/etc/fstab
+++ b/vm/sys/net/image/etc/fstab
@@ -1,8 +1,8 @@
 # SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
-proc	/proc		proc	defaults	0	0
-devpts	/dev/pts	devpts	gid=5,mode=620	0	0
-tmpfs	/dev/shm	tmpfs	defaults	0	0
-sysfs	/sys		sysfs	defaults	0	0
-bpffs	/sys/fs/bpf	bpf	defaults	0	0
+proc	/proc		proc	nosuid,nodev,noexec		0	0
+devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
+tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
+sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
+bpffs	/sys/fs/bpf	bpf	nosuid,nodev,noexec,mode=700	0	0
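Review bot: mode=700 on bpffs is the one option in this patch that changes who may use a filesystem rather than what files on it may do: with it only root can open pinned objects under /sys/fs/bpf, so confirm that whatever in the net VM loads or pins programs there runs as root, or loosen the mode for that service. nosuid,nodev,noexec are right for a pseudo-filesystem that holds neither executables nor device nodes.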

base-commit: e32cdde75ef9ec554c1c40bba7f4a75dcaaa779f
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
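The flags in this patch are spread over nine files, and the overlay and bind cases show that a flag on one mount can be undone by a second path to the same files. The script below is an added example for this thread, not code from the Spectrum project or from the patch; everything in it (POLICY, SAMPLE, the function names) is this example's own. It parses the /proc/self/mountinfo format, checks a policy table built from the flags the patch itself chooses for the app VM (so the table is an assumption), and checks that each overlay's lowerdir paths are not reachable through a mount with weaker flags than the overlay. The SAMPLE lines are constructed, modelled on the app VM fstab after the patch, with /dev/shm deliberately left at pre-patch defaults so the first check has something to report.

```python
"""Audit a mountinfo listing against the mount-flag policy this patch sets.

Added example for this thread, not code from the Spectrum project.  Two checks:
  1. each mount point in POLICY carries the per-mount flags the patch gives it
     (nosuid/nodev/noexec live in the sixth mountinfo field, not in the
     super-options listed after the filesystem type);
  2. each overlay's lowerdir paths are not reachable through a mount whose
     flags are weaker than the overlay's own, which would make the overlay's
     nosuid/nodev decorative.
SAMPLE is constructed for this example, modelled on the app VM fstab after the
patch; it is not captured from a real system.
"""
import re
import sys
from dataclasses import dataclass

# Assumed policy: the per-mount flags the patch itself chooses for the app VM.
POLICY = {
    "/proc": {"nosuid", "nodev", "noexec"},
    "/sys": {"nosuid", "nodev", "noexec"},
    "/dev/pts": {"nosuid", "noexec"},
    "/dev/shm": {"nosuid", "nodev"},
    "/tmp": {"nosuid", "nodev"},
    "/home/user": {"nodev"},
}
# Flags whose absence on a lower mount weakens an overlay that has them.
RESTRICTIVE = {"ro", "nosuid", "nodev", "noexec"}

# Constructed sample; /dev/shm is left at the pre-patch defaults on purpose.
SAMPLE = """\
21 1 0:20 / / ro,relatime - erofs /dev/vda ro
22 21 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:6 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
24 21 0:4 / /dev rw,nosuid,relatime - devtmpfs devtmpfs rw,size=4096k,mode=755
25 24 0:21 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
26 24 0:22 / /dev/shm rw,relatime - tmpfs tmpfs rw
27 21 0:23 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw
28 21 0:24 / /run/virtiofs/virtiofs0 rw,nodev,relatime - virtiofs virtiofs0 rw
29 21 0:25 / /nix/store ro,nosuid,nodev,relatime - overlay store ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
30 21 0:26 / /home/user rw,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """Undo mountinfo's octal escapes (\\040 space, \\011 tab, \\134 backslash)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class Mount:
    point: str        # field 5, unescaped
    flags: set        # field 6: per-mount options such as ro,nosuid,nodev
    fstype: str
    source: str
    superopts: dict   # options after the source, e.g. mode=620 or lowerdir=...


def parse_mountinfo(text: str) -> list:
    """Parse mountinfo lines; optional fields before the ' - ' separator are skipped."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf = left.split()
        rf = right.split(maxsplit=2)
        superopts = {}
        for opt in (rf[2] if len(rf) > 2 else "").split(","):  # assumes no commas in paths
            key, _, value = opt.partition("=")
            superopts[key] = unescape(value)
        mounts.append(Mount(point=unescape(lf[4]), flags=set(lf[5].split(",")),
                            fstype=rf[0], source=unescape(rf[1]), superopts=superopts))
    return mounts


def containing_mount(mounts: list, path: str):
    """The mount through which `path` is reached: longest prefix, latest wins ties."""
    best = None
    for m in mounts:
        p = m.point
        if path == p or path.startswith(p.rstrip("/") + "/"):
            if best is None or len(p) >= len(best.point):
                best = m
    return best


def audit(mounts: list) -> list:
    """Return human-readable findings; an empty list means the policy holds."""
    findings = []
    by_point = {m.point: m for m in mounts}  # a later mount shadows an earlier one
    for point, want in POLICY.items():
        m = by_point.get(point)
        if m is None:
            findings.append(f"{point}: not mounted")
        elif want - m.flags:
            findings.append(f"{point}: missing {','.join(sorted(want - m.flags))}")
    for m in mounts:
        if m.fstype != "overlay":
            continue
        for lower in filter(None, m.superopts.get("lowerdir", "").split(":")):
            under = containing_mount(mounts, lower)
            if under is None or under is m:   # overlay stacked on its own lowerdir
                continue
            weaker = (m.flags & RESTRICTIVE) - under.flags
            if weaker:
                findings.append(f"{m.point}: lowerdir {lower} reachable via "
                                f"{under.point} without {','.join(sorted(weaker))}")
    return findings


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/mountinfo"
    text = SAMPLE if src == "--sample" else open(src).read()
    problems = audit(parse_mountinfo(text))
    print("\n".join(problems) if problems else "all mounts conform to policy")
    sys.exit(1 if problems else 0)
```

Run it with no argument inside a VM to audit the live system, with a path to audit a saved mountinfo, or with `--sample` to see the two findings the constructed data produces. The lowerdir check is the one that matters for the /nix/store overlay in this patch: nosuid on the overlay reports clean on its own, and only the second check notices that the same store files are reachable through /run/virtiofs/virtiofs0 with nodev alone.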

* Re: [PATCH] Set restrictive mount options
  2025-12-11 12:48 [PATCH] Set restrictive mount options Alyssa Ross
@ 2025-12-11 18:07 ` Demi Marie Obenour
  2025-12-11 19:04   ` Alyssa Ross
  2025-12-11 20:30   ` Alyssa Ross
  2025-12-11 19:24 ` Alyssa Ross
  1 sibling, 2 replies; 5+ messages in thread
From: Demi Marie Obenour @ 2025-12-11 18:07 UTC (permalink / raw)
  To: Alyssa Ross, devel; +Cc: Yureka Lilian



On 12/11/25 07:48, Alyssa Ross wrote:
> These are mostly copied from systemd, so should be pretty safe in
> terms of compatibility.
> 
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
>  host/initramfs/etc/fstab                 |  8 ++++----
>  host/initramfs/etc/init                  |  2 +-
>  host/rootfs/image/etc/fstab              | 12 ++++++------
>  img/app/image/etc/fstab                  | 12 ++++++------
>  img/app/image/etc/mdev/virtiofs          |  2 +-
>  img/app/image/etc/s6-rc/app/run          |  4 ++--
>  img/app/scripts/start-virtiofsd.elb      |  2 +-
>  vm/app/systemd-sysupdate/download-update |  2 +-
>  vm/sys/net/image/etc/fstab               | 12 ++++++------
>  9 files changed, 28 insertions(+), 28 deletions(-)
> 
> diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
> index 3dfb05ab..9f43a1a9 100644
> --- a/host/initramfs/etc/fstab
> +++ b/host/initramfs/etc/fstab
> @@ -1,5 +1,5 @@
>  # SPDX-License-Identifier: CC0-1.0
> -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
> -devtmpfs	/dev	devtmpfs	defaults	0	0
> -proc		/proc	proc		defaults	0	0
> -sysfs		/sys	sysfs		defaults	0	0
> +# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
> +devtmpfs	/dev	devtmpfs	nosuid			0	0

Should this also be noexec?  I don't think anything has any business
executing something out of devtmpfs.

> +proc		/proc	proc		nosuid,nodev,noexec	0	0
> +sysfs		/sys	sysfs		nosuid,nodev,noexec	0	0
> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
> index 71948874..723d2e1b 100755
> --- a/host/initramfs/etc/init
> +++ b/host/initramfs/etc/init
> @@ -42,7 +42,7 @@ if {
>  
>  background { rm /dev/rootfs /dev/verity }
>  
> -if { mount /dev/mapper/root-verity /mnt/root }
> +if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
>  wait { $mdevd_pid }
>  
>  if { mount --move /proc /mnt/root/proc }
> diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
> index 6230d910..5c23a374 100644
> --- a/host/rootfs/image/etc/fstab
> +++ b/host/rootfs/image/etc/fstab
> @@ -1,7 +1,7 @@
>  # SPDX-License-Identifier: CC0-1.0
> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
> -proc	/proc		proc	defaults	0	0
> -devpts	/dev/pts	devpts	gid=5,mode=620	0	0
> -tmpfs	/dev/shm	tmpfs	defaults	0	0
> -sysfs	/sys		sysfs	defaults	0	0
> -tmpfs	/tmp		tmpfs	defaults	0	0
> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
> +proc	/proc		proc	nosuid,nodev,noexec		0	0
> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
> +tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
> +sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
> +tmpfs	/tmp		tmpfs	nosuid,nodev			0	0

Should this be noexec as well?

> diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
> index 2dd1f4d8..5f78ab87 100644
> --- a/img/app/image/etc/fstab
> +++ b/img/app/image/etc/fstab
> @@ -1,8 +1,8 @@
>  # SPDX-License-Identifier: CC0-1.0
>  # SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
> -proc	/proc		proc	defaults			0	0
> -devpts	/dev/pts	devpts	gid=5,mode=620			0	0
> -tmpfs	/dev/shm	tmpfs	defaults			0	0
> -sysfs	/sys		sysfs	defaults			0	0
> -tmpfs	/tmp		tmpfs	defaults			0	0
> -tmpfs	/home/user	tmpfs	mode=0700,uid=1000,gid=1000	0	0
> +proc	/proc		proc	nosuid,nodev,noexec		0	0
> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
> +tmpfs	/dev/shm	tmpfs	nosuid,nodev				0	0
> +sysfs	/sys		sysfs	nosuid,nodev,noexec			0	0
> +tmpfs	/tmp		tmpfs	nosuid,nodev				0	0
> +tmpfs	/home/user	tmpfs	nodev,mode=0700,uid=1000,gid=1000	0	0
> diff --git a/img/app/image/etc/mdev/virtiofs b/img/app/image/etc/mdev/virtiofs
> index c1fd2834..b6e505bc 100755
> --- a/img/app/image/etc/mdev/virtiofs
> +++ b/img/app/image/etc/mdev/virtiofs
> @@ -7,6 +7,6 @@ background {
>    # virtiofs filesystems, so we only supported a single, hardcoded
>    # filesystem tag for now.
>    if { mkdir -p /run/virtiofs/virtiofs0 }
> -  if { mount -t virtiofs virtiofs0 /run/virtiofs/virtiofs0 }
> +  if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }
>    /etc/mdev/listen virtiofs0
>  }
> diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
> index 0ba1f374..997897de 100755
> --- a/img/app/image/etc/s6-rc/app/run
> +++ b/img/app/image/etc/s6-rc/app/run
> @@ -17,7 +17,7 @@ foreground {
>        if { modprobe loop }
>        if {
>          backtick -E offset { /run/virtiofs/virtiofs0/config/run --appimage-offset }
> -        mount -o offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt
> +        mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt
>        }
>        s6-setuidgid user
>        export APPIMAGE /run/virtiofs/virtiofs0/config/run
> @@ -42,7 +42,7 @@ foreground {
>      nix {
>        if {
>  	mount -t overlay
> -	  -o ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
> +	  -o ro,nosuid,nodev,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
>  	  store /nix/store
>        }
>  
> diff --git a/img/app/scripts/start-virtiofsd.elb b/img/app/scripts/start-virtiofsd.elb
> index e4d265f0..cedce9ae 100755
> --- a/img/app/scripts/start-virtiofsd.elb
> +++ b/img/app/scripts/start-virtiofsd.elb
> @@ -6,7 +6,7 @@ s6-ipcserver-socketbinder -B build/virtiofsd.sock
>  background {
>    if { mkdir -p build/fs }
>    unshare -rUm
> -  if { mount -t tmpfs fs build/fs }
> +  if { mount -t tmpfs -o nosuid,nodev fs build/fs }
>    if { mkdir build/fs/config }
>    if { importas -Si CONFIG mount --rbind -- ${CONFIG}/fs build/fs/config }
>    importas -SsD virtiofsd VIRTIOFSD
> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
> index facf7f52..b397f238 100755
> --- a/vm/app/systemd-sysupdate/download-update
> +++ b/vm/app/systemd-sysupdate/download-update
> @@ -5,7 +5,7 @@
>  export LC_ALL C
>  export LANGUAGE C
>  unshare -mr
> -if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
> +if { mount -toverlay -o nosuid,nodev,lowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }

Feel free to add noexec and nosymfollow to this.  Unless I am very
much mistaken, the updater should be fine with both.

>  backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
>  # Not a useless use of cat: if there are NUL bytes in the URL
>  # busybox's awk might misbehave.
> diff --git a/vm/sys/net/image/etc/fstab b/vm/sys/net/image/etc/fstab
> index a0b62fa5..4c240544 100644
> --- a/vm/sys/net/image/etc/fstab
> +++ b/vm/sys/net/image/etc/fstab
> @@ -1,8 +1,8 @@
>  # SPDX-License-Identifier: CC0-1.0
> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
>  # SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
> -proc	/proc		proc	defaults	0	0
> -devpts	/dev/pts	devpts	gid=5,mode=620	0	0
> -tmpfs	/dev/shm	tmpfs	defaults	0	0
> -sysfs	/sys		sysfs	defaults	0	0
> -bpffs	/sys/fs/bpf	bpf	defaults	0	0
> +proc	/proc		proc	nosuid,nodev,noexec		0	0
> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
> +tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
> +sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
> +bpffs	/sys/fs/bpf	bpf	nosuid,nodev,noexec,mode=700	0	0
> 
> base-commit: e32cdde75ef9ec554c1c40bba7f4a75dcaaa779f

There might be additional improvements that can be made, but
those can come later, so:

Acked-by: Demi Marie Obenour <demiobenour@gmail.com>

with or without the suggested changes.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)


* Re: [PATCH] Set restrictive mount options
  2025-12-11 18:07 ` Demi Marie Obenour
@ 2025-12-11 19:04   ` Alyssa Ross
  2025-12-11 20:30   ` Alyssa Ross
  1 sibling, 0 replies; 5+ messages in thread
From: Alyssa Ross @ 2025-12-11 19:04 UTC (permalink / raw)
  To: Demi Marie Obenour, devel; +Cc: Yureka Lilian


Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/11/25 07:48, Alyssa Ross wrote:
>> These are mostly copied from systemd, so should be pretty safe in
>> terms of compatibility.
>> 
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  host/initramfs/etc/fstab                 |  8 ++++----
>>  host/initramfs/etc/init                  |  2 +-
>>  host/rootfs/image/etc/fstab              | 12 ++++++------
>>  img/app/image/etc/fstab                  | 12 ++++++------
>>  img/app/image/etc/mdev/virtiofs          |  2 +-
>>  img/app/image/etc/s6-rc/app/run          |  4 ++--
>>  img/app/scripts/start-virtiofsd.elb      |  2 +-
>>  vm/app/systemd-sysupdate/download-update |  2 +-
>>  vm/sys/net/image/etc/fstab               | 12 ++++++------
>>  9 files changed, 28 insertions(+), 28 deletions(-)
>> 
>> diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
>> index 3dfb05ab..9f43a1a9 100644
>> --- a/host/initramfs/etc/fstab
>> +++ b/host/initramfs/etc/fstab
>> @@ -1,5 +1,5 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
>> -devtmpfs	/dev	devtmpfs	defaults	0	0
>> -proc		/proc	proc		defaults	0	0
>> -sysfs		/sys	sysfs		defaults	0	0
>> +# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
>> +devtmpfs	/dev	devtmpfs	nosuid			0	0
>
> Should this also be noexec?  I don't think anything has any business
> executing something out of devtmpfs.
>
>> +proc		/proc	proc		nosuid,nodev,noexec	0	0
>> +sysfs		/sys	sysfs		nosuid,nodev,noexec	0	0
>> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
>> index 71948874..723d2e1b 100755
>> --- a/host/initramfs/etc/init
>> +++ b/host/initramfs/etc/init
>> @@ -42,7 +42,7 @@ if {
>>  
>>  background { rm /dev/rootfs /dev/verity }
>>  
>> -if { mount /dev/mapper/root-verity /mnt/root }
>> +if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
>>  wait { $mdevd_pid }
>>  
>>  if { mount --move /proc /mnt/root/proc }
>> diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
>> index 6230d910..5c23a374 100644
>> --- a/host/rootfs/image/etc/fstab
>> +++ b/host/rootfs/image/etc/fstab
>> @@ -1,7 +1,7 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
>> -proc	/proc		proc	defaults	0	0
>> -devpts	/dev/pts	devpts	gid=5,mode=620	0	0
>> -tmpfs	/dev/shm	tmpfs	defaults	0	0
>> -sysfs	/sys		sysfs	defaults	0	0
>> -tmpfs	/tmp		tmpfs	defaults	0	0
>> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
>> +proc	/proc		proc	nosuid,nodev,noexec		0	0
>> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
>> +tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
>> +sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
>> +tmpfs	/tmp		tmpfs	nosuid,nodev			0	0
>
> Should this be noexec as well?
>
>> diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab
>> index 2dd1f4d8..5f78ab87 100644
>> --- a/img/app/image/etc/fstab
>> +++ b/img/app/image/etc/fstab
>> @@ -1,8 +1,8 @@
>>  # SPDX-License-Identifier: CC0-1.0
>>  # SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is>
>> -proc	/proc		proc	defaults			0	0
>> -devpts	/dev/pts	devpts	gid=5,mode=620			0	0
>> -tmpfs	/dev/shm	tmpfs	defaults			0	0
>> -sysfs	/sys		sysfs	defaults			0	0
>> -tmpfs	/tmp		tmpfs	defaults			0	0
>> -tmpfs	/home/user	tmpfs	mode=0700,uid=1000,gid=1000	0	0
>> +proc	/proc		proc	nosuid,nodev,noexec		0	0
>> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
>> +tmpfs	/dev/shm	tmpfs	nosuid,nodev				0	0
>> +sysfs	/sys		sysfs	nosuid,nodev,noexec			0	0
>> +tmpfs	/tmp		tmpfs	nosuid,nodev				0	0
>> +tmpfs	/home/user	tmpfs	nodev,mode=0700,uid=1000,gid=1000	0	0
>> diff --git a/img/app/image/etc/mdev/virtiofs b/img/app/image/etc/mdev/virtiofs
>> index c1fd2834..b6e505bc 100755
>> --- a/img/app/image/etc/mdev/virtiofs
>> +++ b/img/app/image/etc/mdev/virtiofs
>> @@ -7,6 +7,6 @@ background {
>>    # virtiofs filesystems, so we only supported a single, hardcoded
>>    # filesystem tag for now.
>>    if { mkdir -p /run/virtiofs/virtiofs0 }
>> -  if { mount -t virtiofs virtiofs0 /run/virtiofs/virtiofs0 }
>> +  if { mount -t virtiofs -o nodev virtiofs0 /run/virtiofs/virtiofs0 }
>>    /etc/mdev/listen virtiofs0
>>  }
>> diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run
>> index 0ba1f374..997897de 100755
>> --- a/img/app/image/etc/s6-rc/app/run
>> +++ b/img/app/image/etc/s6-rc/app/run
>> @@ -17,7 +17,7 @@ foreground {
>>        if { modprobe loop }
>>        if {
>>          backtick -E offset { /run/virtiofs/virtiofs0/config/run --appimage-offset }
>> -        mount -o offset=${offset} /run/virtiofs/virtiofs0/config/run /mnt
>> +        mount -o offset=${offset},nodev /run/virtiofs/virtiofs0/config/run /mnt
>>        }
>>        s6-setuidgid user
>>        export APPIMAGE /run/virtiofs/virtiofs0/config/run
>> @@ -42,7 +42,7 @@ foreground {
>>      nix {
>>        if {
>>  	mount -t overlay
>> -	  -o ro,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
>> +	  -o ro,nosuid,nodev,lowerdir=/nix/store:/run/virtiofs/virtiofs0/config/nix/store
>>  	  store /nix/store
>>        }
>>  
>> diff --git a/img/app/scripts/start-virtiofsd.elb b/img/app/scripts/start-virtiofsd.elb
>> index e4d265f0..cedce9ae 100755
>> --- a/img/app/scripts/start-virtiofsd.elb
>> +++ b/img/app/scripts/start-virtiofsd.elb
>> @@ -6,7 +6,7 @@ s6-ipcserver-socketbinder -B build/virtiofsd.sock
>>  background {
>>    if { mkdir -p build/fs }
>>    unshare -rUm
>> -  if { mount -t tmpfs fs build/fs }
>> +  if { mount -t tmpfs -o nosuid,nodev fs build/fs }
>>    if { mkdir build/fs/config }
>>    if { importas -Si CONFIG mount --rbind -- ${CONFIG}/fs build/fs/config }
>>    importas -SsD virtiofsd VIRTIOFSD
>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
>> index facf7f52..b397f238 100755
>> --- a/vm/app/systemd-sysupdate/download-update
>> +++ b/vm/app/systemd-sysupdate/download-update
>> @@ -5,7 +5,7 @@
>>  export LC_ALL C
>>  export LANGUAGE C
>>  unshare -mr
>> -if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
>> +if { mount -toverlay -o nosuid,nodev,lowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
>
> Feel free to add noexec and nosymfollow to this.  Unless I am very
> much mistaken, the updater should be fine with both.
>
>>  backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
>>  # Not a useless use of cat: if there are NUL bytes in the URL
>>  # busybox's awk might misbehave.
>> diff --git a/vm/sys/net/image/etc/fstab b/vm/sys/net/image/etc/fstab
>> index a0b62fa5..4c240544 100644
>> --- a/vm/sys/net/image/etc/fstab
>> +++ b/vm/sys/net/image/etc/fstab
>> @@ -1,8 +1,8 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
>> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
>>  # SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
>> -proc	/proc		proc	defaults	0	0
>> -devpts	/dev/pts	devpts	gid=5,mode=620	0	0
>> -tmpfs	/dev/shm	tmpfs	defaults	0	0
>> -sysfs	/sys		sysfs	defaults	0	0
>> -bpffs	/sys/fs/bpf	bpf	defaults	0	0
>> +proc	/proc		proc	nosuid,nodev,noexec		0	0
>> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
>> +tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
>> +sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
>> +bpffs	/sys/fs/bpf	bpf	nosuid,nodev,noexec,mode=700	0	0
>> 
>> base-commit: e32cdde75ef9ec554c1c40bba7f4a75dcaaa779f
>
> There might be additional improvements that can be made, but
> those can come later, so:
>
> Acked-by: Demi Marie Obenour <demiobenour@gmail.com>
>
> with or without the suggested changes.

Alright, I'll test and commit this with the updater changes, and follow
up separately on the others.


* Re: [PATCH] Set restrictive mount options
  2025-12-11 12:48 [PATCH] Set restrictive mount options Alyssa Ross
  2025-12-11 18:07 ` Demi Marie Obenour
@ 2025-12-11 19:24 ` Alyssa Ross
  1 sibling, 0 replies; 5+ messages in thread
From: Alyssa Ross @ 2025-12-11 19:24 UTC (permalink / raw)
  To: Alyssa Ross, devel; +Cc: Yureka Lilian, Demi Marie Obenour

This patch has been committed as 88d6d4676ee2c47d2ebee79a3527f65872956251,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=88d6d4676ee2c47d2ebee79a3527f65872956251.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>


* Re: [PATCH] Set restrictive mount options
  2025-12-11 18:07 ` Demi Marie Obenour
  2025-12-11 19:04   ` Alyssa Ross
@ 2025-12-11 20:30   ` Alyssa Ross
  1 sibling, 0 replies; 5+ messages in thread
From: Alyssa Ross @ 2025-12-11 20:30 UTC (permalink / raw)
  To: Demi Marie Obenour, devel; +Cc: Yureka Lilian


Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/11/25 07:48, Alyssa Ross wrote:
>> These are mostly copied from systemd, so should be pretty safe in
>> terms of compatibility.
>> 
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  host/initramfs/etc/fstab                 |  8 ++++----
>>  host/initramfs/etc/init                  |  2 +-
>>  host/rootfs/image/etc/fstab              | 12 ++++++------
>>  img/app/image/etc/fstab                  | 12 ++++++------
>>  img/app/image/etc/mdev/virtiofs          |  2 +-
>>  img/app/image/etc/s6-rc/app/run          |  4 ++--
>>  img/app/scripts/start-virtiofsd.elb      |  2 +-
>>  vm/app/systemd-sysupdate/download-update |  2 +-
>>  vm/sys/net/image/etc/fstab               | 12 ++++++------
>>  9 files changed, 28 insertions(+), 28 deletions(-)
>> 
>> diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
>> index 3dfb05ab..9f43a1a9 100644
>> --- a/host/initramfs/etc/fstab
>> +++ b/host/initramfs/etc/fstab
>> @@ -1,5 +1,5 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
>> -devtmpfs	/dev	devtmpfs	defaults	0	0
>> -proc		/proc	proc		defaults	0	0
>> -sysfs		/sys	sysfs		defaults	0	0
>> +# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross <hi@alyssa.is>
>> +devtmpfs	/dev	devtmpfs	nosuid			0	0
>
> Should this also be noexec?  I don't think anything has any business
> executing something out of devtmpfs.
>
>> +proc		/proc	proc		nosuid,nodev,noexec	0	0
>> +sysfs		/sys	sysfs		nosuid,nodev,noexec	0	0
>> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
>> index 71948874..723d2e1b 100755
>> --- a/host/initramfs/etc/init
>> +++ b/host/initramfs/etc/init
>> @@ -42,7 +42,7 @@ if {
>>  
>>  background { rm /dev/rootfs /dev/verity }
>>  
>> -if { mount /dev/mapper/root-verity /mnt/root }
>> +if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
>>  wait { $mdevd_pid }
>>  
>>  if { mount --move /proc /mnt/root/proc }
>> diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
>> index 6230d910..5c23a374 100644
>> --- a/host/rootfs/image/etc/fstab
>> +++ b/host/rootfs/image/etc/fstab
>> @@ -1,7 +1,7 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
>> -proc	/proc		proc	defaults	0	0
>> -devpts	/dev/pts	devpts	gid=5,mode=620	0	0
>> -tmpfs	/dev/shm	tmpfs	defaults	0	0
>> -sysfs	/sys		sysfs	defaults	0	0
>> -tmpfs	/tmp		tmpfs	defaults	0	0
>> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross <hi@alyssa.is>
>> +proc	/proc		proc	nosuid,nodev,noexec		0	0
>> +devpts	/dev/pts	devpts	nosuid,noexec,gid=5,mode=620	0	0
>> +tmpfs	/dev/shm	tmpfs	nosuid,nodev			0	0
>> +sysfs	/sys		sysfs	nosuid,nodev,noexec		0	0
>> +tmpfs	/tmp		tmpfs	nosuid,nodev			0	0
>
> Should this be noexec as well?

Here's systemd's rationale for not making /dev and /tmp noexec:

https://github.com/systemd/systemd/commit/4eb105fa4aae30566d23382e8c9430eddf1a3dd4

We could decide to be stricter, though.

For /tmp and maybe /dev/shm as well I'm tempted to leave them unmounted
and read-only by default, and only mount them inside namespaces for
particular services that need them.  That way we'd know which services
were using them, and could decide on restrictive mount flags
per-service, as well as deciding whether /tmp should be RAM- or
disk-backed for each service.


Code repositories for project(s) associated with this public inbox

	https://spectrum-os.org/git/crosvm
	https://spectrum-os.org/git/doc
	https://spectrum-os.org/git/mktuntap
	https://spectrum-os.org/git/nixpkgs
	https://spectrum-os.org/git/spectrum
	https://spectrum-os.org/git/ucspi-vsock
	https://spectrum-os.org/git/www
