Demi Marie Obenour writes: > On 12/11/25 07:48, Alyssa Ross wrote: >> These are mostly copied from systemd, so should be pretty safe in >> terms of compatibility. >> >> Signed-off-by: Alyssa Ross >> --- >> host/initramfs/etc/fstab | 8 ++++---- >> host/initramfs/etc/init | 2 +- >> host/rootfs/image/etc/fstab | 12 ++++++------ >> img/app/image/etc/fstab | 12 ++++++------ >> img/app/image/etc/mdev/virtiofs | 2 +- >> img/app/image/etc/s6-rc/app/run | 4 ++-- >> img/app/scripts/start-virtiofsd.elb | 2 +- >> vm/app/systemd-sysupdate/download-update | 2 +- >> vm/sys/net/image/etc/fstab | 12 ++++++------ >> 9 files changed, 28 insertions(+), 28 deletions(-) >> >> diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab >> index 3dfb05ab..9f43a1a9 100644 >> --- a/host/initramfs/etc/fstab >> +++ b/host/initramfs/etc/fstab >> @@ -1,5 +1,5 @@ >> # SPDX-License-Identifier: CC0-1.0 >> -# SPDX-FileCopyrightText: 2021 Alyssa Ross >> -devtmpfs /dev devtmpfs defaults 0 0 >> -proc /proc proc defaults 0 0 >> -sysfs /sys sysfs defaults 0 0 >> +# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross >> +devtmpfs /dev devtmpfs nosuid 0 0 > > Should this also be noexec? I don't think anything has any business > executing something out of devtmpfs. > >> +proc /proc proc nosuid,nodev,noexec 0 0 >> +sysfs /sys sysfs nosuid,nodev,noexec 0 0 >> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init >> index 71948874..723d2e1b 100755 >> --- a/host/initramfs/etc/init >> +++ b/host/initramfs/etc/init >> @@ -42,7 +42,7 @@ if { >> >> background { rm /dev/rootfs /dev/verity } >> >> -if { mount /dev/mapper/root-verity /mnt/root } >> +if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root } >> wait { $mdevd_pid } >> >> if { mount --move /proc /mnt/root/proc } >> diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab >> index 6230d910..5c23a374 100644 >> --- a/host/rootfs/image/etc/fstab >> +++ b/host/rootfs/image/etc/fstab 
>> @@ -1,7 +1,7 @@ >> # SPDX-License-Identifier: CC0-1.0 >> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross >> -proc /proc proc defaults 0 0 >> -devpts /dev/pts devpts gid=5,mode=620 0 0 >> -tmpfs /dev/shm tmpfs defaults 0 0 >> -sysfs /sys sysfs defaults 0 0 >> -tmpfs /tmp tmpfs defaults 0 0 >> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross >> +proc /proc proc nosuid,nodev,noexec 0 0 >> +devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0 >> +tmpfs /dev/shm tmpfs nosuid,nodev 0 0 >> +sysfs /sys sysfs nosuid,nodev,noexec 0 0 >> +tmpfs /tmp tmpfs nosuid,nodev 0 0 > > Should this be noexec as well? Here's systemd's rationale for /dev and /tmp not to be noexec: https://github.com/systemd/systemd/commit/4eb105fa4aae30566d23382e8c9430eddf1a3dd4 We could decide to be stricter, though. For /tmp and maybe /dev/shm as well I'm tempted to leave them unmounted and read-only by default, and only mount them inside namespaces for particular services that need them. That way we'd know which services were using them, and could decide on restrictive mount flags per-service, as well as deciding whether /tmp should be RAM- or disk-backed for each service.
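Review bot: in the host/initramfs/etc/fstab hunk, devtmpfs is the only line that ends up with nosuid alone, while proc and sysfs get nosuid,nodev,noexec; since the decision not to put noexec on /dev is deliberate and follows the systemd rationale linked in the reply, a one-line comment above `devtmpfs /dev devtmpfs nosuid 0 0` recording that reason would stop the question from being re-asked on every later review, and the commit message's "mostly copied from systemd" would be clearer if it named the mounts that deviate.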
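Review bot: `mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root` in the host/initramfs/etc/init hunk puts nosuid on the whole root filesystem, and on Linux a nosuid mount not only ignores setuid/setgid bits but also makes the kernel ignore file capabilities (security.capability xattrs) on that mount, so any binary in the rootfs image relying on either silently loses privilege rather than failing loudly; worth confirming nothing under host/rootfs needs them and saying so in the commit message. Since the verity target is read-only anyway, passing `ro` explicitly alongside `nosuid,nodev` would also document the intent instead of relying on the fallback to a read-only mount.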
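Review bot: in the host/rootfs/image/etc/fstab hunk, devpts correctly gets nosuid,noexec without nodev (ptys are device nodes), but the /dev/shm and /tmp tmpfs lines get only nosuid,nodev, which is the noexec question raised above, and the reply floats leaving /tmp and /dev/shm unmounted by default and mounting them per service instead; if that direction is taken this hunk is superseded, so it is worth settling before merging rather than hardening lines that will be removed. Note also that no tmpfs line sets an explicit mode; tmpfs defaults to 1777, so this is fine, but an explicit mode= would make the intended permissions visible in the file.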
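As an added check for this thread (example code written here, not part of the patch or the project's tree): a POSIX sh script that parses /proc/self/mountinfo and reports mounts whose effective flags fall short of what the fstab hunks above ask for. The field layout is the one documented in proc(5), where field 6 carries the per-mountpoint flags (nosuid, nodev, noexec, ro, ...) and superblock options follow the "-" separator. The policy table is derived from the hunks, and the sample mountinfo lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit effective mount flags against the policy the fstab hunks encode.
# Usage: sh audit-mounts.sh /proc/self/mountinfo
# Exit status is 1 if any policed mount is missing a flag, 0 otherwise.

# Policy: "mountpoint flags", taken from the patched fstabs
# (assumption: this is the intended end state; devtmpfs stays without noexec).
policy() {
    cat <<'EOF'
/proc nosuid,nodev,noexec
/sys nosuid,nodev,noexec
/dev nosuid
/dev/pts nosuid,noexec
/dev/shm nosuid,nodev
/tmp nosuid,nodev
EOF
}

# missing_flags MOUNT_OPTS WANTED
# Prints the comma-separated subset of WANTED absent from MOUNT_OPTS.
# Matching is on whole comma-delimited tokens, so "nodev" never matches "dev".
missing_flags() {
    opts=",$1,"
    wanted=$2
    missing=""
    old_ifs=$IFS
    IFS=','
    for f in $wanted; do
        case "$opts" in
            *",$f,"*) ;;
            *) missing="${missing:+$missing,}$f" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s' "$missing"
}

# audit_mountinfo FILE
# FILE is /proc/self/mountinfo or a saved copy. mountinfo fields (proc(5)):
#  1 id  2 parent  3 maj:min  4 root  5 mount point  6 mount options ...
# Only fields 5 and 6 matter here; mount points containing spaces appear
# escaped (\040) and simply will not match a policy entry.
audit_mountinfo() {
    rc=0
    while read -r _id _parent _devno _root mnt opts _rest; do
        wanted=$(policy | awk -v m="$mnt" '$1 == m { print $2 }')
        [ -n "$wanted" ] || continue
        lacking=$(missing_flags "$opts" "$wanted")
        if [ -n "$lacking" ]; then
            printf '%s: missing %s (has %s)\n' "$mnt" "$lacking" "$opts"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample (not from a real system): what the patched host rootfs
# fstab should yield, except that /tmp was left at "defaults", so the audit
# must flag exactly /tmp.
sample_mountinfo() {
    cat <<'EOF'
22 1 0:21 / / ro,nosuid,nodev,relatime - ext4 /dev/mapper/root-verity ro
23 22 0:5 / /dev rw,nosuid,relatime - devtmpfs devtmpfs rw,size=4k,nr_inodes=1024,mode=755
24 22 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
25 22 0:23 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
26 23 0:24 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
27 23 0:25 / /dev/shm rw,nosuid,nodev,relatime - tmpfs tmpfs rw
28 22 0:26 / /tmp rw,relatime - tmpfs tmpfs rw
EOF
}

# When run with a path, audit that file; with no argument, do nothing so the
# functions can be sourced or tested.
if [ -n "${1-}" ]; then
    audit_mountinfo "$1"
fi
```

Run it on a booted host as `sh audit-mounts.sh /proc/self/mountinfo`; the point of reading mountinfo rather than fstab is that it shows what the kernel actually applied, including mounts done by init scripts such as the `mount -o nosuid,nodev` in the initramfs hunk, and flags inherited or dropped by `mount --move`.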