From: Alyssa Ross
To: Demi Marie Obenour, devel@spectrum-os.org
CC: Yureka Lilian
Subject: Re: [PATCH] Set restrictive mount options
Date: Thu, 11 Dec 2025 21:30:01 +0100
Message-ID: <87cy4ksqwm.fsf@alyssa.is>
In-Reply-To: <67073f8a-f9c4-4f30-ab23-9309e6d6f585@gmail.com>
References: <20251211124806.31226-1-hi@alyssa.is> <67073f8a-f9c4-4f30-ab23-9309e6d6f585@gmail.com>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 12/11/25 07:48, Alyssa Ross wrote:
>> These are mostly copied from systemd, so should be pretty safe in
>> terms of compatibility.
>>
>> Signed-off-by: Alyssa Ross
>> ---
>>  host/initramfs/etc/fstab                 |  8 ++++----
>>  host/initramfs/etc/init                  |  2 +-
>>  host/rootfs/image/etc/fstab              | 12 ++++++------
>>  img/app/image/etc/fstab                  | 12 ++++++------
>>  img/app/image/etc/mdev/virtiofs          |  2 +-
>>  img/app/image/etc/s6-rc/app/run          |  4 ++--
>>  img/app/scripts/start-virtiofsd.elb      |  2 +-
>>  vm/app/systemd-sysupdate/download-update |  2 +-
>>  vm/sys/net/image/etc/fstab               | 12 ++++++------
>>  9 files changed, 28 insertions(+), 28 deletions(-)
>>
>> diff --git a/host/initramfs/etc/fstab b/host/initramfs/etc/fstab
>> index 3dfb05ab..9f43a1a9 100644
>> --- a/host/initramfs/etc/fstab
>> +++ b/host/initramfs/etc/fstab
>> @@ -1,5 +1,5 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2021 Alyssa Ross
>> -devtmpfs /dev devtmpfs defaults 0 0
>> -proc /proc proc defaults 0 0
>> -sysfs /sys sysfs defaults 0 0
>> +# SPDX-FileCopyrightText: 2021-2025 Alyssa Ross
>> +devtmpfs /dev devtmpfs nosuid 0 0
>
> Should this also be noexec?  I don't think anything has any business
> executing something out of devtmpfs.
>
>> +proc /proc proc nosuid,nodev,noexec 0 0
>> +sysfs /sys sysfs nosuid,nodev,noexec 0 0
>> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
>> index 71948874..723d2e1b 100755
>> --- a/host/initramfs/etc/init
>> +++ b/host/initramfs/etc/init
>> @@ -42,7 +42,7 @@ if {
>>
>>  background { rm /dev/rootfs /dev/verity }
>>
>> -if { mount /dev/mapper/root-verity /mnt/root }
>> +if { mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root }
>>  wait { $mdevd_pid }
>>
>>  if { mount --move /proc /mnt/root/proc }
>> diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
>> index 6230d910..5c23a374 100644
>> --- a/host/rootfs/image/etc/fstab
>> +++ b/host/rootfs/image/etc/fstab
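Review bot: the commit message says the options are "mostly copied from systemd" but does not say where this deviates from systemd, nor why `/dev` keeps exec permission (`devtmpfs /dev devtmpfs nosuid 0 0`) while `/proc` and `/sys` get the full `nosuid,nodev,noexec`. The question above shows that rationale is not recoverable from the hunk; record it (the systemd reasoning, or a link to it) in the commit message rather than only in the thread, so `git log` on this fstab answers the same question next time.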
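Review bot: `nosuid` in `mount -o nosuid,nodev /dev/mapper/root-verity /mnt/root` silently disables setuid/setgid bits and file capabilities for every binary in the host rootfs image, and the failure only surfaces as EPERM when such a binary is exec'd at run time; the commit message should state that the image ships none, or a build-time scan of the image for setuid/setgid bits and `security.capability` xattrs should enforce that. Since the dm-verity device cannot be written anyway, adding `ro` to the option list would also make the intended mode explicit instead of relying on the read-only fallback at mount time.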
>> @@ -1,7 +1,7 @@
>>  # SPDX-License-Identifier: CC0-1.0
>> -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross
>> -proc /proc proc defaults 0 0
>> -devpts /dev/pts devpts gid=5,mode=620 0 0
>> -tmpfs /dev/shm tmpfs defaults 0 0
>> -sysfs /sys sysfs defaults 0 0
>> -tmpfs /tmp tmpfs defaults 0 0
>> +# SPDX-FileCopyrightText: 2020-2021, 2025 Alyssa Ross
>> +proc /proc proc nosuid,nodev,noexec 0 0
>> +devpts /dev/pts devpts nosuid,noexec,gid=5,mode=620 0 0
>> +tmpfs /dev/shm tmpfs nosuid,nodev 0 0
>> +sysfs /sys sysfs nosuid,nodev,noexec 0 0
>> +tmpfs /tmp tmpfs nosuid,nodev 0 0
>
> Should this be noexec as well?

Here's systemd's rationale for /dev and /tmp not to be noexec:
https://github.com/systemd/systemd/commit/4eb105fa4aae30566d23382e8c9430eddf1a3dd4

We could decide to be stricter, though.  For /tmp and maybe /dev/shm as
well I'm tempted to leave them unmounted and read-only by default, and
only mount them inside namespaces for particular services that need
them.  That way we'd know which services were using them, and could
decide on restrictive mount flags per-service, as well as deciding
whether /tmp should be RAM- or disk-backed for each service.
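Review bot: the two tmpfs lines, `tmpfs /dev/shm tmpfs nosuid,nodev 0 0` and `tmpfs /tmp tmpfs nosuid,nodev 0 0`, set no `size=` or `nr_inodes=`, so each tmpfs defaults to half of physical RAM and any local process can fill it and push the host into memory pressure; for a patch titled "Set restrictive mount options" a size cap belongs next to `nosuid,nodev`. The `devpts` line correctly omits `nodev` because it has to expose the pty device nodes, but that makes it stand out against the other entries, so a one-line comment in the fstab saying so would save the next reader from "fixing" it.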
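As an added check (not part of the patch, this thread, or Spectrum's tree), the following POSIX shell script verifies after boot that the mount points touched by the patch actually carry the intended flags, by comparing a policy table against the `/proc/self/mountinfo` format. The POLICY table mirrors the fstab lines quoted above but is an assumption of this example, and the embedded mountinfo sample is constructed (its `/tmp` entry deliberately lacks `nodev`) so that the script runs offline; pass `/proc/self/mountinfo` as the first argument to check a live system instead.

```shell
#!/bin/sh
# Added example: verify that mounted filesystems carry the options the
# patch sets. Not part of the patch or of Spectrum; the POLICY table and
# the sample mountinfo below are assumptions constructed for this example.

# Policy: one "<mountpoint> <required,options>" per line, mirroring the
# fstab entries in the patch (devtmpfs keeps exec, devpts needs dev).
POLICY='
/proc nosuid,nodev,noexec
/sys nosuid,nodev,noexec
/dev nosuid
/dev/pts nosuid,noexec
/dev/shm nosuid,nodev
/tmp nosuid,nodev
'

# Constructed sample in /proc/self/mountinfo format (field 5 is the mount
# point, field 6 the per-mount flags). The /tmp line deliberately lacks
# nodev so that the check has a violation to report.
SAMPLE_MOUNTINFO='22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw
24 28 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,size=4096k,nr_inodes=1048576,mode=755
25 24 0:23 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
26 24 0:24 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
27 28 0:25 / /tmp rw,nosuid,relatime shared:7 - tmpfs tmpfs rw
'

# has_opt OPTS OPT: true if the comma-separated list OPTS contains OPT as a
# whole word (so "nodev" does not match a hypothetical "nodevice").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts FILE MOUNTPOINT: print the per-mount flags of the last entry
# for MOUNTPOINT (the last one is the visible mount when mounts are
# stacked), or nothing if it is not mounted.
mount_opts() {
    awk -v m="$2" '$5 == m { o = $6 } END { print o }' "$1"
}

# check_mounts FILE: compare every POLICY entry against the mountinfo in
# FILE. Prints "MISSING <mountpoint> <option>" for each absent flag and
# "UNMOUNTED <mountpoint>" for a policy entry with no mount; returns 1 if
# anything was reported, 0 if the system matches the policy.
check_mounts() {
    check_file=$1
    check_status=0
    while read -r mnt required; do
        [ -n "$mnt" ] || continue
        opts=$(mount_opts "$check_file" "$mnt")
        if [ -z "$opts" ]; then
            echo "UNMOUNTED $mnt"
            check_status=1
            continue
        fi
        for opt in $(echo "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$opt"; then
                echo "MISSING $mnt $opt"
                check_status=1
            fi
        done
    done <<EOF
$POLICY
EOF
    return $check_status
}

# Stand-alone run: check the constructed sample, or the file given as $1
# (for example /proc/self/mountinfo on a booted system).
demo_file=$(mktemp)
printf '%s' "$SAMPLE_MOUNTINFO" > "$demo_file"
check_mounts "${1:-$demo_file}" || echo "mount options do not match policy"
rm -f "$demo_file"
```

The check reads the per-mount flags (field 6) rather than the superblock options at the end of each line, because `nosuid`, `nodev` and `noexec` are per-mount flags and can differ between bind mounts of the same filesystem; on the constructed sample the only report is `MISSING /tmp nodev`.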