Change /dev to be mounted by default with /noexec

rhatdan · rhatdan · commit 09d837bf40a7 · 2021-10-20T15:33:59.000-04:00
Podman had an issue, where someone was attemptig to mount all tmpfs within the container as noexec. They were able to get most of it done but "/dev", because it was done down in the runtime spec. I can think of no reason why "/dev", should not be mounted with noexec especially within a container. I know it is not mounted by default in Fedora that way, but I do not know why. Debian looks like it has made the change, and only one bug a couple of years ago showed issues, which would not apply to containers. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940171 Anyways this would make containers "slightly" more secure, and I think it is worth doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
diff --git a/generate/generate.go b/generate/generate.go
@@ -182,7 +182,7 @@ func New(os string) (generator Generator, err error) {
 				Destination: "/dev",
 				Type:        "tmpfs",
 				Source:      "tmpfs",
-				Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+				Options:     []string{"nosuid", "noexec", "strictatime", "mode=755", "size=65536k"},
 			},
 			{
 				Destination: "/dev/pts",

Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ func New(os string) (generator Generator, err error) {`
`182`	`182`	`Destination: "/dev",`
`183`	`183`	`Type: "tmpfs",`
`184`	`184`	`Source: "tmpfs",`
`185`		`- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},`
	`185`	`+ Options: []string{"nosuid", "noexec", "strictatime", "mode=755", "size=65536k"},`
`186`	`186`	`},`
`187`	`187`	`{`
`188`	`188`	`Destination: "/dev/pts",`