PING/CMNT: [PATCH 0/4][v2 Focal/Jammy linux] dev file system is mounted without nosuid or noexec

Luke Nowakowski-Krijger luke.nowakowskikrijger at canonical.com
Tue Jan 17 21:09:44 UTC 2023


Resurfacing the conversation on this patch since there was a NACK from
Dimitri.

I think I agree with Dimitri's point of following upstream systemd and
initramfs-tools and just having nosuid, as mounting noexec might break some
driver somewhere exec'ing out of /dev (e.g. Intel SGX, however it is
deprecated) ...

For context this patch has been upstream for a while and is carried in
Kinetic.

Does anyone have any ideas/opinions what we should do?

- Luke

On Tue, Oct 11, 2022 at 9:30 AM Tim Gardner <tim.gardner at canonical.com>
wrote:

> BugLink: https://bugs.launchpad.net/bugs/1991975
> Good test results in
> https://lists.ubuntu.com/archives/kernel-team/2022-October/133764.html
>
> [ SRU TEMPLATE ]
> [ Impact ]
>
>  * nosuid, and noexec bits are not set on /dev
>  * This has the potential for nefarious actors to use this as an avenue
> for attack.
>  * see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for
> more discussion around this.
>  * It is not best security practice.
>
> [ Test Plan ]
>
>    1. Boot a Canonical Supplied EC2 instance
>    2. Check the mount options for /dev.
>    3. You will notice the lack of nosuid and noexec on /dev.
>
> [ Where problems could occur ]
>
>  * As of 2022/10/06, I need to test this, but don't know how to build -aws
> flavored ubuntu kernels.
>  * Instructions welcome. I'm holding off on adding SRU tags until I can
> actually get this tested.
>
>  * If this is applied to non initramfs-less kernels it could potentially
> cause a regression for
>  * very old hardware that does nefarious things with memory. For a larger
> discussion about that see:
>  *
> https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/
>
>  * Low risk if a driver depends on /dev allowing suid or exec this might
> prevent boot. That being said,
>  * all kernels that have been booting with an initramfs have been getting
> nosuid, and noexec set so
>  * hopefully we can consider that risk fairly well tested.
>
> [ Other Info ]
>
>  * Patch is accepted into 5.17, and will drop out quickly
>  * Any server booting with an initramfs already has nosuid, and noexec
> set, so hopefully
>
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
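Step 2 of the quoted test plan ("check the mount options for /dev") can be done by hand with `mount` or `findmnt`, but the following is an added POSIX sh example, not code from the patch, from Tim, or from this thread, that reads the options straight from the /proc/self/mountinfo format and reports which of nosuid and noexec are missing. The `SAMPLE_MOUNTINFO` lines are constructed to mirror the situation the bug describes (a devtmpfs /dev with nosuid but no noexec); `check_mount_opts` and `check_live` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the patch or the mailing-list thread.
# Reports whether a mount point carries the nosuid and noexec options by
# parsing /proc/self/mountinfo text (field 5 = mount point, field 6 =
# per-mount options). Mount points containing spaces appear in mountinfo
# as \040, so an exact string match on the escaped form is intended.

# Constructed sample in /proc/self/mountinfo format: /dev has nosuid but
# not noexec (the state the bug reports), / has neither, /dev/pts has both.
SAMPLE_MOUNTINFO='21 26 0:20 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=4004380k,nr_inodes=1001095,mode=755
26 1 252:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw
28 21 0:22 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000'

# check_mount_opts MOUNTPOINT MOUNTINFO_TEXT
# Prints the missing options (space separated) on stdout and returns:
#   0 - mount point found, both nosuid and noexec present
#   1 - mount point found, at least one of them missing (names printed)
#   2 - mount point not present in the supplied mountinfo text
check_mount_opts() {
    mp=$1
    text=$2
    # First line whose mount point field matches exactly.
    line=$(printf '%s\n' "$text" | awk -v mp="$mp" '$5 == mp { print; exit }')
    if [ -z "$line" ]; then
        return 2
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $6 }')
    missing=""
    for want in nosuid noexec; do
        # Wrap in commas so "nosuid" does not match inside another option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# check_live [MOUNTPOINT]: run the same check against the running system.
# Defaults to /dev. Not invoked here so the file also runs where /proc is
# unavailable; call it explicitly on a host you are auditing.
check_live() {
    check_mount_opts "${1:-/dev}" "$(cat /proc/self/mountinfo)"
}

# Demonstration on the constructed sample.
for mp in /dev / /dev/pts; do
    if report=$(check_mount_opts "$mp" "$SAMPLE_MOUNTINFO"); then
        echo "$mp: nosuid and noexec both set"
    else
        echo "$mp: missing ${report:-<not mounted>}"
    fi
done
```

On a live host, `check_live /dev` exits 0 only when both bits are present, so it drops straight into a compliance check or a boot-time sanity script; a return of 2 means /dev is not a separate mount at all, which is a different finding from a mount that merely lacks the options.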