Hello,

> On 22 Jun 2022, at 19:02, Peter Müller wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
>> Hello,
>>
>> I suppose this is coming from changing dracut.
>
> As discussed on the phone already, I don't think dracut is the root cause here, since
> the mount options are fine on systems running Core Update 168. Some change in Core Update
> 169 caused this issue.

Okay. Could we please find out what has been causing this? This is a change I would definitely care about and things like this should not just change.

>
>> Unless I am reading your diff wrong, those options have been added which is a good thing?!
>
> No, it is the other way round. Silly me screwed up the diff. :-/
>
> Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
> /dev. I searched and was unable to find any component where /dev is (re)mounted in the way
> it is shown in the output of "mount".
>
> Do you have any ideas?
>
> Thanks, and best regards,
> Peter Müller
>
>>
>> -Michael
>>
>>> On 20 Jun 2022, at 21:34, Peter Müller wrote:
>>>
>>> Hello *,
>>>
>>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>>> various mount options have changed since Core Update 168, lacking options such as
>>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>>
>>> The complete delta is as follows:
>>>
>>> $ diff -Naur before after
>>> --- before 2022-06-20 20:04:32.436632074 +0000
>>> +++ after 2022-06-20 20:04:34.500401575 +0000
>>> @@ -1,12 +1,12 @@ >>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000) >>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) >>> /dev/sda1 on /boot type ext4 (rw,relatime) >>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro) >>> /dev/sda4 on / type ext4 (rw,relatime) >>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755) >>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755) >>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime) >>> none on /sys/fs/cgroup type cgroup2 (rw,relatime) >>> -/proc on /proc type proc (rw,relatime) >>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755) >>> -/sys on /sys type sysfs (rw,relatime) >>> -tmpfs on /dev/shm type tmpfs (rw,relatime) >>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) >>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) >>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec) >>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755) >>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k) >>> >>> I cannot recall of having this explicitly changed anywhere, and don't understand >>> the root cause for this (unwanted) change. Could somebody please point me into the >>> right direction? :-) >>> >>> Thanks in advance, and best regards, >>> Peter Müller >>
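Review bot: the direction of this diff is inverted relative to the report. The `-` lines for /dev/pts, /dev, /proc, /sys and /dev/shm are the ones without nosuid/nodev/noexec (and the `-` line for /run lacks noexec), while the `+` lines carry them, so as printed it reads as hardening rather than the loss of options described for Core Update 169. Regenerating it with the Core Update 168 output as `before` and the 169 output as `after` would make the regression unambiguous. On the /dev line, size= and nr_inodes= also differ between the two captures, so it is worth confirming that both outputs come from the same machine before comparing options. The device column changes as well (`/proc`, `/sys`, `/run` on one side, `proc`, `sysfs`, `tmpfs` on the other), which may help when searching for the component that performs each mount.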