This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 0664b1720d2d32f01ad9b9126450e35aa4d357df (commit) from 617bb64f6315b93f7b6dbbe7304ae634ca4fad78 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 0664b1720d2d32f01ad9b9126450e35aa4d357df Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 25 22:20:48 2022 +0000
linux: Amend upstream patch to harden mount points of /dev
This patch, which has been merged into the mainline Linux kernel but not yet backported to the 5.15.x tree, precisely addresses our situation: IPFire does not use systemd, but relies on CONFIG_DEVTMPFS_MOUNT.
The only explanation I have for bug #12889 arising _now_ is that some component (dracut, maybe) changed its behaviour regarding remounting of already mounted special file systems. As current dracut won't (re)mount any file system already found to be mounted, this means that the mount options decided by the kernel remained untouched for /dev, hence being weak in terms of options hardening possible.
As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes to kernel configurations have been simulated.
Fixes: #12889 Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/kernel/kernel.config.aarch64-ipfire | 1 + config/kernel/kernel.config.armv6l-ipfire | 1 + config/kernel/kernel.config.riscv64-ipfire | 1 + config/kernel/kernel.config.x86_64-ipfire | 2 + lfs/linux | 3 + .../devtmpfs-mount-with-noexec-and-nosuid.patch | 93 ++++++++++++++++++++++ 6 files changed, 101 insertions(+) create mode 100644 src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index f475c4488..469884b20 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1810,6 +1810,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
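Review bot: `CONFIG_DEVTMPFS_SAFE=y` is only a known symbol once the devtmpfs patch added by this same commit has been applied to the kernel tree, so if that patch ever fails to apply or is dropped, the config sync will silently discard the line and /dev goes back to being mounted without nosuid,noexec with no build error. The identical hunks in the armv6l, riscv64 and x86_64 configs below have the same dependency. As the commit message says the option never showed up in `make menuconfig`, it is worth confirming on a built kernel (e.g. the mount options shown for /dev after boot) that the symbol actually took effect, and a comment next to the patch line in lfs/linux would document that the config lines rely on it.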
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 6b33541c8..dc0aee51b 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -1817,6 +1817,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index f1364d143..0801f4389 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -1417,6 +1417,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 27ae709b1..06d98e325 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1822,6 +1822,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
@@ -7298,6 +7299,7 @@ CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines
 
+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
diff --git a/lfs/linux b/lfs/linux
index 50048a02f..384ed9d89 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
 
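Review bot: `CONFIG_LIB_MEMNEQ=y` is added only to the x86_64 config and is not mentioned in the commit message, which is about `CONFIG_DEVTMPFS_SAFE`. If it is a by-product of the simulated config regeneration the message describes, the aarch64, armv6l and riscv64 configs would presumably pick up the same symbol and should be kept in sync; if it is an unrelated change, a separate commit with its own rationale would make the history easier to audit. Either way a sentence in the message saying where the line comes from would help.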
+ # https://bugzilla.ipfire.org/show_bug.cgi?id=12889
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 # Apply Arm-multiarch kernel patches.
 cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
diff --git a/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
new file mode 100644
index 000000000..222b7b6ea
--- /dev/null
+++ b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
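Review bot: The new `patch -Np1` line gives no indication of when the local patch can be retired, and unlike the sibling `linux-5.15-NFQUEUE-...` patch applied just above it the file name carries no kernel version. Since the commit message says the change is upstream but not yet in the 5.15.x tree, a comment such as `# upstream commit 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4, drop once it lands in the 5.15.x tree` next to the bugzilla link would let the next kernel update remove it instead of carrying a patch that may then fail to apply. The recipe containing these lines starts and continues outside the hunk.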
@@ -0,0 +1,93 @@
+From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001
+From: Kees Cook keescook@chromium.org
+Date: Wed, 22 Dec 2021 17:50:20 +0500
+Subject: devtmpfs: mount with noexec and nosuid
+
+devtmpfs is writable. Add the noexec and nosuid as default mount flags
+to prevent code execution from /dev. The systems who don't use systemd
+and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
+this patch. Other systems are fine with the udev solution.
+
+No sane program should be relying on executing from /dev. So this patch
+reduces the attack surface. It doesn't prevent any specific attack, but
+it reduces the possibility that someone can use /dev as a place to put
+executable code. Chrome OS has been carrying this patch for several
+years. It seems trivial and simple solution to improve the protection of
+/dev when CONFIG_DEVTMPFS_MOUNT=y.
+
+Original patch:
+https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/
+
+Cc: ellyjones@chromium.org
+Cc: Kay Sievers kay@vrfy.org
+Cc: Roland Eggner edvx1@systemanalysen.net
+Co-developed-by: Muhammad Usama Anjum usama.anjum@collabora.com
+Signed-off-by: Kees Cook keescook@chromium.org
+Signed-off-by: Muhammad Usama Anjum usama.anjum@collabora.com
+Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD6...
+Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
+---
+ drivers/base/Kconfig | 11 +++++++++++
+ drivers/base/devtmpfs.c | 10 ++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
+index ffcbe2bc460eb..6f04b831a5c04 100644
+--- a/drivers/base/Kconfig
++++ b/drivers/base/Kconfig
+@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
+ rescue mode with init=/bin/sh, even when the /dev directory
+ on the rootfs is completely empty.
+ 
++config DEVTMPFS_SAFE
++ bool "Use nosuid,noexec mount options on devtmpfs"
++ depends on DEVTMPFS
++ help
++ This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
++ flags when mounting devtmpfs.
++
++ Notice: If enabled, things like /dev/mem cannot be mmapped
++ with the PROT_EXEC flag. This can break, for example, non-KMS
++ video drivers.
++
+ config STANDALONE
+ bool "Select only drivers that don't need compile-time external firmware"
+ default y
+diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
+index 8be352ab4ddbf..1e2c2d3882e2c 100644
+--- a/drivers/base/devtmpfs.c
++++ b/drivers/base/devtmpfs.c
+@@ -29,6 +29,12 @@
+ #include <uapi/linux/mount.h>
+ #include "base.h"
+ 
++#ifdef CONFIG_DEVTMPFS_SAFE
++#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID)
++#else
++#define DEVTMPFS_MFLAGS (MS_SILENT)
++#endif
++
+ static struct task_struct *thread;
+ 
+ static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
+@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
+ if (!thread)
+ return 0;
+ 
+- err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
++ err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ if (err)
+ printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
+ else
+@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
+ err = ksys_unshare(CLONE_NEWNS);
+ if (err)
+ goto out;
+- err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
++ err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ if (err)
+ goto out;
+ init_chdir("/.."); /* will traverse into overmounted root */
+-- 
+cgit
+
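Review bot: `DEVTMPFS_MFLAGS` only governs the two `init_mount()` calls in `devtmpfs_mount()` and `devtmpfs_setup()`, i.e. the kernel's own initial mount of devtmpfs; nothing in the patch prevents a later userspace remount of /dev from dropping `MS_NOSUID`/`MS_NOEXEC` again, and the commit message itself says the hardening currently holds only because dracut leaves already-mounted file systems alone. It would be worth having the boot sequence or a test check that /dev still carries `nosuid,noexec` once init has finished, so a future dracut or udev change cannot silently undo this. The Kconfig help text also warns that `/dev/mem` can no longer be mmapped with `PROT_EXEC`, which can break non-KMS video drivers; a sentence in the commit message recording that this was judged acceptable for IPFire would help future readers. Both `devtmpfs_mount()` and `devtmpfs_setup()` start outside the shown hunks.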