* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 0664b1720d2d32f01ad9b9126450e35aa4d357df
@ 2022-06-25 22:26 Peter Müller
From: Peter Müller @ 2022-06-25 22:26 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  0664b1720d2d32f01ad9b9126450e35aa4d357df (commit)
      from  617bb64f6315b93f7b6dbbe7304ae634ca4fad78 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0664b1720d2d32f01ad9b9126450e35aa4d357df
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Sat Jun 25 22:20:48 2022 +0000

    linux: Amend upstream patch to harden mount points of /dev
    
    This patch, which has been merged into the mainline Linux kernel, but
    not yet backported to the 5.15.x tree, precisely addresses our
    situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.
    
    The only explanation I have for bug #12889 arising _now_ is that some
    component (dracut, maybe) changed its behaviour regarding remounting of
    already mounted special file systems. As current dracut won't (re)mount
    any file system already found to be mounted, this means that the mount
    options chosen by the kernel remained in effect for /dev, so /dev ended up
    without the hardening mount options (such as nosuid and noexec) that a
    userspace remount would otherwise have applied.
    
    As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
    to kernel configurations have been simulated.
    
    Fixes: #12889
    Cc: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire         |  1 +
 config/kernel/kernel.config.armv6l-ipfire          |  1 +
 config/kernel/kernel.config.riscv64-ipfire         |  1 +
 config/kernel/kernel.config.x86_64-ipfire          |  2 +
 lfs/linux                                          |  3 +
 .../devtmpfs-mount-with-noexec-and-nosuid.patch    | 93 ++++++++++++++++++++++
 6 files changed, 101 insertions(+)
 create mode 100644 src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch

Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index f475c4488..469884b20 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1810,6 +1810,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 6b33541c8..dc0aee51b 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -1817,6 +1817,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index f1364d143..0801f4389 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -1417,6 +1417,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 27ae709b1..06d98e325 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1822,6 +1822,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y
 
@@ -7298,6 +7299,7 @@ CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines
 
+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
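Review bot: `CONFIG_LIB_MEMNEQ=y` is added here only for x86_64 and is not mentioned in the commit message, which describes this commit as enabling CONFIG_DEVTMPFS_SAFE; it looks like a by-product of the "simulated" config regeneration rather than an intended change. Judging by its placement right after the "Crypto library routines" section it is presumably a selected helper-library symbol whose value is forced by other options, but that is an inference to verify. If it is intentional, say so in the commit message and check whether the aarch64, armv6l and riscv64 configs need the same line so the four configs stay consistent; otherwise drop it from this commit so the hardening change stays self-contained.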
diff --git a/lfs/linux b/lfs/linux
index 50048a02f..384ed9d89 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
 
+	# https://bugzilla.ipfire.org/show_bug.cgi?id=12889
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
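Review bot: The new comment records only the bugzilla entry, while the patch itself is a mainline commit that will land in a later kernel, so there is nothing here telling the person doing the next kernel bump when this patch can be dropped; the sibling patch above also uses a `linux-5.15-` prefix that the new file name does not. I would write the comment as `# https://bugzilla.ipfire.org/show_bug.cgi?id=12889 - upstream 28f0c335dd4a, drop once 5.15.x carries it` and name the file `linux-5.15-devtmpfs-mount-with-noexec-and-nosuid.patch` to match the convention already used. The `$(TARGET)` recipe this hunk sits in starts and ends outside the hunk.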
diff --git a/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
new file mode 100644
index 000000000..222b7b6ea
--- /dev/null
+++ b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
@@ -0,0 +1,93 @@
+From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook(a)chromium.org>
+Date: Wed, 22 Dec 2021 17:50:20 +0500
+Subject: devtmpfs: mount with noexec and nosuid
+
+devtmpfs is writable. Add the noexec and nosuid as default mount flags
+to prevent code execution from /dev. The systems who don't use systemd
+and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
+this patch. Other systems are fine with the udev solution.
+
+No sane program should be relying on executing from /dev. So this patch
+reduces the attack surface. It doesn't prevent any specific attack, but
+it reduces the possibility that someone can use /dev as a place to put
+executable code. Chrome OS has been carrying this patch for several
+years. It seems trivial and simple solution to improve the protection of
+/dev when CONFIG_DEVTMPFS_MOUNT=y.
+
+Original patch:
+https://lore.kernel.org/lkml/20121120215059.GA1859(a)www.outflux.net/
+
+Cc: ellyjones(a)chromium.org
+Cc: Kay Sievers <kay(a)vrfy.org>
+Cc: Roland Eggner <edvx1(a)systemanalysen.net>
+Co-developed-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com>
+Signed-off-by: Kees Cook <keescook(a)chromium.org>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com>
+Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd(a)debian-BULLSEYE-live-builder-AMD64
+Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
+---
+ drivers/base/Kconfig    | 11 +++++++++++
+ drivers/base/devtmpfs.c | 10 ++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
+index ffcbe2bc460eb..6f04b831a5c04 100644
+--- a/drivers/base/Kconfig
++++ b/drivers/base/Kconfig
+@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
+ 	  rescue mode with init=/bin/sh, even when the /dev directory
+ 	  on the rootfs is completely empty.
+ 
++config DEVTMPFS_SAFE
++	bool "Use nosuid,noexec mount options on devtmpfs"
++	depends on DEVTMPFS
++	help
++	  This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
++	  flags when mounting devtmpfs.
++
++	  Notice: If enabled, things like /dev/mem cannot be mmapped
++	  with the PROT_EXEC flag. This can break, for example, non-KMS
++	  video drivers.
++
+ config STANDALONE
+ 	bool "Select only drivers that don't need compile-time external firmware"
+ 	default y
+diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
+index 8be352ab4ddbf..1e2c2d3882e2c 100644
+--- a/drivers/base/devtmpfs.c
++++ b/drivers/base/devtmpfs.c
+@@ -29,6 +29,12 @@
+ #include <uapi/linux/mount.h>
+ #include "base.h"
+ 
++#ifdef CONFIG_DEVTMPFS_SAFE
++#define DEVTMPFS_MFLAGS       (MS_SILENT | MS_NOEXEC | MS_NOSUID)
++#else
++#define DEVTMPFS_MFLAGS       (MS_SILENT)
++#endif
++
+ static struct task_struct *thread;
+ 
+ static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
+@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
+ 	if (!thread)
+ 		return 0;
+ 
+-	err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
++	err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ 	if (err)
+ 		printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
+ 	else
+@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
+ 	err = ksys_unshare(CLONE_NEWNS);
+ 	if (err)
+ 		goto out;
+-	err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
++	err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ 	if (err)
+ 		goto out;
+ 	init_chdir("/.."); /* will traverse into overmounted root */
+-- 
+cgit 
+
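Review bot: The Kconfig help text in this patch warns that with DEVTMPFS_SAFE enabled nodes such as /dev/mem can no longer be mmap()ed with PROT_EXEC and that non-KMS video drivers can break, but neither the commit message nor the lfs comment records that this trade-off was checked for IPFire; on a headless firewall it is presumably harmless, but the arm boards with vendor graphics userspace are the place to confirm. Since the commit message attributes bug #12889 to dracut no longer remounting an already-mounted /dev, it would also be worth verifying on a built image that `grep devtmpfs /proc/mounts` shows `nosuid,noexec` after boot and that no later init step remounts /dev without them, otherwise the kernel-side flags are silently undone. Note that noexec does not stop an interpreter from reading a script out of /dev, which matches the patch's own statement that it reduces attack surface rather than preventing a specific attack, so it should be described as such in the IPFire changelog. The `cgit` trailer after the final `-- ` line is harmless to `patch -Np1` but is not the usual git version line, which suggests the patch was exported from a web view rather than `git format-patch`.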


hooks/post-receive
--
IPFire 2.x development tree

