From: Peter Müller
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 0664b1720d2d32f01ad9b9126450e35aa4d357df
Date: Sat, 25 Jun 2022 22:26:50 +0000
Message-ID: <4LVpWG5TYDz2xxY@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  0664b1720d2d32f01ad9b9126450e35aa4d357df (commit)
      from  617bb64f6315b93f7b6dbbe7304ae634ca4fad78 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0664b1720d2d32f01ad9b9126450e35aa4d357df
Author: Peter Müller
Date:   Sat Jun 25 22:20:48 2022 +0000

    linux: Amend upstream patch to harden mount points of /dev

    This patch, which has been merged into the mainline Linux kernel, but
    not yet backported to the 5.15.x tree, precisely addresses our
    situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.

    The only explanation I have for bug #12889 arising _now_ is that some
    component (dracut, maybe) changed its behaviour regarding remounting
    of already mounted special file systems. As current dracut won't
    (re)mount any file system already found to be mounted, this means that
    the mount options decided by the kernel remained untouched for /dev,
    hence being weak in terms of options hardening possible.

    As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
    to kernel configurations have been simulated.
=20 Fixes: #12889 Cc: Michael Tremer Signed-off-by: Peter M=C3=BCller ----------------------------------------------------------------------- Summary of changes: config/kernel/kernel.config.aarch64-ipfire | 1 + config/kernel/kernel.config.armv6l-ipfire | 1 + config/kernel/kernel.config.riscv64-ipfire | 1 + config/kernel/kernel.config.x86_64-ipfire | 2 + lfs/linux | 3 + .../devtmpfs-mount-with-noexec-and-nosuid.patch | 93 ++++++++++++++++++++= ++ 6 files changed, 101 insertions(+) create mode 100644 src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.p= atch Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kerne= l.config.aarch64-ipfire index f475c4488..469884b20 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1810,6 +1810,7 @@ CONFIG_UEVENT_HELPER=3Dy CONFIG_UEVENT_HELPER_PATH=3D"" CONFIG_DEVTMPFS=3Dy CONFIG_DEVTMPFS_MOUNT=3Dy +CONFIG_DEVTMPFS_SAFE=3Dy CONFIG_STANDALONE=3Dy CONFIG_PREVENT_FIRMWARE_BUILD=3Dy =20 diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel= .config.armv6l-ipfire index 6b33541c8..dc0aee51b 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -1817,6 +1817,7 @@ CONFIG_UEVENT_HELPER=3Dy CONFIG_UEVENT_HELPER_PATH=3D"" CONFIG_DEVTMPFS=3Dy CONFIG_DEVTMPFS_MOUNT=3Dy +CONFIG_DEVTMPFS_SAFE=3Dy CONFIG_STANDALONE=3Dy CONFIG_PREVENT_FIRMWARE_BUILD=3Dy =20 diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kerne= l.config.riscv64-ipfire index f1364d143..0801f4389 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -1417,6 +1417,7 @@ CONFIG_UEVENT_HELPER=3Dy CONFIG_UEVENT_HELPER_PATH=3D"" CONFIG_DEVTMPFS=3Dy CONFIG_DEVTMPFS_MOUNT=3Dy +CONFIG_DEVTMPFS_SAFE=3Dy CONFIG_STANDALONE=3Dy CONFIG_PREVENT_FIRMWARE_BUILD=3Dy =20 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel= .config.x86_64-ipfire index 27ae709b1..06d98e325 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1822,6 +1822,7 @@ CONFIG_UEVENT_HELPER=3Dy CONFIG_UEVENT_HELPER_PATH=3D"" CONFIG_DEVTMPFS=3Dy CONFIG_DEVTMPFS_MOUNT=3Dy +CONFIG_DEVTMPFS_SAFE=3Dy CONFIG_STANDALONE=3Dy CONFIG_PREVENT_FIRMWARE_BUILD=3Dy =20 @@ -7298,6 +7299,7 @@ CONFIG_CRYPTO_LIB_CHACHA20POLY1305=3Dm CONFIG_CRYPTO_LIB_SHA256=3Dy # end of Crypto library routines =20 +CONFIG_LIB_MEMNEQ=3Dy CONFIG_CRC_CCITT=3Dy CONFIG_CRC16=3Dy CONFIG_CRC_T10DIF=3Dy diff --git a/lfs/linux b/lfs/linux index 50048a02f..384ed9d89 100644 --- a/lfs/linux +++ b/lfs/linux @@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # https://bugzilla.ipfire.org/show_bug.cgi?id=3D12760 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUE= UE-Hold-RCU-read-lock-while-calling-nf_reinject.patch =20 + # https://bugzilla.ipfire.org/show_bug.cgi?id=3D12889 + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-w= ith-noexec-and-nosuid.patch + ifeq "$(BUILD_ARCH)" "armv6l" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz = | patch -Np1 diff --git a/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch b/= src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch new file mode 100644 index 000000000..222b7b6ea --- /dev/null +++ b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch 
@@ -0,0 +1,93 @@ +From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 22 Dec 2021 17:50:20 +0500 +Subject: devtmpfs: mount with noexec and nosuid + +devtmpfs is writable. Add the noexec and nosuid as default mount flags +to prevent code execution from /dev. The systems who don't use systemd +and who rely on CONFIG_DEVTMPFS_MOUNT=3Dy are the ones to be protected by +this patch. Other systems are fine with the udev solution. + +No sane program should be relying on executing from /dev. So this patch +reduces the attack surface. It doesn't prevent any specific attack, but +it reduces the possibility that someone can use /dev as a place to put +executable code. Chrome OS has been carrying this patch for several +years. It seems trivial and simple solution to improve the protection of +/dev when CONFIG_DEVTMPFS_MOUNT=3Dy. + +Original patch: +https://lore.kernel.org/lkml/20121120215059.GA1859(a)www.outflux.net/ + +Cc: ellyjones(a)chromium.org +Cc: Kay Sievers +Cc: Roland Eggner +Co-developed-by: Muhammad Usama Anjum +Signed-off-by: Kees Cook +Signed-off-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd(a)debian-BULLSEYE-live-buil= der-AMD64 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/Kconfig | 11 +++++++++++ + drivers/base/devtmpfs.c | 10 ++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig +index ffcbe2bc460eb..6f04b831a5c04 100644 +--- a/drivers/base/Kconfig ++++ b/drivers/base/Kconfig +@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT + rescue mode with init=3D/bin/sh, even when the /dev directory + on the rootfs is completely empty. +=20 ++config DEVTMPFS_SAFE ++ bool "Use nosuid,noexec mount options on devtmpfs" ++ depends on DEVTMPFS ++ help ++ This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount ++ flags when mounting devtmpfs. 
++ ++ Notice: If enabled, things like /dev/mem cannot be mmapped ++ with the PROT_EXEC flag. This can break, for example, non-KMS ++ video drivers. ++ + config STANDALONE + bool "Select only drivers that don't need compile-time external firmware" + default y +diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c +index 8be352ab4ddbf..1e2c2d3882e2c 100644 +--- a/drivers/base/devtmpfs.c ++++ b/drivers/base/devtmpfs.c +@@ -29,6 +29,12 @@ + #include + #include "base.h" +=20 ++#ifdef CONFIG_DEVTMPFS_SAFE ++#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID) ++#else ++#define DEVTMPFS_MFLAGS (MS_SILENT) ++#endif ++ + static struct task_struct *thread; +=20 + static int __initdata mount_dev =3D IS_ENABLED(CONFIG_DEVTMPFS_MOUNT); +@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void) + if (!thread) + return 0; +=20 +- err =3D init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL); ++ err =3D init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL); + if (err) + printk(KERN_INFO "devtmpfs: error mounting %i\n", err); + else +@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p) + err =3D ksys_unshare(CLONE_NEWNS); + if (err) + goto out; +- err =3D init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL); ++ err =3D init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); + if (err) + goto out; + init_chdir("/.."); /* will traverse into overmounted root */ +--=20 +cgit=20 + hooks/post-receive -- IPFire 2.x development tree --===============3745382415910392090==--
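Review bot: the second hunk in kernel.config.x86_64-ipfire adds `+CONFIG_LIB_MEMNEQ=y`, which is unrelated to devtmpfs and is not mentioned anywhere in the commit message; it also shows up only in the x86_64 config, not in the aarch64, armv6l or riscv64 ones that get the same DEVTMPFS_SAFE line. Either state in the message where it comes from (presumably a symbol that was pulled in when the config was regenerated) or move it into its own commit, so the /dev hardening stays a one-line change per architecture and the asymmetry between the four configs is explained.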
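Review bot: in the lfs/linux hunk the new `patch -Np1` line sits before the `ifeq "$(BUILD_ARCH)" "armv6l"` block, so it is applied on all four architectures, which is consistent with the four config changes. Two style points: the file is named `devtmpfs-mount-with-noexec-and-nosuid.patch` without the `linux-5.15-` prefix the neighbouring NFQUEUE patch uses, and the comment above it carries only the bugzilla URL. Since the commit message says this is a mainline change not yet in 5.15.x, naming the file with the kernel version and adding the upstream commit id from the patch header (28f0c335dd4a) to the comment would make it obvious when the patch can be dropped on the next kernel bump.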
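Review bot: the Kconfig hunk in the new patch file adds a help text for DEVTMPFS_SAFE that explicitly warns that, once enabled, /dev/mem can no longer be mmapped with PROT_EXEC and that this can break non-KMS video drivers; the commit message does not say whether anything shipped by IPFire depends on that. Because the config files were "simulated" rather than produced by menuconfig, the message should also record that a build with the option set was booted and `/proc/mounts` shows `nosuid,noexec` on /dev, since that observation is the actual fix for #12889 and the only evidence that the hand-edited symbol was accepted by the kernel build rather than silently dropped.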
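Review bot: the devtmpfs.c hunks switch both init_mount() call sites to DEVTMPFS_MFLAGS, so the flags cover the early mount at "/" in devtmpfs_setup() as well as the later mount at "dev" in devtmpfs_mount(), and the `#else` branch of the macro keeps MS_SILENT, so a build without DEVTMPFS_SAFE is behaviourally unchanged. Nothing to change here; noting it because the `#else` branch is easy to skip when reading and losing MS_SILENT there would be a regression for every other configuration.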