[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2023-04-26 Thread Jürgen Gmach
** Changed in: systemd (Ubuntu)
     Assignee: cristian swing (sed1991s) => (unassigned)

** Changed in: systemd (Ubuntu Focal)
     Assignee: cristian swing (sed1991s) => (unassigned)

** Changed in: systemd (Ubuntu Jammy)
     Assignee: cristian swing (sed1991s) => (unassigned)

** Changed in:

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2023-04-26 Thread Guruprasad
These metadata edits on this bug and a few others look spammy to me. Taking the appropriate action now.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1991975

Title: dev

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2023-04-26 Thread Dimitri John Ledkov
I'm not too sure if updates from sed1991s above are correct

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2023-04-26 Thread cristian swing
** Changed in: linux (Ubuntu Focal)
       Status: In Progress => Fix Released

** Changed in: linux (Ubuntu Jammy)
       Status: In Progress => Fix Released

** Changed in: systemd (Ubuntu Focal)
       Status: Invalid => Fix Released

** Changed in: systemd (Ubuntu Jammy)
       Status: Invalid

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-25 Thread Dave Chiluk
So where are we on this, folks?

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-13 Thread Seth Arnold
Just a heads-up that SGX has been deprecated by Intel:
https://edc.intel.com/content/www/us/en/design/ipla/software-development-platforms/client/platforms/alder-lake-desktop/12th-generation-intel-core-processors-datasheet-volume-1-of-2/004/deprecated-technologies/

===
The processor has

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-12 Thread Dimitri John Ledkov
initramfs-tools also mounts /dev with nosuid, without noexec:

> mount -t devtmpfs -o nosuid,mode=0755 udev /dev

I believe all of these should be the same; thus the kernel can mount /dev with nosuid, but should not mount it with noexec.

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-12 Thread Dave Chiluk
Alright, so that means we either need to push a change to remove noexec from the kernel init code, or we go ahead with noexec and give people an option to remount with exec should they want SGX functionality. I do think the nosuid flag does still provide some benefit even if we decide not to

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-12 Thread Nick Rosbrook
FWIW upstream systemd removed the MS_NOEXEC flag from /dev in https://github.com/systemd/systemd/commit/4eb105fa4aae30566d23382e8c9430eddf1a3dd4.

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-12 Thread Dimitri John Ledkov
./src/nspawn/nspawn-mount.c missing NO_EXEC on /dev
./src/shared/mount-setup.c missing NO_EXEC on /dev when booting containers

** Changed in: systemd (Ubuntu)
       Status: Invalid => New

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-12 Thread Dimitri John Ledkov
./src/nspawn/nspawn-mount.c missing NO_EXEC on /dev
./src/shared/mount-setup.c missing NO_EXEC on /dev when booting containers

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-12 Thread Lukas Märdian
Setting the systemd bug task to "Invalid", as this is being handled in the kernel.

** Changed in: systemd (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: systemd (Ubuntu Focal)
       Status: Confirmed => Invalid

** Changed in: systemd (Ubuntu Jammy)
       Status: Confirmed =>

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-11 Thread Tim Gardner
** Changed in: linux (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Focal)
       Status: Confirmed => In Progress

** Changed in: linux (Ubuntu Focal)
     Assignee: (unassigned) => Dave Chiluk (chiluk)

** Changed in: linux (Ubuntu Jammy)
   Importance: Undecided

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-10 Thread Dave Chiluk
In case anyone is curious, the conversation is ongoing on the kernel-team mailing list:
https://lists.ubuntu.com/archives/kernel-team/2022-October/133764.html

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-10 Thread Dimitri John Ledkov
@juliank please test initrd-less boot; for example lxc launch --vm, which uses the linux-kvm flavour booted without an initrd. There are differences in the mount options as applied by initramfs-tools, systemd, and the kernel itself.

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-10 Thread Dave Chiluk
@juliank, is this an AWS system? If not, there's a good chance that you are using an initramfs to mount the filesystems. That's defined in either /etc/init.d/udev or directly in the init that lives in the initramfs.

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-10 Thread Julian Andres Klode
On my kinetic system, /dev has nosuid, but no noexec.

** Tags added: foundations-triage-discuss

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec

2022-10-07 Thread Dave Chiluk
Here is a workaround for this issue in case anyone finds this in the future.

Copy remount_dev.service to /etc/systemd/system

  sudo chown root:root /etc/systemd/system/remount_dev.service
  sudo systemctl daemon-reload
  sudo systemctl enable remount_dev.service

Still I think the kernel patch should

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-07 Thread Dave Chiluk
** Information type changed from Private Security to Public Security

** Summary changed:

- dev file system is mounted without nosuid
+ dev file system is mounted without nosuid or noexec

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
** Description changed:

+ [ SRU TEMPLATE ]
+ [ Impact ]
+
+  * nosuid, and noexec bits are not set on /dev
+  * This has the potential for nefarious actors to use this as an avenue for attack. See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for more discussion around this.
+  *

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
** Changed in: linux (Ubuntu Jammy)
       Status: New => Confirmed

** Changed in: systemd (Ubuntu Jammy)
       Status: New => Confirmed

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Jammy)
   Importance: Undecided
       Status: New

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
Looks like Kees already found this years ago:
https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/

Looks like it was accepted as commit 28f0c335dd4a1 in 5.17. So I think we should apply this patch and the corresponding set CONFIG_DEVTMPFS_SAFE=y at least for the

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Simon Déziel
I can confirm the issue on an *old* GCP instance:

$ mount | grep devtmp
devtmpfs on /dev type devtmpfs (rw,relatime,size=490260k,nr_inodes=122565,mode=755,inode64)
$ cat /etc/cloud/build.info
build_name: server
serial: 20200902
$ uname -a
Linux mx1 5.15.0-1018-gcp #24~20.04.1-Ubuntu SMP Mon

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: systemd (Ubuntu Focal)
       Status: New => Confirmed

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: linux (Ubuntu Focal)
       Status: New => Confirmed

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
I was hoping to work around this in /etc/init.d/udev, but it looks like that gets redirected to systemctl via . lib/lsb/init-functions

** Description changed:

  This is similar to https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 but new. I discovered that my ec2 instances

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
So far I've only tested focal AWS images, but this may likely exist elsewhere as well.

** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Focal)
   Importance: Undecided
       Status: New

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dave Chiluk
** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid

2022-10-06 Thread Dan Watkins
I suspect this is something to do with initrd-less boot: it's usually the initramfs which mounts /dev:
https://git.launchpad.net/ubuntu/+source/initramfs-tools/tree/init#n40

The comment above that line is:

# Note that this only becomes /dev on the real filesystem if udev's scripts
# are used;