Public bug reported:
[Impact]
Use the nosuid,noexec mount options on devtmpfs. This provides a bit of
extra security by preventing mmapping of files in /dev with PROT_EXEC
and by refusing to honour setuid executables placed there.
[Test case]
If we really want to provide a test case for this...:
$ grep devtmpfs /proc/mounts
We should see nosuid,noexec in the mount options if this change is
applied, otherwise we should only see nosuid (or none of the above).
[Fix]
Enable CONFIG_DEVTMPFS_SAFE.
[Regression potential]
This change can potentially break some drivers that require mmapping
/dev/mem with the PROT_EXEC flag (for example non-KMS video drivers, or
drivers that need to execute BIOS / firmware code directly from
/dev/mem).
However, it'd be nice to find out whether any drivers still rely on this
dangerous behavior, and to provide some additional safety measures in
the system.
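The test case above is a visual grep; the following POSIX shell function (an added example, not part of the bug report) makes the same check scriptable by parsing a /proc/mounts-style listing and classifying the devtmpfs entry. The sample listings are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: classify the devtmpfs mount options in a /proc/mounts
# listing. CONFIG_DEVTMPFS_SAFE is expected to yield both nosuid and noexec.

# Usage: devtmpfs_opts_status MOUNTS_TEXT
# Prints one of: safe | nosuid-only | noexec-only | unsafe | missing
# Returns 0 only for "safe".
devtmpfs_opts_status() {
    # /proc/mounts fields: source mountpoint fstype options dump pass
    line=$(printf '%s\n' "$1" | awk '$3 == "devtmpfs" { print; exit }')
    [ -n "$line" ] || { echo missing; return 1; }
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    has_nosuid=0; has_noexec=0
    # Wrap in commas so "nosuid" cannot match inside a longer option.
    case ",$opts," in *,nosuid,*) has_nosuid=1;; esac
    case ",$opts," in *,noexec,*) has_noexec=1;; esac
    if [ "$has_nosuid" -eq 1 ] && [ "$has_noexec" -eq 1 ]; then
        echo safe; return 0
    elif [ "$has_nosuid" -eq 1 ]; then
        echo nosuid-only; return 1
    elif [ "$has_noexec" -eq 1 ]; then
        echo noexec-only; return 1
    else
        echo unsafe; return 1
    fi
}

# Constructed sample listings (not from a real machine).
SAMPLE_SAFE='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,noexec,relatime,size=8042920k,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0'
SAMPLE_OLD='udev /dev devtmpfs rw,nosuid,relatime,size=8042920k,mode=755 0 0'

# When run directly, report on the live system (may print "missing" in
# containers that mount /dev as tmpfs rather than devtmpfs).
if [ -r /proc/mounts ]; then
    devtmpfs_opts_status "$(cat /proc/mounts)" || :
fi
```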
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Kinetic)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1974442
Title:
enable CONFIG_DEVTMPFS_SAFE