Change /dev to be mounted by default with /noexec #725
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
@mrunalp PTAL |
Contributor
Author
|
@runtime-tools-maintainers PTAL |
Contributor
Author
|
@ caniszczyk, @crosbymichael, @dqminh, @hqhq, @liangchenye, @Mashimiao, @mrunalp, @tianon, @vbatts,@vishh, @zhouhao3 PTAL |
Contributor
Author
|
For what it is worth, I ran this change through Podman's test suite with no failures. |
tianon
approved these changes
Sep 24, 2021
Member
tianon
left a comment
tianon
left a comment
There was a problem hiding this comment.
LGTM, although I'm not sure whether many other projects are using this particular code? (I believe runc, containerd, etc all have their own versions of this)
Contributor
Author
|
Well it is used in Podman, Buildah, CRI-O. |
Contributor
|
LGTM |
Member
|
bah, Travis needs to be removed and switched to GitHub actions |
|
@caniszczyk ^ |
Contributor
Contributor
|
Let's merge this one only after #728 so we have CI. |
Contributor
|
@rhatdan can you please rebase? This repo has CI now :) |
Podman had an issue, where someone was attemptig to mount all tmpfs within the container as noexec. They were able to get most of it done but "/dev", because it was done down in the runtime spec. I can think of no reason why "/dev", should not be mounted with noexec especially within a container. I know it is not mounted by default in Fedora that way, but I do not know why. Debian looks like it has made the change, and only one bug a couple of years ago showed issues, which would not apply to containers. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940171 Anyways this would make containers "slightly" more secure, and I think it is worth doing. Signed-off-by: Daniel J Walsh <[email protected]>
vbatts
approved these changes
Oct 22, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Podman had an issue, where someone was attemptig to mount all tmpfs
within the container as noexec. They were able to get most of it done
but "/dev", because it was done down in the runtime spec.
I can think of no reason why "/dev", should not be mounted with noexec
especially within a container. I know it is not mounted by default in
Fedora that way, but I do not know why.
Debian looks like it has made the change, and only one bug a couple of
years ago showed issues, which would not apply to containers.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940171
Anyways this would make containers "slightly" more secure, and I think it
is worth doing.
Signed-off-by: Daniel J Walsh [email protected]