mount-setup: make /dev noexec

/dev used to be mounted with "exec" flag due to /dev/MAKEDEV script but that's history and it's now located in /sbin. mmap() with file descriptor to "/dev/zero" (instead of modern mmap(,,,MAP_ANON...)) will still work.
2020-03-07 21:19:09 +02:00 · 2020-03-07 21:19:09 +02:00 · 3b5b6826aa
parent e9cdcbed77
commit 3b5b6826aa
1 changed files with 1 additions and 1 deletions
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@ -64,7 +64,7 @@ static const MountPoint mount_table[] = {
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "proc",        "/proc",                     "proc",       NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_STRICTATIME,
+        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
          NULL,          MNT_FATAL|MNT_IN_CONTAINER },
        { "securityfs",  "/sys/kernel/security",      "securityfs", NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,          MNT_NONE                   },