Message ID | 20240708124734.591324-1-clara.kowalsky@siemens.com |
---|---|
State | Accepted |
Series | [isar-cip-core,v3,1/2] initramfs-overlay-hook: Add INITRAMFS_OVERLAY_MOUNT_OPTION |
On Mon, 2024-07-08 at 14:47 +0200, Clara Kowalsky wrote: > This allows to set options for the mount of the overlay storage > device. > For security reasons, the mount options nodev, nosuid and noexec are > set. > As /var is not intended to support devices, nodev is set to ensure > that > users cannot create a block or character special devices in /var. > Since /var is only intended for variable files such as logs, nosuid > is > set to ensure that users cannot create setuid files in /var. > Noexec is set to ensure that users cannot run executable binaries. > > Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com> > --- > .../initramfs-overlay-hook/files/overlay.script.tmpl | 2 ++ > .../initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb | 4 > +++- > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-overlay- > hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay- > hook/files/overlay.script.tmpl > index 2563dfd..42eb59c 100644 > --- a/recipes-initramfs/initramfs-overlay- > hook/files/overlay.script.tmpl > +++ b/recipes-initramfs/initramfs-overlay- > hook/files/overlay.script.tmpl > @@ -30,12 +30,14 @@ esac > ovl_partition_device="${INITRAMFS_OVERLAY_STORAGE_DEVICE}" > ovl_storage_path="${INITRAMFS_OVERLAY_STORAGE_PATH}" > ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" > +ovl_mount_option="${INITRAMFS_OVERLAY_MOUNT_OPTION}" > > root_mount_storage=${rootmnt}${ovl_storage_path} > storage_mount_point="$(echo "${ovl_storage_path}" | awk -F/ '{print > FS$2}' )" > > if ! mountpoint -q "${rootmnt}${storage_mount_point}"; then > if ! mount -t $(get_fstype ${ovl_partition_device}) \ > + -o ${ovl_mount_option} \ > ${ovl_partition_device} \ > ${rootmnt}${storage_mount_point}; then > panic "Can't mount ${storage_mount_point} partition - > overlay will not work!" 
> diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs- > overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay- > hook/initramfs-overlay-hook_0.1.bb > index 2694766..955748f 100644 > --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay- > hook_0.1.bb > +++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay- > hook_0.1.bb > @@ -29,11 +29,13 @@ INITRAMFS_OVERLAY_STORAGE_PATH ??= "/var/local" > > # override this to switch to UUID or PARTUUID based mounts > INITRAMFS_OVERLAY_STORAGE_DEVICE ??= "/dev/disk/by-label/var" > +INITRAMFS_OVERLAY_MOUNT_OPTION ??= "defaults,nodev,nosuid,noexec" Hi, did you check if noexec works in combination with docker containers? The container layers are usually placed in /var/lib/docker and contain executables that are executed inside the containers rootfs (assembled using e.g. overlayfs2). If not, we should at least document this in the readme and inform our downstream users. Felix > > TEMPLATE_FILES = "overlay.script.tmpl" > TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ > INITRAMFS_OVERLAY_PATHS \ > - INITRAMFS_OVERLAY_STORAGE_DEVICE" > + INITRAMFS_OVERLAY_STORAGE_DEVICE \ > + INITRAMFS_OVERLAY_MOUNT_OPTION" > > DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux" >
> -----Original Message----- > From: Moessbauer, Felix (T CED OES-DE) <felix.moessbauer@siemens.com> > Sent: Tuesday, July 9, 2024 6:42 PM > To: cip-dev@lists.cip-project.org; Kiszka, Jan (T CED) <jan.kiszka@siemens.com>; > Kowalsky, Clara (T CED OES-DE) <clara.kowalsky@siemens.com> > Cc: Gylstorff, Quirin (T CED OES-DE) <quirin.gylstorff@siemens.com> > Subject: Re: [cip-dev][isar-cip-core][PATCH v3 1/2] initramfs-overlay-hook: Add > INITRAMFS_OVERLAY_MOUNT_OPTION > > On Mon, 2024-07-08 at 14:47 +0200, Clara Kowalsky wrote: > > This allows to set options for the mount of the overlay storage > > device. > > For security reasons, the mount options nodev, nosuid and noexec are > > set. > > As /var is not intended to support devices, nodev is set to ensure > > that users cannot create a block or character special devices in /var. > > Since /var is only intended for variable files such as logs, nosuid is > > set to ensure that users cannot create setuid files in /var. > > Noexec is set to ensure that users cannot run executable binaries. > > > > Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com> > > --- > > .../initramfs-overlay-hook/files/overlay.script.tmpl | 2 ++ > > .../initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb | 4 > > +++- > > 2 files changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/recipes-initramfs/initramfs-overlay- > > hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay- > > hook/files/overlay.script.tmpl > > index 2563dfd..42eb59c 100644 > > --- a/recipes-initramfs/initramfs-overlay- > > hook/files/overlay.script.tmpl > > +++ b/recipes-initramfs/initramfs-overlay- > > hook/files/overlay.script.tmpl 
> > @@ -30,12 +30,14 @@ esac > > ovl_partition_device="${INITRAMFS_OVERLAY_STORAGE_DEVICE}" > > ovl_storage_path="${INITRAMFS_OVERLAY_STORAGE_PATH}" > > ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" > > +ovl_mount_option="${INITRAMFS_OVERLAY_MOUNT_OPTION}" > > > > root_mount_storage=${rootmnt}${ovl_storage_path} > > storage_mount_point="$(echo "${ovl_storage_path}" | awk -F/ '{print > > FS$2}' )" > > > > if ! mountpoint -q "${rootmnt}${storage_mount_point}"; then > > if ! mount -t $(get_fstype ${ovl_partition_device}) \ > > + -o ${ovl_mount_option} \ > > ${ovl_partition_device} \ > > ${rootmnt}${storage_mount_point}; then > > panic "Can't mount ${storage_mount_point} partition - > > overlay will not work!" > > diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs- > > overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay- > > hook/initramfs-overlay-hook_0.1.bb > > index 2694766..955748f 100644 > > --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay- > > hook_0.1.bb > > +++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay- > > hook_0.1.bb 
> > @@ -29,11 +29,13 @@ INITRAMFS_OVERLAY_STORAGE_PATH ??= "/var/local" > > > > # override this to switch to UUID or PARTUUID based mounts > > INITRAMFS_OVERLAY_STORAGE_DEVICE ??= "/dev/disk/by-label/var" > > +INITRAMFS_OVERLAY_MOUNT_OPTION ??= "defaults,nodev,nosuid,noexec" > > Hi, > > did you check if noexec works in combination with docker containers? > The container layers are usually placed in /var/lib/docker and contain executables > that are executed inside the containers rootfs (assembled using e.g. overlayfs2). > > If not, we should at least document this in the readme and inform our > downstream users. > > Felix Hi, yes, Quirin and I checked that and docker containers are running fine. Clara > > > > > TEMPLATE_FILES = "overlay.script.tmpl" > > TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ > > INITRAMFS_OVERLAY_PATHS \ > > - INITRAMFS_OVERLAY_STORAGE_DEVICE" > > + INITRAMFS_OVERLAY_STORAGE_DEVICE \ > > + INITRAMFS_OVERLAY_MOUNT_OPTION" > > > > DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux" > > > > -- > Siemens AG, Technology > Linux Expert Center >
On 08.07.24 14:47, Clara Kowalsky wrote: > This allows to set options for the mount of the overlay storage device. > For security reasons, the mount options nodev, nosuid and noexec are > set. > As /var is not intended to support devices, nodev is set to ensure that > users cannot create a block or character special devices in /var. > Since /var is only intended for variable files such as logs, nosuid is > set to ensure that users cannot create setuid files in /var. > Noexec is set to ensure that users cannot run executable binaries. > > Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com> > --- > .../initramfs-overlay-hook/files/overlay.script.tmpl | 2 ++ > .../initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb | 4 +++- > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl > index 2563dfd..42eb59c 100644 > --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl > +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl > @@ -30,12 +30,14 @@ esac > ovl_partition_device="${INITRAMFS_OVERLAY_STORAGE_DEVICE}" > ovl_storage_path="${INITRAMFS_OVERLAY_STORAGE_PATH}" > ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" > +ovl_mount_option="${INITRAMFS_OVERLAY_MOUNT_OPTION}" > > root_mount_storage=${rootmnt}${ovl_storage_path} > storage_mount_point="$(echo "${ovl_storage_path}" | awk -F/ '{print FS$2}' )" > > if ! mountpoint -q "${rootmnt}${storage_mount_point}"; then > if ! mount -t $(get_fstype ${ovl_partition_device}) \ > + -o ${ovl_mount_option} \ > ${ovl_partition_device} \ > ${rootmnt}${storage_mount_point}; then > panic "Can't mount ${storage_mount_point} partition - overlay will not work!" > diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb > index 2694766..955748f 100644 
> --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb > +++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb > @@ -29,11 +29,13 @@ INITRAMFS_OVERLAY_STORAGE_PATH ??= "/var/local" > > # override this to switch to UUID or PARTUUID based mounts > INITRAMFS_OVERLAY_STORAGE_DEVICE ??= "/dev/disk/by-label/var" > +INITRAMFS_OVERLAY_MOUNT_OPTION ??= "defaults,nodev,nosuid,noexec" > > TEMPLATE_FILES = "overlay.script.tmpl" > TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ > INITRAMFS_OVERLAY_PATHS \ > - INITRAMFS_OVERLAY_STORAGE_DEVICE" > + INITRAMFS_OVERLAY_STORAGE_DEVICE \ > + INITRAMFS_OVERLAY_MOUNT_OPTION" > > DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux" > Thanks, applied. Jan
diff --git a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl index 2563dfd..42eb59c 100644 --- a/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl +++ b/recipes-initramfs/initramfs-overlay-hook/files/overlay.script.tmpl @@ -30,12 +30,14 @@ esac ovl_partition_device="${INITRAMFS_OVERLAY_STORAGE_DEVICE}" ovl_storage_path="${INITRAMFS_OVERLAY_STORAGE_PATH}" ovl_lower_dirs="${INITRAMFS_OVERLAY_PATHS}" +ovl_mount_option="${INITRAMFS_OVERLAY_MOUNT_OPTION}" root_mount_storage=${rootmnt}${ovl_storage_path} storage_mount_point="$(echo "${ovl_storage_path}" | awk -F/ '{print FS$2}' )" if ! mountpoint -q "${rootmnt}${storage_mount_point}"; then if ! mount -t $(get_fstype ${ovl_partition_device}) \ + -o ${ovl_mount_option} \ ${ovl_partition_device} \ ${rootmnt}${storage_mount_point}; then panic "Can't mount ${storage_mount_point} partition - overlay will not work!" diff --git a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb index 2694766..955748f 100644 --- a/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb +++ b/recipes-initramfs/initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb @@ -29,11 +29,13 @@ INITRAMFS_OVERLAY_STORAGE_PATH ??= "/var/local" # override this to switch to UUID or PARTUUID based mounts INITRAMFS_OVERLAY_STORAGE_DEVICE ??= "/dev/disk/by-label/var" +INITRAMFS_OVERLAY_MOUNT_OPTION ??= "defaults,nodev,nosuid,noexec" TEMPLATE_FILES = "overlay.script.tmpl" TEMPLATE_VARS += " INITRAMFS_OVERLAY_STORAGE_PATH \ INITRAMFS_OVERLAY_PATHS \ - INITRAMFS_OVERLAY_STORAGE_DEVICE" + INITRAMFS_OVERLAY_STORAGE_DEVICE \ + INITRAMFS_OVERLAY_MOUNT_OPTION" DEBIAN_DEPENDS = "initramfs-tools, awk, coreutils, util-linux"
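Review bot: in the overlay.script.tmpl hunk, `-o ${ovl_mount_option}` is passed unquoted and unconditionally, so a downstream layer that sets INITRAMFS_OVERLAY_MOUNT_OPTION to an empty string leaves a bare `-o` that consumes `${ovl_partition_device}` as its argument, and the mount then fails into the `panic "Can't mount ${storage_mount_point} partition ..."` branch below it. Guard the option with `${ovl_mount_option:+-o "${ovl_mount_option}"}` (or reject an empty value before the mount call) so that clearing the variable degrades to the previous behaviour instead of an unbootable overlay.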
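Review bot: the new default in initramfs-overlay-hook_0.1.bb, `INITRAMFS_OVERLAY_MOUNT_OPTION ??= "defaults,nodev,nosuid,noexec"`, carries no comment, while the variable directly above it has `# override this to switch to UUID or PARTUUID based mounts`. Add a comment stating that this is a comma-separated mount(8) option string applied to the whole storage partition (the script mounts the first path component of INITRAMFS_OVERLAY_STORAGE_PATH, i.e. /var for the /var/local default, not only the overlay directory), and that dropping nodev, nosuid or noexec removes the hardening the commit message describes, so downstream users see the trade-off at the place where they would override it. The README is not touched by this patch, which is where the thread asks for the noexec caveat to be recorded.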
This allows setting options for the mount of the overlay storage device.
For security reasons, the mount options nodev, nosuid and noexec are set.
As /var is not intended to support devices, nodev is set to ensure that users cannot create block or character special devices in /var.
Since /var is only intended for variable files such as logs, nosuid is set to ensure that users cannot create setuid files in /var.
Noexec is set to ensure that users cannot run executable binaries.

Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com>
---
 .../initramfs-overlay-hook/files/overlay.script.tmpl | 2 ++
 .../initramfs-overlay-hook/initramfs-overlay-hook_0.1.bb | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
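As an added example (not code from the isar-cip-core patch or project), the following POSIX shell check verifies on a running system that the partition backing the overlay storage actually carries the options the patch sets. It reuses the hook's own `awk -F/ '{print FS$2}'` derivation of the mount point from the storage path; the mount listing is a constructed sample standing in for /proc/self/mounts, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: confirm that the overlay storage partition is mounted with the
# options configured via INITRAMFS_OVERLAY_MOUNT_OPTION. Not part of the patch.

# Constructed /proc/self/mounts-style listing (not captured from a real device).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Same derivation the hook script uses: /var/local -> /var (first path component).
storage_mount_point() {
    printf '%s' "$1" | awk -F/ '{print FS$2}'
}

# mount_has_options <mountpoint> <comma-separated options> [mounts listing]
# Returns 0 if every option is present, 1 if one is missing, 2 if not mounted.
# The listing defaults to the live /proc/self/mounts when not supplied.
mount_has_options() {
    mp="$1"; required="$2"; listing="${3:-$(cat /proc/self/mounts)}"
    # Fourth field of the last matching entry is the effective option string.
    opts=$(printf '%s\n' "$listing" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 2
    # "defaults" is an fstab keyword that the kernel never reports back; skip it.
    required=$(printf '%s' "$required" | tr ',' '\n' | sed '/^defaults$/d')
    for o in $required; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_overlay_storage <INITRAMFS_OVERLAY_STORAGE_PATH> <INITRAMFS_OVERLAY_MOUNT_OPTION> [listing]
check_overlay_storage() {
    mount_has_options "$(storage_mount_point "$1")" "$2" "$3"
}
```

Run `check_overlay_storage /var/local defaults,nodev,nosuid,noexec` on the target (without the third argument) to read the live mount table; a non-zero exit is the signal to audit how the variable was overridden downstream.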