From fee6d0a3a6ad4e43a27460ca466617d1adb7f045 Mon Sep 17 00:00:00 2001 From: Sergey Bugaev Date: Sun, 12 Jan 2020 19:40:50 +0300 Subject: [PATCH] Kernel+Base: Mount root as nodev,nosuid Then bind-mount /dev and /bin while adding back the appropriate permissions :^) --- Base/etc/fstab | 8 +++++++- Kernel/FileSystem/VirtualFileSystem.cpp | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Base/etc/fstab b/Base/etc/fstab index 6bf8c7d8b61..08b414ddec3 100644 --- a/Base/etc/fstab +++ b/Base/etc/fstab @@ -1,4 +1,10 @@ -/dev/hda / ext2 +# Root file system. This is a fake entry which gets ignored by `mount -a`; +# the actual logic for mounting root is in the kernel. +/dev/hda / ext2 nodev,nosuid +# Remount /bin and /dev while adding the appropriate permissions. +/dev /dev bind bind,nosuid +/bin /bin bind bind,nodev + proc /proc proc nosuid devpts /dev/pts devpts noexec,nosuid tmp /tmp tmp nodev,nosuid diff --git a/Kernel/FileSystem/VirtualFileSystem.cpp b/Kernel/FileSystem/VirtualFileSystem.cpp index af91c3d21e9..c402a163831 100644 --- a/Kernel/FileSystem/VirtualFileSystem.cpp +++ b/Kernel/FileSystem/VirtualFileSystem.cpp @@ -89,7 +89,7 @@ bool VFS::mount_root(FS& file_system) return false; } - Mount mount { file_system, nullptr, 0 }; + Mount mount { file_system, nullptr, MS_NODEV | MS_NOSUID }; auto root_inode_id = mount.guest().fs()->root_inode(); auto root_inode = mount.guest().fs()->get_inode(root_inode_id); @@ -668,7 +668,7 @@ void VFS::sync() Custody& VFS::root_custody() { if (!m_root_custody) - m_root_custody = Custody::create(nullptr, "", *m_root_inode, 0); + m_root_custody = Custody::create(nullptr, "", *m_root_inode, MS_NODEV | MS_NOSUID); return *m_root_custody; }