Various mount options have changed in Core Update 169

  Hello *,

while pre-testing Core Update 169, it came to my attention that, for some reason,
various mount options have changed since Core Update 168, lacking options such as
"nodev", "noexec", "nosuid", which means a security downgrade.

The complete delta is as follows:

$ diff -Naur before after

I cannot recall of having this explicitly changed anywhere, and don't understand
the root cause for this (unwanted) change. Could somebody please point me into the
right direction? :-)

Thanks in advance, and best regards,
Peter Müller
  

Hello,

I suppose this is coming from changing dracut.

Unless I am reading your diff wrong, those options have been added which is a good thing?!

-Michael

> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello *,
> 
> while pre-testing Core Update 169, it came to my attention that, for some reason,
> various mount options have changed since Core Update 168, lacking options such as
> "nodev", "noexec", "nosuid", which means a security downgrade.
> 
> The complete delta is as follows:
> 
> $ diff -Naur before after
> --- before	2022-06-20 20:04:32.436632074 +0000
> +++ after	2022-06-20 20:04:34.500401575 +0000
> @@ -1,12 +1,12 @@
> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
> /dev/sda1 on /boot type ext4 (rw,relatime)
> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
> /dev/sda4 on / type ext4 (rw,relatime)
> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
> -/proc on /proc type proc (rw,relatime)
> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
> -/sys on /sys type sysfs (rw,relatime)
> -tmpfs on /dev/shm type tmpfs (rw,relatime)
> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
> 
> I cannot recall of having this explicitly changed anywhere, and don't understand
> the root cause for this (unwanted) change. Could somebody please point me into the
> right direction? :-)
> 
> Thanks in advance, and best regards,
> Peter Müller
  

Hello Michael,

thanks for your reply.

> Hello,
> 
> I suppose this is coming from changing dracut.

As discussed on the phone already, I don't think dracut is the root cause here, since
the mount options are fine on systems running Core Update 168. Some change in Core Update
169 caused this issue.

> Unless I am reading your diff wrong, those options have been added which is a good thing?!

No, it is the other way round. Silly me screwed up the diff. :-/

Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
/dev. I searched and was unable to find any component where /dev is (re)mounted in the way
it is shown in the output of "mount".

Do you have any ideas?

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
>> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello *,
>>
>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>> various mount options have changed since Core Update 168, lacking options such as
>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>
>> The complete delta is as follows:
>>
>> $ diff -Naur before after
>> --- before	2022-06-20 20:04:32.436632074 +0000
>> +++ after	2022-06-20 20:04:34.500401575 +0000
>> @@ -1,12 +1,12 @@
>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>> /dev/sda1 on /boot type ext4 (rw,relatime)
>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
>> /dev/sda4 on / type ext4 (rw,relatime)
>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
>> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
>> -/proc on /proc type proc (rw,relatime)
>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
>> -/sys on /sys type sysfs (rw,relatime)
>> -tmpfs on /dev/shm type tmpfs (rw,relatime)
>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>>
>> I cannot recall of having this explicitly changed anywhere, and don't understand
>> the root cause for this (unwanted) change. Could somebody please point me into the
>> right direction? :-)
>>
>> Thanks in advance, and best regards,
>> Peter Müller
>
  

Hello,

> On 22 Jun 2022, at 19:02, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
>> Hello,
>> 
>> I suppose this is coming from changing dracut.
> 
> As discussed on the phone already, I don't think dracut is the root cause here, since
> the mount options are fine on systems running Core Update 168. Some change in Core Update
> 169 caused this issue.

Okay. Could we please find out what has been causing this?

This is a change I would definitely care about and things like this should not just change.

> 
>> Unless I am reading your diff wrong, those options have been added which is a good thing?!
> 
> No, it is the other way round. Silly me screwed up the diff. :-/
> 
> Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
> /dev. I searched and was unable to find any component where /dev is (re)mounted in the way
> it is shown in the output of "mount".
> 
> Do you have any ideas?
> 
> Thanks, and best regards,
> Peter Müller
> 
>> 
>> -Michael
>> 
>>> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>>> 
>>> Hello *,
>>> 
>>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>>> various mount options have changed since Core Update 168, lacking options such as
>>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>> 
>>> The complete delta is as follows:
>>> 
>>> $ diff -Naur before after
>>> --- before	2022-06-20 20:04:32.436632074 +0000
>>> +++ after	2022-06-20 20:04:34.500401575 +0000
>>> @@ -1,12 +1,12 @@
>>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>>> /dev/sda1 on /boot type ext4 (rw,relatime)
>>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
>>> /dev/sda4 on / type ext4 (rw,relatime)
>>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
>>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
>>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
>>> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
>>> -/proc on /proc type proc (rw,relatime)
>>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
>>> -/sys on /sys type sysfs (rw,relatime)
>>> -tmpfs on /dev/shm type tmpfs (rw,relatime)
>>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
>>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
>>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>>> 
>>> I cannot recall of having this explicitly changed anywhere, and don't understand
>>> the root cause for this (unwanted) change. Could somebody please point me into the
>>> right direction? :-)
>>> 
>>> Thanks in advance, and best regards,
>>> Peter Müller
>>
  

Hello Michael,

> Hello,
> 
>> On 22 Jun 2022, at 19:02, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> thanks for your reply.
>>
>>> Hello,
>>>
>>> I suppose this is coming from changing dracut.
>>
>> As discussed on the phone already, I don't think dracut is the root cause here, since
>> the mount options are fine on systems running Core Update 168. Some change in Core Update
>> 169 caused this issue.
> 
> Okay. Could we please find out what has been causing this?

I am unfortunately out of ideas and need help here - see also the issue of /dev which is still
not fixed since I do not know where to look at. There is a mount call in /usr/lib/dracut/modules.d/99base/init.sh
with the proper options, but it either is not conducted at all during boot, or the mount options
get overwritten at a later point.

Sorry for the hassle.

> This is a change I would definitely care about and things like this should not just change.

Full ACK.

> 
>>
>>> Unless I am reading your diff wrong, those options have been added which is a good thing?!
>>
>> No, it is the other way round. Silly me screwed up the diff. :-/
>>
>> Anyway, commit 54bd60b67b477e5d5814293a74086dff1c21ac69 addresses all of them except for
>> /dev. I searched and was unable to find any component where /dev is (re)mounted in the way
>> it is shown in the output of "mount".

^^^

Thanks, and best regards,
Peter Müller

>>
>> Do you have any ideas?
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>>
>>> -Michael
>>>
>>>> On 20 Jun 2022, at 21:34, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>>
>>>> Hello *,
>>>>
>>>> while pre-testing Core Update 169, it came to my attention that, for some reason,
>>>> various mount options have changed since Core Update 168, lacking options such as
>>>> "nodev", "noexec", "nosuid", which means a security downgrade.
>>>>
>>>> The complete delta is as follows:
>>>>
>>>> $ diff -Naur before after
>>>> --- before	2022-06-20 20:04:32.436632074 +0000
>>>> +++ after	2022-06-20 20:04:34.500401575 +0000
>>>> @@ -1,12 +1,12 @@
>>>> -devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
>>>> +devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
>>>> /dev/sda1 on /boot type ext4 (rw,relatime)
>>>> /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
>>>> /dev/sda4 on / type ext4 (rw,relatime)
>>>> -devtmpfs on /dev type devtmpfs (rw,relatime,size=1963708k,nr_inodes=490927,mode=755)
>>>> +devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=1949992k,nr_inodes=487498,mode=755)
>>>> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,relatime)
>>>> none on /sys/fs/cgroup type cgroup2 (rw,relatime)
>>>> -/proc on /proc type proc (rw,relatime)
>>>> -/run on /run type tmpfs (rw,nosuid,nodev,relatime,size=8192k,mode=755)
>>>> -/sys on /sys type sysfs (rw,relatime)
>>>> -tmpfs on /dev/shm type tmpfs (rw,relatime)
>>>> +proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
>>>> +sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
>>>> +tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
>>>> +tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
>>>> /var/lock on /var/lock type tmpfs (rw,nosuid,nodev,relatime,size=8192k)
>>>>
>>>> I cannot recall of having this explicitly changed anywhere, and don't understand
>>>> the root cause for this (unwanted) change. Could somebody please point me into the
>>>> right direction? :-)
>>>>
>>>> Thanks in advance, and best regards,
>>>> Peter Müller
>>>
>