From patchwork Wed Jul 13 19:46:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 5746
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Ljp6S4kb6z3wjd
	for <patchwork@web04.haj.ipfire.org>; Wed, 13 Jul 2022 19:46:56 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4Ljp6P6fJ9zq2;
	Wed, 13 Jul 2022 19:46:53 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Ljp6P6113z2y2L;
	Wed, 13 Jul 2022 19:46:53 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Ljp6N3cDtz2xPW
 for <development@lists.ipfire.org>; Wed, 13 Jul 2022 19:46:52 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384))
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4Ljp6M3D6zzRM
 for <development@lists.ipfire.org>; Wed, 13 Jul 2022 19:46:51 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1657741612;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=ISWd7BTVh44Oo0qidIYSG01Ed+VVbd6Z52iXNkXuxHw=;
 b=esbA7MMAe6H73spBEDZdAVfwlWw+LphVYPp+jBq1Wos+cvKsszsOA+n4uMPItEawBujH+3
 85XmrRdz8SK0yiBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1657741612;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=ISWd7BTVh44Oo0qidIYSG01Ed+VVbd6Z52iXNkXuxHw=;
 b=g2aTIaJfg+N8KekcTRKkAWrrr02R1R2PhrpF4b52yoAG/HsBwZadStudEAzlN88d6N/Vtt
 Qj9X+GjwaeFpuG1pof1YRCKTH3OsdJtys1KurvKnomE/29K+8Xgu3ueN6DawV7YwUHV4I0
 6QkW9lDGUOcNLlP6PeNTe7Z739g/mHfiMFApZE8O6iIBQA6KUZPTuX46k7f/WfmCTsDdAu
 Goj7Wl4OfP+8BvztXuX1ifcNPCZYpIHrXTsLijadcYmRDVKVLVhKa2lU3DhZv7WAnYB0Yv
 a1YhgX7u8Tb9j7rWN6Wz+pBs9O6GJF+I9T0lSpzJs2bMcg72YXALNJtZbjNEyA==
Message-ID: <f0374b07-323d-2796-7eac-f48a09a84bbc@ipfire.org>
Date: Wed, 13 Jul 2022 19:46:38 +0000
MIME-Version: 1.0
Content-Language: en-US
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH v2] Core Update 170: Harden mount options of /boot on existing
 installations
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

The second version of this patch uses @ instead of / for sed delimiters,
which makes the command less hard to read. Since Core Update 170 already
requires a reboot at this point, the respective directive is omitted.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/rootfiles/core/170/update.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
index 7dde03060..78a4709bc 100644
--- a/config/rootfiles/core/170/update.sh
+++ b/config/rootfiles/core/170/update.sh
@@ -110,6 +110,9 @@ chown nobody:nobody /var/lib/ipblocklist
 # Start services
 /etc/init.d/rc.d/unbound start
 
+# Harden mount options of /boot
+sed -e -i "s@[[:space:]]*\/boot[[:space:]]*auto[[:space:]]*defaults[[:space:]]*@ \/boot    auto defaults,nodev,noexec,nosuid   @g" /etc/fstab
+
 # This update needs a reboot...
 touch /var/run/need_reboot