enable CONFIG_DEVTMPFS_SAFE
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Kinetic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
Use nosuid,noexec mount options on devtmpfs, this allows to provide a bit of extra security by preventing mmapping stuff in /dev with PROT_EXEC or having setuid executables.
[Test case]
If we really want to provide a test case for this...:
$ grep devtmpfs /proc/mounts
We should see nosuid,noexec in the mount options if this change is applied, otherwise we should only see nosuid (or none of the above).
[Fix]
Enable CONFIG_
[Regression potential]
This change can potentially break some drivers that require mmapping /dev/mem with the PROT_EXEC flag (for example non-KSM video drivers, or drivers that need to execute BIOS / firmware code directly from /dev/mem).
However, it'd be nice to see if we still have drivers that are still relying on this dangerous behavior and provide some additional safety measures in the system.
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1974442
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.