--- /usr/share/initramfs-tools/init_orig	2015-08-18 08:38:12.000000000 +0000
+++ /usr/share/initramfs-tools/init	2015-09-13 13:54:12.742506063 +0000
@@ -19,9 +19,9 @@
 
 # Note that this only becomes /dev on the real filesystem if udev's scripts
 # are used; which they will be, but it's worth pointing out
-if ! mount -t devtmpfs -o mode=0755 udev /dev; then
+if ! mount -t devtmpfs -o nosuid,noexec,mode=0755 udev /dev; then
 	echo "W: devtmpfs not available, falling back to tmpfs for /dev"
-	mount -t tmpfs -o mode=0755 udev /dev
+	mount -t tmpfs -o nosuid,noexec,mode=0755 udev /dev
 	[ -e /dev/console ] || mknod -m 0600 /dev/console c 5 1
 	[ -e /dev/null ] || mknod /dev/null c 1 3
 fi