author Lennart Poettering <lennart@poettering.net> 2023-05-02 10:44:14 +0200
committer Lennart Poettering <lennart@poettering.net> 2023-05-02 12:06:03 +0200
commit 7243cefec10ecab1248a26f443b797a8655fc14d
tree 95b2aa55fd095bb2916e7590031c7b264cced260 /src/shared
parent ab13274a19ee310ed8569612a862b977d054ed6c
base-filesystem: create /proc, /sys, /dev mount points as 0555
These inodes are going to be overmounted anyway, hence let's create them with access mode 555, so that they are as close to being immutable as regular UNIX access modes allow them to be. In other words: this takes the "w" mode away for root. This of course usually has little effect -- unless CAP_DAC_OVERRIDE is dropped. But at the very least it makes the point clear that inodes should be considered immutable. (I intended to make this 0000 originally, but that doesn't work, as many tools – including our own – have fallback paths that when they see ENOENT in /proc/ they can handle this gracefully. But changing the mode to 000 would turn this to EACCES - something they usually have no fallback path for)
Diffstat (limited to 'src/shared')
-rw-r--r-- src/shared/base-filesystem.c 6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
index 5890f30383..f2161041c8 100644
--- a/src/shared/base-filesystem.c
+++ b/src/shared/base-filesystem.c
@@ -36,9 +36,9 @@ static const BaseFilesystem table[] = {
{ "usr", 0755, NULL, NULL },
{ "var", 0755, NULL, NULL },
{ "etc", 0755, NULL, NULL },
- { "proc", 0755, NULL, NULL, true },
- { "sys", 0755, NULL, NULL, true },
- { "dev", 0755, NULL, NULL, true },
+ { "proc", 0555, NULL, NULL, true },
+ { "sys", 0555, NULL, NULL, true },
+ { "dev", 0555, NULL, NULL, true },
/* Various architecture ABIs define the path to the dynamic loader via the /lib64/ subdirectory of
* the root directory. When booting from an otherwise empty root file system (where only /usr/ has
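Review bot: the changed "proc", "sys" and "dev" entries carry no comment saying why they are 0555 while the neighbouring "usr", "var" and "etc" entries stay 0755, or why the mode is not 0000. That reasoning (the inodes are overmounted anyway, and mode 000 would turn the ENOENT that tools have fallback paths for into EACCES) exists only in the commit message. A short comment above the "proc" line, in the style of the /lib64 comment that follows, would keep a later reader from changing the mode back to 0755 or tightening it to 0000 without knowing the consequence.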