From e76b3d4ed2d716446f3670d40cfdcbb145cb52d7 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 26 Apr 2023 16:55:42 +0200 Subject: units: restrict hugepages fs a bit suid binaries and device nodes should not be placed there, hence forbid it. Of all the API VFS we mount from PID 1 or via a unit file this one is the only one where we didn't add MS_NODEV/MS_NOSUID. Let's address that, since there's really no reason why device nodes or suid binaries would be placed in hugetlbfs. --- units/dev-hugepages.mount | 1 + 1 file changed, 1 insertion(+) (limited to 'units') diff --git a/units/dev-hugepages.mount b/units/dev-hugepages.mount index 1a34da1285..88cd89d563 100644 --- a/units/dev-hugepages.mount +++ b/units/dev-hugepages.mount @@ -21,3 +21,4 @@ ConditionVirtualization=!private-users What=hugetlbfs Where=/dev/hugepages Type=hugetlbfs +Options=nosuid,nodev -- cgit v1.2.1
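Review bot: the rationale for the new `Options=nosuid,nodev` line in units/dev-hugepages.mount lives only in the commit message; consider a short `#` comment above it in the unit file (e.g. "no device nodes or suid binaries belong on hugetlbfs") so the reason survives for anyone reading or later editing the unit. The hunk is otherwise consistent: the visible context (`What=`, `Where=`, `Type=`) has no existing `Options=` key, so adding a new line rather than extending one is the right change, and the diffstat's single insertion matches. Since the message states this was the only API VFS mount still missing MS_NODEV/MS_NOSUID, it would help to say explicitly that the mounts set up directly from PID 1 (not via unit files) were cross-checked as part of the same review, so the claim is verifiable from the commit itself.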