Conversation

cgwalters
Collaborator

This avoids warnings from `bootctl install` for good reasons.
Visible from `bootc install` using systemd-boot.

Signed-off-by: Colin Walters <walters@verbum.org>
@bootc-bot bootc-bot bot requested a review from henrywang October 19, 2025 18:13
@cgwalters cgwalters enabled auto-merge (rebase) October 19, 2025 18:14
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a significant improvement by mounting the EFI System Partition (ESP) with more restrictive permissions (fmask=0177, dmask=0077) and security flags (noexec, nosuid). This change effectively hardens the system by limiting access to the ESP, which helps prevent unauthorized modifications and resolves warnings from bootctl. The implementation is well-executed through refactoring. A new mount_esp helper function neatly encapsulates the ESP mounting logic, which is then used consistently across the codebase, improving maintainability. Furthermore, the underlying TempMount::mount_dev function has been enhanced to be more generic and now uses a direct rustix syscall for mounting instead of shelling out to the mount command, which is a great improvement for robustness and performance. Overall, the changes are clean, well-motivated, and represent a solid step forward for the project's security and code quality.
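The review above names the options that make the ESP mount hardened: `noexec`, `nosuid`, `fmask=0177` and `dmask=0077`. The following is an added example, not code from the bootc project or this PR: a small audit routine that parses `/proc/self/mounts`-style lines and reports which of those options are missing or weaker than the PR's values. The two mount lines it runs on are constructed for the example (the device path and mount point are made up), and the "at least as restrictive" mask comparison is this example's own interpretation of what hardened means, since on vfat the bits set in `fmask`/`dmask` are the permission bits removed from files and directories.

```rust
// Added example (not part of the PR): audit an ESP mount entry for the
// options the review describes: noexec, nosuid, fmask=0177, dmask=0077.

#[derive(Debug, PartialEq)]
pub struct MountEntry {
    pub source: String,
    pub target: String,
    pub fstype: String,
    pub options: Vec<String>,
}

/// Parse one line of /proc/self/mounts (whitespace-separated fields:
/// source, target, fstype, options, dump, pass).
pub fn parse_mount_line(line: &str) -> Option<MountEntry> {
    let mut fields = line.split_whitespace();
    let source = fields.next()?.to_string();
    let target = fields.next()?.to_string();
    let fstype = fields.next()?.to_string();
    let options = fields.next()?.split(',').map(str::to_string).collect();
    Some(MountEntry { source, target, fstype, options })
}

/// Octal value of a `key=NNNN` option, e.g. `fmask=0177` -> 0o177.
fn mask_option(entry: &MountEntry, key: &str) -> Option<u32> {
    entry.options.iter().find_map(|opt| {
        let value = opt.strip_prefix(key)?.strip_prefix('=')?;
        u32::from_str_radix(value, 8).ok()
    })
}

/// On vfat the bits set in fmask/dmask are the permission bits *removed*,
/// so a mask is acceptable when it removes at least the bits `required` does.
fn check_mask(entry: &MountEntry, key: &str, required: u32, findings: &mut Vec<String>) {
    match mask_option(entry, key) {
        Some(m) if m & required == required => {}
        Some(m) => findings.push(format!("{key}={m:04o} is weaker than {required:04o}")),
        None => findings.push(format!("{key} not set (filesystem default applies)")),
    }
}

/// Return the list of findings for an ESP mount; an empty list means the
/// entry carries every option the PR's hardened mount uses.
pub fn audit_esp(entry: &MountEntry) -> Vec<String> {
    let mut findings = Vec::new();
    for flag in ["noexec", "nosuid"] {
        if !entry.options.iter().any(|o| o == flag) {
            findings.push(format!("missing {flag}"));
        }
    }
    check_mask(entry, "fmask", 0o177, &mut findings); // files: owner rw only
    check_mask(entry, "dmask", 0o077, &mut findings); // dirs: owner rwx only
    findings
}

fn main() {
    // Constructed sample lines (device and mount point are made up).
    let lines = [
        "/dev/vda1 /boot/efi vfat rw,nosuid,noexec,relatime,fmask=0177,dmask=0077,codepage=437 0 0",
        "/dev/vda1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437 0 0",
    ];
    for line in lines {
        if let Some(entry) = parse_mount_line(line) {
            let findings = audit_esp(&entry);
            if findings.is_empty() {
                println!("{}: hardened", entry.target);
            } else {
                println!("{}: {}", entry.target, findings.join("; "));
            }
        }
    }
}
```

Run against the real `/proc/self/mounts` by reading the file and filtering for the ESP mount point; the audit only needs read access to that file, so it can run unprivileged as a post-install check.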
