cilium, contrib: tighten permissions on systemd bpffs mount unit file #10805

Merged
merged 1 commit into from
Apr 1, 2020


borkmann
Member

@borkmann borkmann commented Apr 1, 2020

Given bpf fs wasn't mounted before, then mount it with stricter
permissions than the default ones (777). Also add a few other options
as discussed in #10793 such as `nosuid,nodev,noexec` though at least
from bpf fs side these are ignored.

Fixes: #10793
Reported-by: Travis Glenn Hansen <travisghansen@yahoo.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann added pending-review area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. release-note/misc This PR makes changes that have no direct user impact. labels Apr 1, 2020
@borkmann borkmann requested review from a team as code owners April 1, 2020 13:44
@borkmann borkmann requested a review from a team April 1, 2020 13:44
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.8.0 Apr 1, 2020
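
A check for the hardening described in the commit message, added here as an example and not taken from the Cilium repository: it audits the `Options=` line of a bpffs systemd mount unit for a `mode=` stricter than the default 777 and for `nosuid,nodev,noexec`. The function name, the sample unit text and the `mode=0700` value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the Options= line of a bpffs systemd mount unit.
# Prints one finding per line; no output means the unit passed.
audit_bpffs_unit() {
    # Take the last Options= assignment in the unit text, trailing blanks removed.
    opts=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Options[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | tail -n 1)
    mode=""
    flags=" "
    # Split the comma-separated options without touching IFS or globbing.
    while IFS= read -r o; do
        case $o in
            mode=*) mode=${o#mode=} ;;
            ?*)     flags="$flags$o " ;;
        esac
    done <<EOF
$(printf '%s' "$opts" | tr ',' '\n')
EOF
    # mode= is the control that matters: without it the default (777) applies.
    case $mode in
        "")       echo "FAIL: no mode= option, default 777 applies" ;;
        *[!0-7]*) echo "FAIL: mode=$mode is not octal" ;;
        *)        other=${mode#"${mode%?}"}   # last octal digit = "other" bits
                  [ "$other" = 0 ] || echo "FAIL: mode=$mode grants access to other users" ;;
    esac
    # Only warnings: the commit message notes bpf fs itself ignores these flags.
    for f in nosuid nodev noexec; do
        case $flags in
            *" $f "*) ;;
            *) echo "WARN: $f not set" ;;
        esac
    done
}

# Constructed sample units (not copied from the Cilium repository).
UNIT_DEFAULT='[Mount]
What=bpffs
Where=/sys/fs/bpf
Type=bpf'
UNIT_STRICT="$UNIT_DEFAULT
Options=rw,nosuid,nodev,noexec,mode=0700"

audit_bpffs_unit "$UNIT_DEFAULT"   # one FAIL and three WARN lines
audit_bpffs_unit "$UNIT_STRICT"    # no output
```
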
@borkmann
Member Author

borkmann commented Apr 1, 2020

test-me-please

@borkmann
Member Author

borkmann commented Apr 1, 2020

test-docs-please

@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.7.2 Apr 1, 2020
@coveralls

Coverage Status

Coverage increased (+0.04%) to 45.527% when pulling 5f78339 on pr/systemd-mount-perms into 09eebce on master.

@borkmann
Member Author

borkmann commented Apr 1, 2020

test-me-please

@borkmann borkmann merged commit 95529fb into master Apr 1, 2020
1.8.0 automation moved this from In progress to Merged Apr 1, 2020
@borkmann borkmann deleted the pr/systemd-mount-perms branch April 1, 2020 17:01
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.7 in 1.7.2 Apr 1, 2020
@joestringer joestringer moved this from Backport pending to v1.7 to Backport done to v1.7 in 1.7.2 Apr 7, 2020
Development

Successfully merging this pull request may close these issues.

update systemd bpf mount unit file to be more secure