fix: tmpfs default permissions

Tmpfs uses shared mamory. The owner of it is system cgroup.
It can be broke the system, put the big file on it.

* set mount options to /tmp, /run folder as many OS have.
* limit /tmp size to 64Mb.

Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>

internal/pkg/mount/pseudo.go

@@ -14,9 +14,9 @@ func PseudoMountPoints() (mountpoints *Points, err error) {
 	pseudo.Set("dev", NewMountPoint("devtmpfs", "/dev", "devtmpfs", unix.MS_NOSUID, "mode=0755"))
 	pseudo.Set("proc", NewMountPoint("proc", "/proc", "proc", unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV, ""))
 	pseudo.Set("sys", NewMountPoint("sysfs", "/sys", "sysfs", 0, ""))
-	pseudo.Set("run", NewMountPoint("tmpfs", "/run", "tmpfs", 0, "mode=755"))
+	pseudo.Set("run", NewMountPoint("tmpfs", "/run", "tmpfs", unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME, "mode=755"))
 	pseudo.Set("system", NewMountPoint("tmpfs", "/system", "tmpfs", 0, "mode=755"))
-	pseudo.Set("tmp", NewMountPoint("tmpfs", "/tmp", "tmpfs", 0, "mode=755"))
+	pseudo.Set("tmp", NewMountPoint("tmpfs", "/tmp", "tmpfs", unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV, "size=64M,mode=755"))
 
 	return pseudo, nil
 }