Description : set mount options for security policy

For /tmp, /run/user/%U, /dev/shm directoreis, set noexec,nosuid,nodev as
mount option.

Change-Id: I07d918d9cb81642fc0d0b9c3f9a64db4c571ef58
Signed-off-by: Woochang Kim <wchang.kim@samsung.com>

diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 1365d0e..a388923 100644 (file)
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -82,10 +82,10 @@ static const MountPoint mount_table[] = {
 #ifdef HAVE_SMACK
         { "smackfs",     "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*",            MS_NOSUID|MS_NOEXEC|MS_NODEV,
           mac_smack_use, MNT_FATAL                  },
-        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME|MS_NOEXEC,
           mac_smack_use, MNT_FATAL                  },
 #else
-        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME|MS_NOEXEC,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
 #endif
         { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,

diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4
index d1f61dc..3342a16 100644 (file)
--- a/units/tmp.mount.m4
+++ b/units/tmp.mount.m4
@@ -20,5 +20,5 @@ What=tmpfs
 Where=/tmp
 Type=tmpfs
 m4_ifdef(`HAVE_SMACK',
-`Options=mode=1777,strictatime,smackfsroot=*,nosuid,noexec',
-`Options=mode=1777,strictatime,nosuid,noexec')
+`Options=mode=1777,strictatime,smackfsroot=*,nosuid,noexec,nodev',
+`Options=mode=1777,strictatime,nosuid,noexec,nodev')