| Field | Value | Date |
|---|---|---|
| author | Shankho Boron Ghosh <shankhoghosh123@gmail.com> | 2020-10-30 10:23:28 +0530 |
| committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-11-13 12:52:48 +0000 |
| commit | b925cccc60a97d3592330cebe6b4e17e6889e3bf (patch) | |
| tree | 98084cf6c07c1849357fdf6940fda0a20ab27165 /docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md | |
| parent | 29251f313842f7e642cf81f2fd24c4f92359a4ea (diff) | |
Added [in-progress] Developer Guides
Updated mkdocs.yml, README.md.
Text wrap markdowns at 80.
Cherry-pick from master
Bug-AGL: [SPEC-3633]
Signed-off-by: Shankho Boron Ghosh <shankhoghosh123@gmail.com>
Change-Id: I2d7b43cb870e97786d3eb101c60a2071cc50f0be
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/documentation/+/25498
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/documentation/+/25546
Diffstat (limited to 'docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md')
-rw-r--r-- | docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md index 0d60d9d..14f8c53 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md @@ -1,21 +1,19 @@ --- -edit_link: '' title: File Systems -origin_url: >- - https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-4/5-FileSystems.md --- -<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> - # File System ## Disable all file systems not needed -To reduce the attack surface, file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits. +To reduce the attack surface, file system data is parsed by the kernel, so any +logic bugs in file system drivers can become kernel exploits. ### Disable NFS file system -NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them. +NFS FileSystems are useful during development phases, but this can be a very +helpful way for an attacker to get files when you are in production mode, so we +must disable them. <!-- section-config --> 
@@ -32,9 +30,11 @@ Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n` ## Partition Mount Options -There are several security restrictions that can be set on a filesystem when it is mounted. Some common security options include, but are not limited to: +There are several security restrictions that can be set on a filesystem when it +is mounted. Some common security options include, but are not limited to: -`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take effect. +`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take +effect. `nodev` - Do not interpret character or block special devices on the filesystem. @@ -58,7 +58,9 @@ Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`. <!-- end-section-config --> <!-- section-note --> -If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or add a remount with `noexec` and `nosuid` options to system startup. +If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not +apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or +add a remount with `noexec` and `nosuid` options to system startup. <!-- end-section-note --> <!-- section-config --> |
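Review bot: the first hunk (`@@ -1,21 +1,19 @@`) drops the `edit_link` and `origin_url` front-matter keys and the `fetch_docs.js` "generated file" warning comment, but the commit message only describes wrapping the markdown at 80 columns; please state in the message that this file is no longer generated from docs-sources (so the `origin_url` pointing at `security-blueprint/part-4/5-FileSystems.md` is removed on purpose), or keep the keys if the fetch tooling still relies on them. Since the front matter is being edited anyway, this is also the place to reconcile `title: File Systems` with the heading `# File System`, which still disagree after this change.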
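Review bot: in the last hunk (`@@ -58,7 +58,9 @@`) the rewrapped note names the options as `nosuid`, `noexec` in the first sentence and `noexec` and `nosuid` in the second; harmless, but since these lines are being rewritten for wrapping, use one order in both sentences (the table row above uses `nosuid` and `noexec`), so the remount advice reads the same as the config row it explains.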