aboutsummaryrefslogtreecommitdiffstats
path: root/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md')
-rw-r--r--docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md22
1 files changed, 12 insertions, 10 deletions
diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md
index 0d60d9d..14f8c53 100644
--- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md
+++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md
@@ -1,21 +1,19 @@
---
-edit_link: ''
title: File Systems
-origin_url: >-
- https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-4/5-FileSystems.md
---
-<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml -->
-
# File System
## Disable all file systems not needed
-To reduce the attack surface, file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits.
+To reduce the attack surface, file system data is parsed by the kernel, so any
+logic bugs in file system drivers can become kernel exploits.
### Disable NFS file system
-NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them.
+NFS FileSystems are useful during development phases, but this can be a very
+helpful way for an attacker to get files when you are in production mode, so we
+must disable them.
<!-- section-config -->
@@ -32,9 +30,11 @@ Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n`
## Partition Mount Options
-There are several security restrictions that can be set on a filesystem when it is mounted. Some common security options include, but are not limited to:
+There are several security restrictions that can be set on a filesystem when it
+is mounted. Some common security options include, but are not limited to:
-`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take effect.
+`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take
+effect.
`nodev` - Do not interpret character or block special devices on the filesystem.
@@ -58,7 +58,9 @@ Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`.
<!-- end-section-config --> <!-- section-note -->
-If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or add a remount with `noexec` and `nosuid` options to system startup.
+If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not
+apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or
+add a remount with `noexec` and `nosuid` options to system startup.
<!-- end-section-note --> <!-- section-config -->