X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;ds=inline;f=docs%2F1_Architecture_Guides%2F1.2_Security_Blueprint%2F4_Kernel%2F1.2.4.5_FileSystems.md;fp=docs%2F1_Architecture_Guides%2F1.2_Security_Blueprint%2F4_Kernel%2F1.2.4.5_FileSystems.md;h=0d60d9d3f87320b259642ce74e72118bc4b1e34b;hb=4aad369c9728061c97b3de792286e743ee884b09;hp=0000000000000000000000000000000000000000;hpb=619a7e48085be1538c3b01eb93dcb9dc95bf0436;p=AGL%2Fdocumentation.git diff --git a/docs/1_Architecture_Guides/1.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md b/docs/1_Architecture_Guides/1.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md new file mode 100644 index 0000000..0d60d9d --- /dev/null +++ b/docs/1_Architecture_Guides/1.2_Security_Blueprint/4_Kernel/1.2.4.5_FileSystems.md @@ -0,0 +1,69 @@ +--- +edit_link: '' +title: File Systems +origin_url: >- + https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-4/5-FileSystems.md +--- + + + +# File System + +## Disable all file systems not needed + +To reduce the attack surface, file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits. + +### Disable NFS file system + +NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them. + + + +Domain | `Config` name | `Value` +------------------------ | --------------- | ------- +Kernel-FileSystems-NFS-1 | `CONFIG_NFSD` | `n` +Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n` + + + +-------------------------------------------------------------------------------- + + + +## Partition Mount Options + +There are several security restrictions that can be set on a filesystem when it is mounted. Some common security options include, but are not limited to: + +`nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take effect. + +`nodev` - Do not interpret character or block special devices on the filesystem. + +`noexec` - Do not allow execution of any binaries on the mounted filesystem. + +`ro` - Mount filesystem as read-only. + +The following flags shall be used for mounting common filesystems: + + + +Domain | `Partition` | `Value` +-------------------------- | ------------------- | ----------------------------------------------------------------- +Kernel-FileSystems-Mount-1 | `/boot` | `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-2 | `/var` & `/tmp` | In `/etc/fstab` or `vfstab`, add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-3 | _Non-root local_ | If type is `ext2` or `ext3` and mount point not '/', add `nodev`. +Kernel-FileSystems-Mount-4 | _Removable storage_ | Add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-5 | _Temporary storage_ | Add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-6 | `/dev/shm` | Add `nosuid`, `nodev` and `noexec`. +Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`. + + + +If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or add a remount with `noexec` and `nosuid` options to system startup. + + + +Domain | `Config` name | _State_ or `Value` +-------------------------- | ----------------------- | ----------------------------------------------------------------------- +Kernel-FileSystems-Mount-1 | `CONFIG_DEVTMPFS_MOUNT` | _Disabled_ or add remount with `noexec` and `nosuid` to system startup. + +