diff --git a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator index d20186de0d..d3c0f46183 100755 --- a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator +++ b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator @@ -35,8 +35,9 @@ fi mk_mount() { local mount_pt="${1}"; shift local label="${1}"; shift - local path="/dev/disk/by-label/${label}" + local options="${1}"; shift + local path="/dev/disk/by-label/${label}" local unit_name=$(systemd-escape -p ${mount_pt} --suffix=mount) eval $(udevadm info --query property --export "${path}") @@ -61,6 +62,7 @@ After=systemd-fsck@${device}.service [Mount] What=${path} Where=${mount_pt} +Options=${options} EOF add_wants "${unit_name}" @@ -71,5 +73,22 @@ EOF # ConditionPathExists won't work here because conditions don't affect # the dependency on the underlying device unit. if [ ! -f /run/ostree-live ]; then - mk_mount /boot boot + # We mount read-only by default mostly to protect + # against accidental damage. Only a few things + # owned by CoreOS should be touching /boot or the ESP. + # Use nodev,nosuid because some hardening guides want + # that even though it's of minimal value. + boot_mount_options=ro,nodev,nosuid + mk_mount /boot boot "${boot_mount_options}" + + # Only mount the EFI System Partition on machines where it exists, + # which are 1) machines actually booted through EFI, and 2) x86_64 + # when booted through BIOS. + if [ "$(uname -m)" = "x86_64" -o -d /sys/firmware/efi ]; then + # In the general case the ESP might have per-machine or private + # data on it. Let's not make it world readable on general + # principle. + # https://github.com/coreos/fedora-coreos-tracker/issues/640 + mk_mount /boot/efi EFI-SYSTEM "${boot_mount_options},umask=0077" + fi fi diff --git a/tests/kola/misc-ro b/tests/kola/misc-ro index 4f2dfdd7f0..241d095bce 100755 --- a/tests/kola/misc-ro +++ b/tests/kola/misc-ro @@ -51,10 +51,15 @@ if ip link | grep -o -e " eth[0-9]:"; then fi ok nic naming -if test -w /sysroot; then - fatal "found writable /sysroot" -fi -ok sysroot ro +for part in /sysroot /boot /boot/efi; do + if ! findmnt -n -o options ${part} | grep -q "ro,"; then + fatal "${part} is missing ro option" + fi + if test -w "${part}" || touch "${part}/somefile" 2>/dev/null; then + fatal "${part} is writable" + fi +done +ok read-only partitions if ! lsattr -d / | grep -qe '--i--'; then fatal "missing immutable bit on /"