Closed
Bug 761265
Opened 12 years ago
Closed 12 years ago
Default mount hardening
Categories
(Firefox OS Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: kang, Unassigned)
Details
Default mounts should be tighter, especially that we do not need permissions as wide (or as many mounts) as Android requires. (note: those mounts options are not currently required for the recovery mode, defaults are fine) This reduces the attack surface at the file system level. The proposed minimum mounts and their options are documented at https://wiki.mozilla.org/B2G/Architecture/Runtime_Security#OS_Hardening Additional options may be present such as "relatime, barrier=1, data=ordered", etc. but there should be no fewer options. Additional mounts that are not in use should be removed, such as: /mnt/sdcard/.android_secure /sys/kernel/debug /mnt/secure/asec /mnt/asec /mnt/obb Most mounts are performed in /init*rc. /system has to be mounted rw, then remounted ro (already performed by Android scripts). It is acceptable to have all the mounts "fixed up" in /init.rc or /init.b2g.rc as well. I have tested this setup with the current B2G build from source, on my Nexus S. Please let me know if there is any concern with these options or mounts. Thanks!
Comment 1•12 years ago
|
||
Guillaume, Since this is not part of gecko, please file these bugs as github issues. thanks!
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Updated•12 years ago
|
Resolution: WONTFIX → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•