meta-lxatac-software: distro: tacos: remove all permissions on rootfs…

… /srv We do not want any service to write to /srv (in the root filesystem) before the /srv partition is set up and mounted. Indicate this intent by removing all permissions from the directory. This will not stop processes running as root from writing there anyways due to CAP_DAC_OVERRIDE. Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
hnez · Nov 14, 2024 · b8d5f2e · b8d5f2e
1 parent a0e8816
commit b8d5f2e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/meta-lxatac-software/conf/distro/tacos.conf b/meta-lxatac-software/conf/distro/tacos.conf
@@ -40,6 +40,11 @@ USERADD_ERROR_DYNAMIC = "error"
 USERADD_UID_TABLES = "files/passwd"
 USERADD_GID_TABLES = "files/group"
 
+# Remove all read/write/directory permissions from /srv to indicate that it
+# should only be used as a mount point and that no files should be written
+# there.
+FILESYSTEM_PERMS_TABLES += "files/fs-perms-srv-ro.txt"
+
 # Don't symlink /var/log to /var/log/volatile as we do actually want
 # persistent logging.
 VOLATILE_LOG_DIR = "no"

diff --git a/meta-lxatac-software/files/fs-perms-srv-ro.txt b/meta-lxatac-software/files/fs-perms-srv-ro.txt
@@ -0,0 +1,6 @@
+# This matches the original fs-perms.txt.
+# The only difference is that all read/write/directory were removed
+# (0755 -> 0000) since the directory should only be used as a mount point.
+# This will not stop processes running as root from writing to the directory
+# due to CAP_DAC_OVERRIDE.
+/srv				0000	root	root	false - - -