Merge pull request #208 from hnez/srv-ro

meta-lxatac-software: distro: tacos: make /srv on the rootfs read-only
linux-automation · Nov 18, 2024 · be482c6 · be482c6
2 parents d829b98 + d9b2755
commit be482c6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/meta-lxatac-software/conf/distro/tacos.conf b/meta-lxatac-software/conf/distro/tacos.conf
@@ -40,6 +40,10 @@ USERADD_ERROR_DYNAMIC = "error"
 USERADD_UID_TABLES = "files/passwd"
 USERADD_GID_TABLES = "files/group"
 
+# Reduce read/write/directory permissions for /srv to indicate that it should
+# only be used as a mount point and that no files should be written there.
+FILESYSTEM_PERMS_TABLES += "files/fs-perms-srv-ro.txt"
+
 # Don't symlink /var/log to /var/log/volatile as we do actually want
 # persistent logging.
 VOLATILE_LOG_DIR = "no"

diff --git a/meta-lxatac-software/files/fs-perms-srv-ro.txt b/meta-lxatac-software/files/fs-perms-srv-ro.txt
@@ -0,0 +1,6 @@
+# This matches the original fs-perms.txt.
+# The only difference is that permissions were restricted (0755 -> 0500)
+# since the directory should only be used as a mount point.
+# This will however not stop processes running as root from writing to the
+# directory due to CAP_DAC_OVERRIDE.
+/srv				0500	root	root	false - - -