bootloader: Mount the ESP with restricted fmask+dmask #1691
cgwalters merged 1 commit into bootc-dev:main from
This avoids warnings from `bootctl install` for good reasons. Visible from `bootc install` using systemd-boot. Signed-off-by: Colin Walters <walters@verbum.org>
Code Review
This pull request introduces a significant improvement by mounting the EFI System Partition (ESP) with more restrictive permissions (fmask=0177, dmask=0077) and security flags (noexec, nosuid). This change effectively hardens the system by limiting access to the ESP, which helps prevent unauthorized modifications and resolves warnings from bootctl. The implementation is well-executed through refactoring. A new mount_esp helper function neatly encapsulates the ESP mounting logic, which is then used consistently across the codebase, improving maintainability. Furthermore, the underlying TempMount::mount_dev function has been enhanced to be more generic and now uses a direct rustix syscall for mounting instead of shelling out to the mount command, which is a great improvement for robustness and performance. Overall, the changes are clean, well-motivated, and represent a solid step forward for the project's security and code quality.
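The mount options the review above describes (noexec, nosuid, fmask=0177, dmask=0077), checked from the defender's side as an added example that is not bootc's own code: it parses one /proc/self/mountinfo line for the ESP and reports every way the mount falls short. The sample line, the constants and the function names are constructed for this example.

```rust
// Added example, not bootc's own code: verify from a /proc/self/mountinfo line
// that the ESP is mounted with the options this PR uses (noexec, nosuid,
// fmask=0177, dmask=0077). Runs offline against a constructed sample line.
use std::collections::HashMap;

pub const REQUIRED_FLAGS: &[&str] = &["noexec", "nosuid"];
pub const REQUIRED_FMASK: u32 = 0o177; // files: 0777 & !0177 = 0600
pub const REQUIRED_DMASK: u32 = 0o077; // dirs:  0777 & !0077 = 0700

/// Constructed sample (not captured from a real host), mountinfo layout:
/// id parent maj:min root mountpoint mntopts ... - fstype source superopts
pub const SAMPLE_GOOD: &str = "36 35 8:1 / /boot/efi rw,nosuid,noexec,relatime \
    - vfat /dev/sda1 rw,fmask=0177,dmask=0077,codepage=437,utf8";

/// Mode vfat presents for an object, given the mask it applies to 0777.
pub fn effective_mode(mask: u32) -> u32 {
    0o777 & !mask
}

/// Parse one mountinfo line into (mountpoint, fstype, merged option map).
/// Per-mount flags (noexec, nosuid) sit before " - ", vfat masks after it.
pub fn parse_mountinfo_line(line: &str) -> Option<(String, String, HashMap<String, String>)> {
    let (left, right) = line.split_once(" - ")?;
    let lf: Vec<&str> = left.split_whitespace().collect();
    let rf: Vec<&str> = right.split_whitespace().collect();
    if lf.len() < 6 || rf.len() < 3 {
        return None;
    }
    let mut opts = HashMap::new();
    for opt in lf[5].split(',').chain(rf[2].split(',')) {
        let (k, v) = opt.split_once('=').unwrap_or((opt, ""));
        opts.insert(k.to_string(), v.to_string());
    }
    Some((lf[4].to_string(), rf[0].to_string(), opts))
}

/// List every way the mount falls short of the PR's options; empty = compliant.
pub fn check_esp_mount(line: &str) -> Vec<String> {
    let (mnt, fstype, opts) = match parse_mountinfo_line(line) {
        Some(parsed) => parsed,
        None => return vec!["unparseable mountinfo line".to_string()],
    };
    let mut problems = Vec::new();
    if fstype != "vfat" {
        problems.push(format!("{mnt}: fstype {fstype}, expected vfat"));
    }
    for flag in REQUIRED_FLAGS {
        if !opts.contains_key(*flag) {
            problems.push(format!("{mnt}: missing mount flag {flag}"));
        }
    }
    for (key, want) in [("fmask", REQUIRED_FMASK), ("dmask", REQUIRED_DMASK)] {
        // An absent or unparsable mask is treated as 0, i.e. fully permissive.
        let have = opts.get(key).and_then(|v| u32::from_str_radix(v, 8).ok()).unwrap_or(0);
        if have & want != want {
            problems.push(format!("{mnt}: {key}={have:04o} exposes mode {:04o}, want {:04o}",
                effective_mode(have), effective_mode(want)));
        }
    }
    problems
}
```

Running `check_esp_mount` over the ESP's real mountinfo line after `bootc install` is a cheap post-install check that the restrictive options actually took effect.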