From eb98d2ea110baed9651e33b83ce0da2dfa210080 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 13 Apr 2019 13:25:25 +0300
Subject: [PATCH] init: /dev can be noexec and /run nodev

/dev used to be mounted with "exec" flag due to /dev/MAKEDEV script
but that's history and it's now located in /sbin. mmap() with file
descriptor to "/dev/zero" (instead of modern mmap(,,,MAP_ANON...))
will still work.

There's no reason to have (char/block) device nodes in /run, so let's
mount it with "nodev". This does not affect sockets, fifos etc.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 init | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/init b/init
index 3dc9f6b..1cc96c3 100755
--- a/init
+++ b/init
@@ -33,7 +33,7 @@ export quiet
 
 # Note that this only becomes /dev on the real filesystem if udev's scripts
 # are used; which they will be, but it's worth pointing out
-mount -t devtmpfs -o nosuid,mode=0755 udev /dev
+mount -t devtmpfs -o noexec,nosuid,mode=0755 udev /dev
 mkdir /dev/pts
 mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true
 
@@ -207,7 +207,7 @@ else
 	resume=${RESUME:-}
 fi
 
-mount -t tmpfs -o "noexec,nosuid,size=${RUNSIZE:-10%},mode=0755" tmpfs /run
+mount -t tmpfs -o "nodev,noexec,nosuid,size=${RUNSIZE:-10%},mode=0755" tmpfs /run
 mkdir -m 0755 /run/initramfs
 
 if [ -n "$log_output" ]; then