[pve-devel] [PATCH kernel-meta 2/3] zz-pve-efiboot: re-exec in mount namespace
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Jul 11 11:22:50 CEST 2019
to avoid affecting the running system negatively, e.g. because the
target paths for mounting the ESPs have been modified via symlinks or
similar attacks.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
efiboot/zz-pve-efiboot | 2 ++
1 file changed, 2 insertions(+)
diff --git a/efiboot/zz-pve-efiboot b/efiboot/zz-pve-efiboot
index 954dbec..32dfe99 100755
--- a/efiboot/zz-pve-efiboot
+++ b/efiboot/zz-pve-efiboot
@@ -151,10 +151,12 @@ case $0:$mode in
# Also run if we have no DEB_MAINT_PARAMS, in order to work with old
# kernel packages.
*/postinst.d/*:|*/postinst.d/*:configure)
+ reexec_in_mountns "$@"
BOOT_KVERS="$(boot_kernel_list "$@")"
update_esps
;;
*/postrm.d/*:|*/postrm.d/*:remove)
+ reexec_in_mountns "$@"
# no newly installed kernel
BOOT_KVERS="$(boot_kernel_list)"
update_esps
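Review bot: In both the postinst.d and postrm.d branches, the return status of `reexec_in_mountns "$@"` is not checked. If the re-exec cannot happen, execution would fall through to `update_esps` in the original mount namespace, which is the situation the commit message sets out to avoid. The helper is not defined in this hunk, so its failure behaviour cannot be verified here. Unless the script runs under `set -e` or the helper exits on failure itself, consider `reexec_in_mountns "$@" || exit 1` in both places. Because the case matches on `$0:$mode`, a short comment would also help, stating that the re-executed script must see the same `$0` and mode to land in the same branch, and that the helper returns without re-executing on the second pass so the branch does not loop.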
--
2.20.1