From 346c96f6a27cb171037a17b28d632b4775a5e08c Mon Sep 17 00:00:00 2001
From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
Date: Thu, 12 Oct 2023 20:00:44 +0800
Subject: [PATCH] mount sysfs and proc with noguid, nodev and noexec mode

Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
(cherry picked from commit 063670f1ab23cba735db83c0935c539c00efde4b)
---
 ...-and-proc-with-nodev-and-noexec-mode.patch | 31 +++++++++++++++++++
 install-scripts.spec                          |  9 +++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 0006-mount-sysfs-and-proc-with-nodev-and-noexec-mode.patch

diff --git a/0006-mount-sysfs-and-proc-with-nodev-and-noexec-mode.patch b/0006-mount-sysfs-and-proc-with-nodev-and-noexec-mode.patch
new file mode 100644
index 0000000..dafece8
--- /dev/null
+++ b/0006-mount-sysfs-and-proc-with-nodev-and-noexec-mode.patch
@@ -0,0 +1,31 @@
+From c272c36c9455f92200d42de951065c1cf8205547 Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Thu, 12 Oct 2023 21:31:42 +0800
+Subject: [PATCH] mount sysfs and proc with nodev and noexec mode
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+---
+ usr/Euler/project/install/setupOS.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr/Euler/project/install/setupOS.sh b/usr/Euler/project/install/setupOS.sh
+index 807d01f..af4777f 100644
+--- a/usr/Euler/project/install/setupOS.sh
++++ b/usr/Euler/project/install/setupOS.sh
+@@ -294,10 +294,10 @@ function SetupOS_CpFstab()
+         fi
+ 
+         #modify fstab，add "proc，sysfs，debugfs，usbfs，devpts"
+-        echo "sysfs                /sys                 sysfs      noauto                0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
+-        echo "proc                 /proc                proc       defaults              0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
++        echo "sysfs                /sys                 sysfs      nosuid,nodev,noexec,noauto                0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
++        echo "proc                 /proc                proc       nosuid,nodev,noexec              0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
+         echo "usbfs                /proc/bus/usb        usbfs      noauto                0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
+-        echo "devpts               /dev/pts             devpts     mode=0620,gid=5       0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
++        echo "devpts               /dev/pts             devpts     nosuid,noexec,mode=0620,gid=5       0 0" >> ${LOCAL_DISK_PATH}${SI_FSTAB}
+ 
+         g_LOG_Info "copy $FSTAB_FILE success."
+ 
+-- 
+2.27.0
+
diff --git a/install-scripts.spec b/install-scripts.spec
index fdd9b0f..b3db7ad 100644
--- a/install-scripts.spec
+++ b/install-scripts.spec
@@ -3,7 +3,7 @@ Summary:        scripts for system installation
 Group:          Applications/System
 License:        MulanPSL-2.0
 Version:        1.2
-Release:        9
+Release:        10
 SOURCE0:        %{name}-%{version}.tar.gz
 
 Patch0001: 0001-add-support-for-nvme-disk.patch
@@ -11,6 +11,7 @@ Patch0002: 0002-support-mbsc.patch
 Patch0003: 0003-remove-the-executable-permission-of-non-root-users-f.patch
 Patch0004: 0004-fix-missing-quotation-in-filetransfer.sh.patch
 Patch0005: 0005-support-use-20-escape-characters-in-url.patch
+Patch0006: 0006-mount-sysfs-and-proc-with-nodev-and-noexec-mode.patch
 
 Requires:       kernel
 BuildRequires:  dos2unix coreutils findutils
@@ -103,6 +104,12 @@ rm -rf $RPM_BUILD_DIR/%{name}-%{version}
 %attr(0640,root,root) /etc/sysctl.d/01-euler-printk.conf
 
 %changelog
+* Thu Oct 12 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1.2-10
+- Type:requirement
+- CVE:NA
+- SUG:NA
+- DESC:mount sysfs and proc with nodev and noexec mode
+
 * Tue Aug 15 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1.2-9
 - Type:requirement
 - CVE:NA
-- 
Gitee