I think one problem with changing this in systemd is that generators are allowed to be placed in /run [1]. While mounting /run noexec would not affect interpreted generators like bash scripts, it would prevent binary executable generators from being placed in /run.
If we find it necessary, we could carry a delta for this in Ubuntu, but I am not sure this is a change upstream will accept.

[1] https://www.freedesktop.org/software/systemd/man/systemd.generator.html

--
https://bugs.launchpad.net/bugs/1991661

Title:
  systemd mounts /run without noexec

Status in initramfs-tools package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  initramfs-tools in Bionic+, when mounting the filesystem, mounts /run with noexec.

  Cloud images run without initramfs and rely on systemd for the mounts. systemd, however, mounts /run without noexec.

  Snip from mount-setup.c (either in src/core/mount-setup.c < 248 or src/shared/mount-setup.c in >= 248):

  ```c
  #if ENABLE_SMACK
          { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME, mac_smack_use, MNT_FATAL },
  #endif
          { "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME, NULL, MNT_FATAL|MNT_IN_CONTAINER },
  ```

  Originally raised in an askubuntu forum: https://askubuntu.com/questions/1432383/mounting-run-as-noexec/1433208

  CPC hasn't received word from any partners yet, but it does constitute a possible regression from how the system was mounted in Bionic and Focal before moving to optimized boots in 2020/2021.
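An added example, not taken from the bug report, systemd or Ubuntu: a POSIX shell audit that parses the /proc/self/mountinfo format and reports whether a mount point such as /run carries the noexec flag, so the difference between the initramfs-tools and systemd mounts described above can be checked on a running system. The mount table below is a constructed sample; on a live host pass the contents of /proc/self/mountinfo instead.

```shell
#!/bin/sh
# Added example (not from the bug report or systemd): check the mount
# options of a mount point using the /proc/self/mountinfo layout:
#   id parent major:minor root mountpoint mountopts [optional...] - fstype source superopts
# Mount points containing spaces appear octal-escaped (e.g. \040) there.

# Constructed sample: /proc is noexec, /run is not, /run/lock is.
SAMPLE_MOUNTINFO='22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
24 1 0:22 / /run rw,nosuid,nodev,relatime shared:5 - tmpfs tmpfs rw,size=804256k,mode=755
25 24 0:23 / /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs rw,size=5120k'

# mount_opts <mountinfo-text> <mountpoint>: print the per-mount options
# (field 6) of the first entry whose mount point (field 5) matches exactly.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { print $6; exit }'
}

# has_noexec <mountinfo-text> <mountpoint>:
#   returns 0 if the mount carries noexec, 1 if mounted without it,
#   2 if the mount point is not present in the table at all.
has_noexec() {
    local opts
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_mount <mountinfo-text> <mountpoint>: one-line human-readable verdict.
audit_mount() {
    rc=0
    has_noexec "$1" "$2" || rc=$?
    case $rc in
        0) printf '%s: noexec set\n' "$2" ;;
        1) printf '%s: mounted WITHOUT noexec (binaries placed here can be executed)\n' "$2" ;;
        *) printf '%s: not found in mount table\n' "$2" ;;
    esac
}

# Run against the constructed sample; on a real host use:
#   audit_mount "$(cat /proc/self/mountinfo)" /run
audit_mount "$SAMPLE_MOUNTINFO" /run
```

The check reports only the flag; as the comment above notes, noexec on /run stops binary generators placed there but not interpreted ones, so the verdict says nothing about whether anything in /run still needs to execute.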

