Skip to content

bootupd: Fix /sys read-only mount issue #1974

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cgwalters merged 1 commit into from
Feb 9, 2026
Merged

bootupd: Fix /sys read-only mount issue #1974

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion crates/utils/src/bwrap.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ impl<'a> BwrapCmd<'a> {
// See https://systemd.io/API_FILE_SYSTEMS/
cmd.args(["--proc", "/proc"]);
cmd.args(["--dev", "/dev"]);
cmd.args(["--ro-bind", "/sys", "/sys"]);
cmd.args(["--bind", "/sys", "/sys"]);
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

While this change fixes the issue with efibootmgr, it makes /sys writable for all commands executed via BwrapCmd. This could be a security concern as it weakens the sandbox for commands that don't require write access to /sys, violating the principle of least privilege.

A more robust approach would be to make this configurable. For example, you could add a field to BwrapCmd to control this behavior, and default to read-only. Callers that need a writable /sys would then explicitly opt-in.

Here's an example of how you could implement this:

// In BwrapCmd struct:
sys_rw: bool,

// In BwrapCmd::new():
// ...
sys_rw: false,

// Add a new builder method:
pub fn sys_rw(mut self, rw: bool) -> Self {
    self.sys_rw = rw;
    self
}

// In BwrapCmd::run():
if self.sys_rw {
    cmd.args(["--bind", "/sys", "/sys"]);
} else {
    cmd.args(["--ro-bind", "/sys", "/sys"]);
}

Could you please consider refactoring to this approach for better security?

Copy link
Collaborator

@cgwalters cgwalters Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, could be a followup

Copy link
Collaborator Author

@henrywang henrywang Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or I can mount /sys read-only but add a read-write bind mount for /sys/firmware/efi/efivars. This should be more secure, I think.

Copy link
Collaborator

@cgwalters cgwalters Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah in this specific case I think that's the right thing to do.


// Add bind mounts
for (source, target) in &self.bind_mounts {
Expand Down