mount /proc at boot as read-only

valdis.kletnieks at vt.edu
Sun Jan 6 17:45:33 EST 2019


On Sun, 06 Jan 2019 21:13:26 +0300, Lev Olshvang said:

> I am trying to harden the embedded system.
> I have embedded system with systemd .....

OK, you've already got a problem right there.

It's an embedded system.  Therefore, you know everything that should be running,
and what order it should start in.  If you don't already know that, you have bigger
design issues.

So you probably want to reduce system complexity and save both RAM and flash
memory space by heaving systemd over the side and using something simpler
(sysvinit, or upstart, or even use '/bin/make' if you want to guarantee that
certain tasks don't start till others have actually launched successfully, or
use a custom-written system launcher).

That's going to do more to reduce the attack surface than any amount of monkeying
around with the permissions in /proc will do.



More information about the Kernelnewbies mailing list