sys-apps/util-linux/files/CHROMIUM-mount-no-canonicalize.patch - third_party/overlays/chromiumos-overlay - Git at Google

 # Force-enable -c/--no-canonicalize for mount(8).
 # This will prevent mount(8) from following symlinks, which can be used
 # essentially as a write-anywhere-as-root primitive.
 # See b/194944898 for details.

 --- a/sys-utils/mount.c	2021-02-12 06:32:01.835988410 -0500
 +++ b/sys-utils/mount.c	2022-03-18 18:53:36.704541168 -0400
 @@ -862,6 +862,10 @@
  		mnt_context_set_optsmode(cxt, optmode);
  	}

 +	/* Always disable canonicalization to avoid following malicious
 +	   symlinks. */
 +	mnt_context_disable_canonicalize(cxt, TRUE);
 +
  	if (fstab && !mnt_context_is_nocanonicalize(cxt)) {
  		/*
  		 * We have external (context independent) fstab instance, let's
	# Force-enable -c/--no-canonicalize for mount(8).
	# This will prevent mount(8) from following symlinks, which can be used
	# essentially as a write-anywhere-as-root primitive.
	# See b/194944898 for details.

	--- a/sys-utils/mount.c 2021-02-12 06:32:01.835988410 -0500
	+++ b/sys-utils/mount.c 2022-03-18 18:53:36.704541168 -0400
	@@ -862,6 +862,10 @@
	mnt_context_set_optsmode(cxt, optmode);
	}

	+ /* Always disable canonicalization to avoid following malicious
	+ symlinks. */
	+ mnt_context_disable_canonicalize(cxt, TRUE);
	+
	if (fstab && !mnt_context_is_nocanonicalize(cxt)) {
	/*
	* We have external (context independent) fstab instance, let's