From b6bcc208dda00ae4b310bd2fd513fe250f8b2c10 Mon Sep 17 00:00:00 2001
From: Xin Shi
Date: Thu, 24 Aug 2023 09:35:40 +0800
Subject: [PATCH 4/5] embedded: add noexec mount option to strenthen tmp partition

Signed-off-by: Xin Shi
---
 embedded/tmp.mount | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 embedded/tmp.mount

diff --git a/embedded/tmp.mount b/embedded/tmp.mount
new file mode 100644
index 0000000..c2df09d
--- /dev/null
+++ b/embedded/tmp.mount
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Temporary Directory /tmp
+Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
+Documentation=man:file-hierarchy(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target
-- 
2.27.0
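Review bot: The Options line appends noexec with no comment recording why it was added or what it does not cover, which whoever next tunes this unit will need; a line above it such as `# noexec: refuse direct execution of files on this mount; covers /tmp only (not /var/tmp or /dev/shm) and is one hardening layer, not a substitute for controlling what lands in /tmp` would capture the intent, and `# %% escapes systemd specifier expansion` next to size=50%% would save a future "fix". The header still states "This file is part of systemd." although the unit now lives under embedded/ and appears to be derived from systemd's upstream tmp.mount with noexec appended, so the provenance comment should say "derived from" rather than claim upstream membership. The hardening only takes effect once tmp.mount is actually enabled (the Install section targets local-fs.target); if the embedded image leaves /tmp on the root filesystem the option is never applied, and the enable step is not visible in this patch.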