https://bugs.gentoo.org/958339
https://www.openwall.com/lists/oss-security/2025/06/17/5
https://www.openwall.com/lists/oss-security/2025/06/17/5/2

From 0007d5616f4dbc9ccd65b9094ffc18c6f776d06a Mon Sep 17 00:00:00 2001
From: Tomas Bzatek <tbzatek@redhat.com>
Date: Wed, 4 Jun 2025 15:26:46 +0200
Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
 'nodev,nosuid'

The private mount done in take_filesystem_ownership() should always
default to 'nodev,nosuid' for security and 'errors=remount-ro' for
selected filesystem to handle corrupted filesystem. This is consistent
with mount options calculation for regular mounts.
--- a/src/udiskslinuxfilesystemhelpers.c
+++ b/src/udiskslinuxfilesystemhelpers.c
@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar  *device,
 
 {
   gchar *mountpoint = NULL;
+  const gchar *mount_opts;
   GError *local_error = NULL;
   gboolean unmount = FALSE;
   gboolean success = TRUE;
@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar  *device,
               goto out;
             }
 
+          mount_opts = "nodev,nosuid";
+          if (g_strcmp0 (fstype, "ext2") == 0 ||
+              g_strcmp0 (fstype, "ext3") == 0 ||
+              g_strcmp0 (fstype, "ext4") == 0 ||
+              g_strcmp0 (fstype, "jfs") == 0)
+            mount_opts = "nodev,nosuid,errors=remount-ro";
+
           /* TODO: mount to a private mount namespace */
-          if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
+          if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
             {
               g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
                            "Cannot mount %s at %s: %s",
-- 
2.49.0