#!/bin/sh
source /lib/functions.sh

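do_mount_debugfs_security() {
    # Mount debugfs on /sys/kernel/debug with nosuid,nodev,noexec,noatime to
    # reduce attack surface. Original author's note: all of these options
    # except noatime come by default.
    #
    # Returns: 0 when /sys/kernel/debug does not exist (nothing to do),
    #          otherwise the exit status of mount.
    #
    # NOTE(review): the options are given to this one mount call only. If
    # debugfs is mounted again elsewhere, or mounted here earlier by another
    # component, that mount does not necessarily carry them - confirm against
    # the rest of the boot sequence.
    local status

    if [ -d "/sys/kernel/debug" ]; then
        echo "Mounting /sys/kernel/debug with security options"
        mount -o nosuid,nodev,noexec,noatime -t debugfs debugfs /sys/kernel/debug
        status=$?
        if [ "$status" -ne 0 ]; then
            # A failed mount means the restricted options were not applied by
            # this hook; report it instead of silently continuing the boot.
            echo "Failed to mount /sys/kernel/debug with security options (mount exit status $status)" >&2
        fi
        return "$status"
    else
        echo "No need to mount /sys/kernel/debug since it doesn't exist"
    fi
}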

# Register do_mount_debugfs_security on the preinit_main boot hook.
# boot_hook_add is not defined in this file; presumably it comes from the
# sourced /lib/functions.sh or the surrounding preinit environment - confirm.
boot_hook_add preinit_main do_mount_debugfs_security
