From 98cb263b83e6f4eb2b338db7052a289bb7367de2 Mon Sep 17 00:00:00 2001
From: 0xdeadd
Date: Thu, 30 Apr 2026 17:16:11 -0400
Subject: [PATCH 1/3] fix: restrict EFI partition permissions with fmask/dmask=0077 Mount the ESP with fmask=0077 and dmask=0077 to prevent world-readable files like /efi/loader/random-seed. Closes #4241
---
 archinstall/lib/installer.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py
index 44a10eb2d4..676bc0fd48 100644
--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
@@ -375,7 +375,14 @@ def _mount_partition(self, part_mod: PartitionModification) -> None:
 # it would be none if it's btrfs as the subvolumes will have the mountpoints defined
 if part_mod.mountpoint:
 target = self.target / part_mod.relative_mountpoint
- mount(part_mod.dev_path, target, options=part_mod.mount_options)
+ options = list(part_mod.mount_options)
+
+ if part_mod.is_efi():
+ for opt in ('fmask=0077', 'dmask=0077'):
+ if opt not in options:
+ options.append(opt)
+
+ mount(part_mod.dev_path, target, options=options)
 elif part_mod.fs_type == FilesystemType.BTRFS:
 # Only mount BTRFS subvolumes that have mountpoints specified
 subvols_with_mountpoints = [sv for sv in part_mod.btrfs_subvols if sv.mountpoint is not None]
From 6ed42e3ca13199a423b61278f5e85921bfbf76d2 Mon Sep 17 00:00:00 2001
From: 0xdeadd
Date: Wed, 13 May 2026 11:36:42 -0400
Subject: [PATCH 2/3] fix(efi): collapse fmask/dmask dedup to dict.fromkeys one-liner Per @Torxed's review feedback. Same semantics as the previous loop (dedupe by exact-string match) but shorter. dict.fromkeys preserves insertion order, where set() would not.
---
 archinstall/lib/installer.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py
index 676bc0fd48..a05acd9f31 100644
--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
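Review bot: The `if opt not in options` check compares whole strings, so a caller-supplied `fmask=0022` or `dmask=0022` is kept and the hardened value is only appended after it; the restriction then depends on the filesystem honouring the last occurrence. An option list that already holds `fmask=0077` followed by a looser `fmask=` value gets nothing appended at all, leaving the looser one last. Filtering by key makes the outcome deterministic: `options = [o for o in part_mod.mount_options if not o.startswith(('fmask=', 'dmask='))] + ['fmask=0077', 'dmask=0077']`. The `dict.fromkeys` form introduced in patch 2/3 has the same exact-string limitation. `_mount_partition` starts and ends outside the hunk.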
@@ -378,9 +378,7 @@ def _mount_partition(self, part_mod: PartitionModification) -> None:
 options = list(part_mod.mount_options)

 if part_mod.is_efi():
- for opt in ('fmask=0077', 'dmask=0077'):
- if opt not in options:
- options.append(opt)
+ options = list(dict.fromkeys(options + ['fmask=0077', 'dmask=0077']))

 mount(part_mod.dev_path, target, options=options)
 elif part_mod.fs_type == FilesystemType.BTRFS:
From 3051cac7dbbdde642cb49a1bf7e98e0834164421 Mon Sep 17 00:00:00 2001
From: 0xdeadd
Date: Sat, 16 May 2026 08:36:01 -0400
Subject: [PATCH 3/3] fix(efi): drop defensive list wrap per review The list() copy on line 378 was load-bearing only if options were mutated downstream, but the EFI branch reassigns options via dict.fromkeys() (line 381) and the non-EFI branch passes through to mount() without mutating. Drop the copy.
---
 archinstall/lib/installer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py
index a05acd9f31..61c51b9204 100644
--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
@@ -375,7 +375,7 @@ def _mount_partition(self, part_mod: PartitionModification) -> None:
 # it would be none if it's btrfs as the subvolumes will have the mountpoints defined
 if part_mod.mountpoint:
 target = self.target / part_mod.relative_mountpoint
- options = list(part_mod.mount_options)
+ options = part_mod.mount_options

 if part_mod.is_efi():
 options = list(dict.fromkeys(options + ['fmask=0077', 'dmask=0077']))
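Review bot: Nothing at the `if part_mod.is_efi():` branch records why these two masks are forced, and the one-liner makes the intent harder to recover than the loop did. A comment above the branch such as `# ESP: keep files like loader/random-seed from being world-readable (#4241)` would preserve it. The masks visible here apply to the install-time mount under `self.target`; it is worth confirming that the fstab written for the installed system carries them as well, since that is where the exposure described in the commit message would occur. The enclosing function extends beyond the hunk.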
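Review bot: With the `list()` copy removed, `options + ['fmask=0077', 'dmask=0077']` only works when `part_mod.mount_options` is a `list`; a tuple or other sequence would raise `TypeError` on the ESP path, where the earlier code accepted any iterable. The declared type of `mount_options` is not visible in this hunk, so this should be checked against `PartitionModification`. Unpacking removes the dependency without reintroducing a separate copy: `options = list(dict.fromkeys([*options, 'fmask=0077', 'dmask=0077']))`. The non-EFI path now also passes the model's own list object to `mount()`, which is safe only as long as `mount()` does not modify it.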