Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property

From: Kees Cook
Date: Thu May 14 2020 - 11:49:02 EST

Next message: Paul E. McKenney: "Re: [PATCH 07/10] rcu: Temporarily assume that nohz full CPUs might not be NOCB"
Previous message: Paul E. McKenney: "Re: [PATCH 04/10] rcu: Implement rcu_segcblist_is_offloaded() config dependent"
In reply to: Lev R. Oshvang .: "Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 14, 2020 at 11:14:04AM +0300, Lev R. Oshvang . wrote:
> New sysctl is indeed required to allow userspace that places scripts
> or libs under noexec mounts.

But since this is a not-uncommon environment, we must have the sysctl
otherwise this change would break those systems.

> fs.mnt_noexec_strict =0 (allow, e) , 1 (deny any file with --x
> permission), 2 (deny when O_MAYEXEC absent), for any file with ---x
> permissions)

I don't think we want another mount option -- this is already fully
expressed with noexec and the system-wide sysctl.

--
Kees Cook

Next message: Paul E. McKenney: "Re: [PATCH 07/10] rcu: Temporarily assume that nohz full CPUs might not be NOCB"
Previous message: Paul E. McKenney: "Re: [PATCH 04/10] rcu: Implement rcu_segcblist_is_offloaded() config dependent"
In reply to: Lev R. Oshvang .: "Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]