[PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property
Kees Cook
keescook at chromium.org
Thu May 14 15:48:57 UTC 2020
On Thu, May 14, 2020 at 11:14:04AM +0300, Lev R. Oshvang . wrote:
> New sysctl is indeed required to allow userspace that places scripts
> or libs under noexec mounts.
But since this is a not-uncommon environment, we must have the sysctl
otherwise this change would break those systems.
> fs.mnt_noexec_strict =0 (allow, e) , 1 (deny any file with --x
> permission), 2 (deny when O_MAYEXEC absent), for any file with ---x
> permissions)
I don't think we want another mount option -- this is already fully
expressed with noexec and the system-wide sysctl.
--
Kees Cook
More information about the Linux-security-module-archive
mailing list