While the kernel can create files that ignore the mount options, I
believe that the behaviour is consistent with the rest of the vfs - that
is, a /proc mounted noexec will not allow files to be executed, even if
the kernel has created them with the execute bit. Having a noexec/nosuid
/proc was an acceptable workaround for one of the more recent Linux
kernel vulnerabilities, so there's a chance that it'll help avoid
future attacks.

The /dev case is more subtle. Vbetool mmaps /dev/zero, so that is probably
what's getting upset there.

--
Matthew Garrett | <email address hidden>
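The two points in the message above (a noexec/nosuid /proc as hardening, and a noexec /dev breaking programs such as vbetool that mmap /dev/zero with PROT_EXEC) can be checked on a host from its mount table. The following audit script is an added example written for this page; it is not code from Matthew Garrett, vbetool or the kernel. It parses lines in the format of /proc/self/mounts (a constructed sample is embedded so it runs offline), reports whether /proc carries nosuid and noexec, flags a noexec /dev, and offers a probe that tries a PROT_EXEC mapping of /dev/zero and returns the errno the kernel gives (EPERM on a noexec mount). The finding strings and function names are this example's own.

```python
"""Added example (not from the original message): audit /proc and /dev
mount options as discussed above, using the /proc/self/mounts format:
    <source> <mountpoint> <fstype> <options> <dump> <pass>
"""
import mmap
import os
import re

# Constructed sample mount table for this example: /proc hardened with
# nosuid,nodev,noexec and /dev mounted noexec (the case that upsets vbetool).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,noexec,relatime,size=8k,nr_inodes=1k,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=16k,mode=755 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """Decode the \\ooo octal escapes the kernel uses for spaces, tabs etc."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Map mount point -> set of option flags (e.g. {'rw', 'noexec', ...})."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mountpoint = _unescape(fields[1])
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit_mount(mounts, path, want):
    """Return the sorted list of flags from `want` missing on the mount at
    `path`, or None if `path` is not a mount point in the table."""
    opts = mounts.get(path)
    if opts is None:
        return None
    return sorted(set(want) - opts)


def assess(text):
    """Apply the two checks from the discussion to a mount table and return
    a list of human-readable findings (empty list means nothing to report)."""
    mounts = parse_mounts(text)
    findings = []
    missing = audit_mount(mounts, "/proc", ("nosuid", "noexec"))
    if missing is None:
        findings.append("/proc not mounted")
    elif missing:
        findings.append("/proc lacks " + ",".join(missing))
    if "noexec" in mounts.get("/dev", set()):
        findings.append("/dev is noexec: PROT_EXEC mappings of /dev/zero "
                        "will fail with EPERM")
    return findings


def probe_exec_mmap(path="/dev/zero", length=4096):
    """Try to map `path` PROT_READ|PROT_EXEC (MAP_PRIVATE) and return 0 on
    success or the errno on failure. On a noexec mount Linux refuses the
    executable mapping with EPERM, which is the failure a /dev/zero-mapping
    program hits. Unix only; never raises."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as e:
        return e.errno
    try:
        m = mmap.mmap(fd, length, flags=mmap.MAP_PRIVATE,
                      prot=mmap.PROT_READ | mmap.PROT_EXEC)
        m.close()
        return 0
    except OSError as e:
        return e.errno
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Read the live table when available, otherwise fall back to the sample.
    try:
        with open("/proc/self/mounts") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_MOUNTS
    for finding in assess(table) or ["no findings"]:
        print(finding)
    print("PROT_EXEC mmap of /dev/zero -> errno", probe_exec_mmap())
```

Run it as root or not; reading /proc/self/mounts needs no privilege. A non-zero result from the probe together with a "/dev is noexec" finding is the signature of the /dev case described above; the fix is to drop noexec from /dev rather than from /proc.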