Comment 19 for bug 54530

Matthew Garrett (mjg59) wrote : Re: [Bug 54530] Re: [Bug 54530] Re: Virtual filesystem mounts could use more restrictive mount options

While the kernel can create files that ignore the mount options, I
believe that the behaviour is consistent with the rest of the vfs - that
is, a /proc mounted noexec will not allow files to be executed, even if
the kernel has created them with the execute bit. Having a noexec/nosuid
/proc was an acceptable workaround for one of the more recent Linux
kernel vulnerabilities, so there's a chance that it'll help avoid
future attacks.

The /dev case is more subtle. Vbetool mmaps /dev/zero, so is probably
what's getting upset there.
--
Matthew Garrett | <email address hidden>
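As an added illustration of the point made in this comment (not code from the bug thread or from any Ubuntu package), the script below audits /proc/mounts-style entries for the noexec/nosuid options being discussed, and flags the /dev caveat separately: when /dev is mounted noexec, a PROT_EXEC mmap of /dev/zero is refused by the kernel with EPERM, which is the failure a program like vbetool runs into. The mount lines are a constructed sample embedded in the script; the function names and the sample values are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example: audit virtual-filesystem mounts for noexec/nosuid and
# report the /dev side effect. Input is a constructed /proc/mounts sample,
# not a real system's mount table.

# Constructed sample in /proc/mounts format: "dev mountpoint fstype options 0 0"
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,relatime 0 0
udev /dev devtmpfs rw,nosuid,noexec,relatime,size=1024k 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
EOF

# mount_opts FILE MOUNTPOINT -> prints the option field for MOUNTPOINT
# (prints nothing when the mountpoint is absent from FILE)
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# has_opt OPTS NAME -> succeeds when NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_hardening FILE MOUNTPOINT -> prints the subset of "noexec nosuid"
# that MOUNTPOINT lacks; prints nothing when both are set
missing_hardening() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    echo "${missing# }"
}

# dev_mmap_caveat FILE -> "noexec" when /dev is mounted noexec, meaning an
# mmap(..., PROT_EXEC, ...) of /dev/zero fails with EPERM; "ok" otherwise
dev_mmap_caveat() {
    if has_opt "$(mount_opts "$1" /dev)" noexec; then
        echo "noexec"
    else
        echo "ok"
    fi
}

# Report on the sample: /proc and /sys should carry noexec,nosuid
for mp in /proc /sys; do
    m=$(missing_hardening "$SAMPLE_MOUNTS" "$mp")
    if [ -n "$m" ]; then
        echo "$mp: missing $m"
    else
        echo "$mp: noexec,nosuid present"
    fi
done

# /dev is the subtle case: the hardening option that protects /proc breaks
# executable mappings of /dev/zero on /dev
if [ "$(dev_mmap_caveat "$SAMPLE_MOUNTS")" = noexec ]; then
    echo "/dev: noexec set; PROT_EXEC mmap of /dev/zero will be refused (EPERM)"
fi

rm -f "$SAMPLE_MOUNTS"
```

Run against a live system by replacing the sample file with /proc/mounts; the /dev line is the one to read with the comment's caveat in mind, since noexec there trades the protection for breakage in anything that needs an executable mapping of /dev/zero.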