On 01/25/2014 12:15 PM, Chris Murphy wrote: > OK, so is the fact it's persistently available the problem? Because > if I were to have a persistent backup of sysroot mounted, I've got > the same attack vector available. By default for even an unprivileged > user gnome-shell mounts with By default, gnome-shell mounts volumes > with rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2. Right, it's having a persistent and usable copy of a vulnerability. > So another possibility is to have a "snapshots" subvolume > persistently mounted, with noexec, and always place snapshots in that > subvolume. That sounds good -- even might be just nosuid on that. Josh -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
