On Thu, May 14, 2020 at 11:14:04AM +0300, Lev R. Oshvang . wrote:
> New sysctl is indeed required to allow userspace that places scripts
> or libs under noexec mounts.

But since this is a not-uncommon environment, we must have the sysctl
otherwise this change would break those systems.

> fs.mnt_noexec_strict =0 (allow, e) , 1 (deny any file with --x
> permission), 2 (deny when O_MAYEXEC absent), for any file with ---x
> permissions)

I don't think we want another mount option -- this is already fully
expressed with noexec and the system-wide sysctl.

--
Kees Cook