On Thu, May 14, 2020 at 6:48 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Thu, May 14, 2020 at 11:14:04AM +0300, Lev R. Oshvang . wrote:
> > New sysctl is indeed required to allow userspace that places scripts
> > or libs under noexec mounts.
>
> But since this is a not-uncommon environment, we must have the sysctl
> otherwise this change would break those systems.
>
> But I proposed sysctl on a line below.
>
> > fs.mnt_noexec_strict =1 (allow, e) , 1 (deny any file with --x
> > permission), 2 (deny when O_MAYEXEC absent), for any file with ---x
> > permissions)
>
> I don't think we want another mount option -- this is already fully
> expressed with noexec and the system-wide sysctl.
>
> --

The intended use of the proposed sysctl is to enable the sysadmin to decide what the desired semantics of a mount with the NO_EXEC option are.

fs.mnt_noexec_scope = 0 | 1 | 2 | 3
0 - means old behaviour, i.e. do not run executables and scripts (default)
1 - deny any file with --x permissions, i.e. executables, scripts and libs
2 - deny any file when O_MAYEXEC is present.

I think this is enough to handle all use cases and to not break current sysadmin mount settings.

I oppose the new O_MAY_EXECMOUNT flag; the kernel already has MNT_NO_EXEC, SB_NOEXEC and SB_I_NOEXEC, and I frankly do not understand why so many variants exist.

Lev
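The following is an added example, not part of the thread and not kernel code. It models the three scope values Lev sketches above as a small decision function so the difference between them is visible on concrete requests: a direct execve of a binary, an interpreter opening a script with and without execute bits, and an interpreter that declares its intent with the proposed O_MAYEXEC flag. The names `OpenRequest`, `noexec_policy` and the `SCOPE_*` constants are my own; O_MAYEXEC is modelled as a boolean on the request rather than used as a real open(2) flag, and I read the three scopes as independent settings rather than cumulative levels, which is an assumption. `is_on_noexec_mount` is the one piece that talks to the real system, via the ST_NOEXEC bit that statvfs already reports today.

```python
import os
from dataclasses import dataclass

# Sysctl values as sketched in the thread (hypothetical names, modelled here).
SCOPE_LEGACY = 0          # 0: today's behaviour, execve/mmap(PROT_EXEC) refused, reads allowed
SCOPE_DENY_EXEC_BITS = 1  # 1: additionally refuse opening any file carrying an x bit
SCOPE_DENY_MAYEXEC = 2    # 2: additionally refuse opens where the caller passed O_MAYEXEC


@dataclass
class OpenRequest:
    on_noexec_mount: bool  # file lives on a mount flagged noexec
    mode: int              # permission bits of the file, e.g. 0o755
    via_execve: bool       # direct execve() / mmap(PROT_EXEC) of the file
    o_mayexec: bool        # interpreter opened it with the proposed O_MAYEXEC (modelled)


def is_on_noexec_mount(path: str) -> bool:
    """True if the filesystem holding `path` is mounted noexec.

    Uses the ST_NOEXEC bit of statvfs(3); on platforms without the
    constant this conservatively reports False.
    """
    st_noexec = getattr(os, "ST_NOEXEC", 0)
    return bool(os.statvfs(path).f_flag & st_noexec)


def noexec_policy(req: OpenRequest, scope: int) -> str:
    """Return "allow" or "deny" for a request under the given scope value."""
    if not req.on_noexec_mount:
        return "allow"  # the sysctl only changes behaviour on noexec mounts
    if req.via_execve:
        return "deny"   # every scope keeps the legacy refusal of direct execution
    has_x = bool(req.mode & 0o111)
    if scope == SCOPE_DENY_EXEC_BITS and has_x:
        return "deny"   # scope 1: the x bit alone marks the file as off-limits
    if scope == SCOPE_DENY_MAYEXEC and req.o_mayexec:
        return "deny"   # scope 2: a cooperating interpreter asked and is refused
    return "allow"      # plain reads, including an interpreter that never asks


def decision_matrix(scope: int) -> dict:
    """Evaluate a fixed set of constructed requests under one scope value."""
    cases = {
        "binary_0755_execve": OpenRequest(True, 0o755, True, False),
        "script_0644_read_by_old_interp": OpenRequest(True, 0o644, False, False),
        "script_0755_read_by_old_interp": OpenRequest(True, 0o755, False, False),
        "script_0644_open_with_mayexec": OpenRequest(True, 0o644, False, True),
        "script_0755_open_with_mayexec": OpenRequest(True, 0o755, False, True),
    }
    return {name: noexec_policy(req, scope) for name, req in cases.items()}


if __name__ == "__main__":
    for scope in (SCOPE_LEGACY, SCOPE_DENY_EXEC_BITS, SCOPE_DENY_MAYEXEC):
        print(f"fs.mnt_noexec_scope={scope}")
        for name, verdict in decision_matrix(scope).items():
            print(f"  {name:34s} {verdict}")
    print("this tree is on a noexec mount:", is_on_noexec_mount("."))
```

Running the matrix makes the gap the thread is about explicit: under every scope a script with mode 0644 read by an interpreter that does not pass O_MAYEXEC is allowed, because from the kernel's point of view it is just a read. Scope 1 catches files only when the execute bit is set; scope 2 catches files only when the interpreter cooperates by asking.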