• Eric W. Biederman's avatar
    vfs: Commit to never having exectuables on proc and sysfs. · 90f8572b
    Eric W. Biederman authored
    Today proc and sysfs do not contain any executable files.  Several
    applications today mount proc or sysfs without noexec and nosuid and
    then depend on there being no exectuables files on proc or sysfs.
    Having any executable files show on proc or sysfs would cause
    a user space visible regression, and most likely security problems.
    
    Therefore commit to never allowing executables on proc and sysfs by
    adding a new flag to mark them as filesystems without executables and
    enforce that flag.
    
    Test the flag where MNT_NOEXEC is tested today, so that the only user
    visible effect will be that exectuables will be treated as if the
    execute bit is cleared.
    
    The filesystems proc and sysfs do not currently incoporate any
    executable files so this does not result in any user visible effects.
    
    This makes it unnecessary to vet changes to proc and sysfs tightly for
    adding exectuable files or changes to chattr that would modify
    existing files, as no matter what the ind...
    90f8572b
root.c 5.74 KB