Subject: Re: usermount semantics changed... Why?
To: Eric Haszlakiewicz <erh@nimenees.com>
From: Peter Seebach <seebs@seebs.net>
List: current-users
Date: 06/10/2007 12:27:30
In message <20070610172222.GA19212@nimenees.com>, Eric Haszlakiewicz writes:
> You're talking about the "mount(2) on kauth(9)" conversation, around
>the beginning of January, right?

Yes.

>Looking at what changed there, I see that the previous code did this:

>-	 * For non-root users, silently enforce MNT_NOSUID and MNT_NODEV.
>-	 */
>-	if (kauth_cred_geteuid(l->l_cred) != 0) {
>-		flags |= MNT_NOSUID | MNT_NODEV;
>-	}
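Review bot: removing this silent OR-in of MNT_NOSUID | MNT_NODEV is a user-visible semantics change, not just a relocation: a non-root mount(2) request that omitted those flags used to proceed with them added, and after this hunk nothing adjusts the flags, so such a request can only be refused (the reply below reports EPERM). The commit message and mount(8)/mount(2) documentation should state that non-root callers must now pass nosuid and nodev themselves, and the refusal path should ideally report why rather than a bare EPERM.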

>Which clearly doesn't include noexec.  Or does that get enforced somewhere
>else?

It's now in /usr/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:

        case KAUTH_REQ_SYSTEM_MOUNT_NEW:
                if (isroot)
                        result = KAUTH_RESULT_ALLOW;
                else if (dovfsusermount) {
                        struct vnode *vp = arg1;        /* mount point */
                        u_long flags = (u_long)arg2;    /* requested mnt flags */

                        /* non-root must ask for nodev and nosuid explicitly */
                        if (!(flags & MNT_NODEV) ||
                            !(flags & MNT_NOSUID))
                                break;

                        /* if the parent file system is noexec, so must this one be */
                        if ((vp->v_mount->mnt_flag & MNT_NOEXEC) &&
                            !(flags & MNT_NOEXEC))
                                break;

                        result = KAUTH_RESULT_ALLOW;
                }

This means that, instead of getting the flag silently added, you get EPERM
without explanation.

-s
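The two policies discussed in this thread side by side, as an added example that is not from NetBSD's source: the removed hunk's silent flag adjustment and the secmodel check that replaced it. The flag bit values and result codes are constructed stand-ins (assumption), and a request that falls through the new check without being allowed is modelled as a denial, which is what the reply reports as EPERM.

```c
#include <stdbool.h>
#include <errno.h>

/* Constructed stand-ins for the mount flags and kauth results named in
 * the thread; the numeric values are illustrative, not the kernel's. */
#define MNT_NOSUID 0x1UL
#define MNT_NODEV  0x2UL
#define MNT_NOEXEC 0x4UL

#define KAUTH_RESULT_ALLOW 0
#define KAUTH_RESULT_DENY  1

/* Old behaviour (the removed hunk): a non-root caller gets NOSUID and
 * NODEV added silently and the mount proceeds with the adjusted flags. */
unsigned long old_usermount_flags(unsigned int euid, unsigned long flags)
{
    if (euid != 0)
        flags |= MNT_NOSUID | MNT_NODEV;
    return flags;
}

/* New behaviour (secmodel_bsd44_suser.c, KAUTH_REQ_SYSTEM_MOUNT_NEW):
 * nothing is added for the caller.  A non-root caller must request
 * NOSUID and NODEV itself, and must also request NOEXEC when the
 * file system holding the mount point is already noexec; any request
 * that falls through without being allowed is treated as denied here. */
int new_usermount_check(unsigned int euid, bool dovfsusermount,
                        unsigned long parent_mnt_flag, unsigned long flags)
{
    if (euid == 0)
        return KAUTH_RESULT_ALLOW;            /* isroot */
    if (!dovfsusermount)
        return KAUTH_RESULT_DENY;             /* vfs.usermount=0 */
    if (!(flags & MNT_NODEV) || !(flags & MNT_NOSUID))
        return KAUTH_RESULT_DENY;             /* first break in the excerpt */
    if ((parent_mnt_flag & MNT_NOEXEC) && !(flags & MNT_NOEXEC))
        return KAUTH_RESULT_DENY;             /* second break in the excerpt */
    return KAUTH_RESULT_ALLOW;
}

/* What mount(2) ends up returning under the new check: 0 or EPERM. */
int new_usermount_errno(unsigned int euid, bool dovfsusermount,
                        unsigned long parent_mnt_flag, unsigned long flags)
{
    int r = new_usermount_check(euid, dovfsusermount, parent_mnt_flag, flags);
    return r == KAUTH_RESULT_ALLOW ? 0 : EPERM;
}
```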