Subject: Re: usermount semantics changed... Why?
To: Peter Seebach <seebs@seebs.net>
From: Antti Kantee <pooka@cs.hut.fi>
List: current-users
Date: 06/10/2007 20:34:56

On Sun Jun 10 2007 at 12:27:30 -0500, Peter Seebach wrote:
> >Which clearly doesn't include noexec.  Or does that get enforced somewhere
> >else?
> 
> It's now in /usr/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:
> 
>                 case KAUTH_REQ_SYSTEM_MOUNT_NEW:
>                         if (isroot)
>                                 result = KAUTH_RESULT_ALLOW;
>                         else if (dovfsusermount) {
>                                 struct vnode *vp = arg1;
>                                 u_long flags = (u_long)arg2;
> 
>                                 if (!(flags & MNT_NODEV) ||
>                                     !(flags & MNT_NOSUID))
>                                         break;
> 
>                                 if ((vp->v_mount->mnt_flag & MNT_NOEXEC) &&
>                                     !(flags & MNT_NOEXEC))
>                                         break;
> 
>                                 result = KAUTH_RESULT_ALLOW;
>                         }
> 
> This means that, instead of getting the flag silently added, you get EPERM
> without explanation.

That snippet looks like it requires MNT_NOEXEC only if you are mounting on
a file system which already has MNT_NOEXEC set in vp->v_mount->mnt_flags.
noexec is not generally required for user mounts.  My guess is it's to
prevent the user gaining access to an exec-worthy file system in case
e.g. /home is noexec.

-- 
Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
http://www.iki.fi/pooka/                          http://www.NetBSD.org/
    "la qualité la plus indispensable du cuisinier est l'exactitude"
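
The policy discussed in this message, as an added user-space example that is not code from the thread or from the NetBSD source: it reports which flags a non-root mount request still lacks, which is the explanation the bare EPERM does not give. The `EX_*` constants and both function names are hypothetical, and the example assumes the result defaults to deny when no branch allows the request.

```c
#include <stdio.h>

/* Illustrative flag bits for this example only (EX_ prefix so they are
 * not mistaken for the kernel's MNT_* definitions). */
#define EX_NOEXEC 0x1u
#define EX_NOSUID 0x2u
#define EX_NODEV  0x4u

/* Flags a non-root mount request still lacks under the quoted policy:
 * nodev and nosuid always, noexec only when the covered file system
 * (the one holding the mount point) is itself noexec. 0 means none. */
unsigned usermount_missing(unsigned requested, unsigned covered_fs_flags)
{
    unsigned required = EX_NODEV | EX_NOSUID;

    if (covered_fs_flags & EX_NOEXEC)
        required |= EX_NOEXEC;
    return required & ~requested;
}

/* 1 = allow, 0 = deny (assumed default; the caller would see EPERM). */
int usermount_allowed(int isroot, int usermount_enabled,
                      unsigned requested, unsigned covered_fs_flags)
{
    if (isroot)
        return 1;
    if (!usermount_enabled)
        return 0;
    return usermount_missing(requested, covered_fs_flags) == 0;
}

int main(void)
{
    /* Constructed case: user mounts with nodev,nosuid onto a noexec /home. */
    unsigned req = EX_NODEV | EX_NOSUID;
    unsigned missing = usermount_missing(req, EX_NOEXEC);

    printf("allowed=%d missing=%s%s%s\n",
           usermount_allowed(0, 1, req, EX_NOEXEC),
           (missing & EX_NODEV) ? "nodev " : "",
           (missing & EX_NOSUID) ? "nosuid " : "",
           (missing & EX_NOEXEC) ? "noexec" : "");
    return 0;
}
```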