Subject: Re: mount(2) on kauth(9)
To: YAMAMOTO Takashi <>
From: Elad Efrat <>
List: tech-kern
Date: 12/28/2006 18:48:56
YAMAMOTO Takashi wrote:
>> YAMAMOTO Takashi wrote:
>>>> +				/* Enforce 'nodev', 'nosuid', for non-root */
>>>> +				*flags |= MNT_NODEV | MNT_NOSUID;
>>> this kind of structure makes the order of listeners important.
>>> i'm not sure if it's a good idea.
>>> YAMAMOTO Takashi
>> I know. I've discussed it with blymn@ a bit, and the alternatives didn't
>> seem like they'd pass.
> what are alternatives?

I was thinking just plain denying the request if it didn't already have
nodev/nosuid; that'd mean that any time a non-root user is mounting he'd
have to pass these options though.

noexec retaining is a different issue that I'm not sure how to handle.

2nd alternative is what you suggest.

>> do you have any idea how this can be done otherwise?
>> -e.
> having additional kauth calls for these bits?

"can set suid/nodev"? also see above wrt/noexec on update.