Subject: Re: mount(2) on kauth(9)
To: None <tech-kern@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
Date: 12/28/2006 21:25:11
okay, I've given this a second thought.
the conditions according to which the 'flags' are modified are secmodel
internal. so we can't really do anything else than what we do now, at
least not without it being very ugly.
so what I suggest is that we just document that 'flags' is passed
exactly for this purpose -- so the secmodel can adjust it. I don't see
any case where this would matter, in practice.
Elad Efrat wrote:
> YAMAMOTO Takashi wrote:
>>> YAMAMOTO Takashi wrote:
>>>>> + /* Enforce 'nodev', 'nosuid', for non-root */
>>>>> + *flags |= MNT_NODEV | MNT_NOSUID;
>>>> this kind of structure makes the order of listeners important.
>>>> i'm not sure if it's a good idea.
>>>> YAMAMOTO Takashi
>>> I know. I've discussed it with blymn@ a bit, and the alternatives didn't
>>> seem like they'd pass.
>> what are alternatives?
> I was thinking just plain denying the request if it didn't already have
> nodev/nosuid; that'd mean that any time a non-root user is mounting he'd
> have to pass these options though.
> noexec retaining is a different issue that I'm not sure how to handle.
> 2nd alternative is what you suggest.
>>> do you have any idea how this can be done otherwise?
>> having additional kauth calls for these bits?
> "can set suid/nodev"? also see above wrt/noexec on update.