Subject: Re: normal user can bypass mount 'noexec' flags
To: None <tech-security@netbsd.org, bouyer@antioche.lip6.fr>
From: Wolfgang Solfrank <ws@tools.de>
List: tech-security
Date: 03/11/1999 17:36:35
Hi,

> 1- user mounts are always 'noexec' (they're already 'nodev,nosuid'), possibly
>    depending on the kernel security level

IMHO, this is far too restrictive.

> 2- user mounts inherit the noexec flag from the target directory's partition.
>    The mount has to be done on a directory owned by this user, which means
>    he can write to this partition. If he can execute a file copied to this
>    partition as well, there's no security compromise by allowing it to
>    execute a binary on the partition he mounted (unless I missed something).

... as he would be able to copy the directory tree to be mounted over to
the destination directory and be in (nearly) the same situation.

In theory, the program could do some hackery to determine its inode/location
on the partition and act upon it, which would be defeated by the copying
process, but I'm not sure whether we should support such gobbledygook.

Another option (more obvious to me at least) would be to inherit the noexec
attribute from the source.  One disadvantage I can see with this is that
the code for it would have to be in all the various loopback mounts (nullfs,
unionfs, ...) and cannot be placed in the filesystem independent code
before calling the fs-specific mount.

Ciao,
Wolfgang
-- 
ws@TooLs.DE     (Wolfgang Solfrank, TooLs GmbH) 	+49-228-985800
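An added illustration of option 2 as discussed above (inheriting noexec from the filesystem that already covers the target directory), not code from this thread or from the NetBSD kernel: the flag bits, the mount table and user_mount_flags are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed flag bits for this example; they play the role of the
 * kernel's noexec/nosuid/nodev mount flags but are not its definitions. */
#define F_NOEXEC 0x1u
#define F_NOSUID 0x2u
#define F_NODEV  0x4u

struct mnt { const char *path; unsigned flags; };

/* Constructed mount table: root allows exec, /home and /tmp are noexec. */
static const struct mnt table[] = {
    { "/",     0 },
    { "/home", F_NOEXEC | F_NOSUID },
    { "/tmp",  F_NOEXEC | F_NODEV },
};

/* Longest-prefix match on whole path components, so "/homebrew" is covered
 * by "/" and not by "/home".  Returns NULL if no entry covers dir. */
static const struct mnt *covering_mount(const char *dir)
{
    const struct mnt *best = NULL;
    size_t bestlen = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const char *mp = table[i].path;
        size_t n = strlen(mp);
        int match;
        if (strcmp(mp, "/") == 0)
            match = dir[0] == '/';
        else
            match = strncmp(dir, mp, n) == 0 &&
                    (dir[n] == '/' || dir[n] == '\0');
        if (match && n >= bestlen) { best = &table[i]; bestlen = n; }
    }
    return best;
}

/* Effective flags for a user mount on dir: nodev,nosuid are always forced,
 * and noexec is inherited from the filesystem the mount point lives on. */
unsigned user_mount_flags(const char *dir, unsigned requested)
{
    unsigned flags = requested | F_NOSUID | F_NODEV;
    const struct mnt *m = covering_mount(dir);
    if (m != NULL && (m->flags & F_NOEXEC))
        flags |= F_NOEXEC;
    return flags;
}

int main(void)
{
    const char *dirs[] = { "/home/alice/mnt", "/usr/local/mnt", "/homebrew" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> flags 0x%x\n", dirs[i], user_mount_flags(dirs[i], 0));
    return 0;
}
```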