> This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
> flags when mounting devtmpfs.
So does a mount syscall
> In-kernel separation of executable and non-executable code combined
> with a proper executability policy is a basic technique to prote
On 2012-11-20 Tuesday at 13:50 -0800 Kees Cook wrote:
> Since devtmpfs is writable, make the default noexec,nosuid as well. This
> protects from the case of a privileged process having an arbitrary file
> write flaw and an argumentless arbitrary execution (i.e. it would lack
> the ability to run "m
> I'm not trying to say it's a magic cure-all. This feature is just for
> trying to build a system that follows security best-practices: nothing
If you want to talk about security practices then please do so rather
than using it as a magic label for cluelessness.
> I don't need a specific example
On Tue, Nov 20, 2012 at 4:05 PM, Alan Cox wrote:
>> +config DEVTMPFS_SAFE
>> + bool "Use nosuid,noexec mount options on devtmpfs"
>> + depends on DEVTMPFS
>> + help
>> + This instructs the kernel to include the MS_NOEXEC and
>> + MS_NOSUID mount flags when mounting devtmpfs
> +config DEVTMPFS_SAFE
> + bool "Use nosuid,noexec mount options on devtmpfs"
> + depends on DEVTMPFS
> + help
> + This instructs the kernel to include the MS_NOEXEC and
> + MS_NOSUID mount flags when mounting devtmpfs. This prevents
> + certain kinds of code-executio
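Review bot: The symbol name on the `+config DEVTMPFS_SAFE` line does not say what the option changes, and "safe" promises more than two mount flags can deliver. A name that matches the prompt text, for example DEVTMPFS_NOEXEC_NOSUID (a suggested name, not one taken from the patch), would tell someone reading a .config that only MS_NOEXEC and MS_NOSUID on the devtmpfs mount are affected. The help text is cut off in this quote, so it is not visible whether it does so, but it should also state what stops working with the option enabled, so the trade-off can be judged from the Kconfig entry alone.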
Since devtmpfs is writable, make the default noexec,nosuid as well. This
protects from the case of a privileged process having an arbitrary file
write flaw and an argumentless arbitrary execution (i.e. it would lack
the ability to run "mount -o remount,exec,suid /dev").
Rather than relying on user