On Tue, Nov 20, 2012 at 4:13 PM, Kay Sievers <k...@vrfy.org> wrote: > On Tue, Nov 20, 2012 at 9:42 PM, Kees Cook <keesc...@chromium.org> wrote: >> Since devtmpfs is writable, make the default noexec,nosuid as well. This >> protects from the case of a privileged process having an arbitrary file >> write flaw and an argumentless arbitrary execution (i.e. it would lack >> the ability to run "mount -o remount,exec,suid /dev"). > > This only really applies to systems without an initramfs when the > kernel mounts /dev over the rootfs it has mounted; with an initramfs, > /dev is always mounted by user code. > > Just checking, that is the use case you are doing that for?
Correct. We're using this in Chrome OS, which does not use an initramfs. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
