Stuart Henderson writes:
> I think you'd need to disable mount completely, otherwise you can mount
> a new writable filesystem (e.g. MFS) that doesn't have noexec.

Yeah, I completely missed that vector. And really, that makes more sense. How often do you live mount filesystems on a firewall? Anyway, I'm going to go ahead and code this up so I can try it on a running production firewall. I'll add in a sysctl to control if securelevel=2 mounts are allowed at all.

--lyndon
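A defender-side check that follows from Stuart's point, added here as an example and not code from the thread: it parses mount(8)-style output and lists every mount that is writable and lacks noexec, so a freshly mounted MFS that sidesteps the noexec policy shows up in an audit. The line format and the sample lines are constructed assumptions, and the root filesystem is skipped because it is always executable.

```python
import re

# Constructed sample in the "<dev> on <mnt> type <fs> (<opts>)" shape of
# OpenBSD mount(8) output; not captured from any real host.
SAMPLE_MOUNT_OUTPUT = """\
/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid, noexec)
/dev/sd0e on /usr type ffs (local, nodev, read-only)
mfs:23456 on /mnt/scratch type mfs (asynchronous, local, nodev, nosuid, size=65536)
"""

MOUNT_RE = re.compile(
    r"^(?P<dev>\S+) on (?P<mnt>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$"
)


def parse_mounts(text):
    """Turn mount(8)-style lines into dicts; the option list becomes a set."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a mount line
        opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
        mounts.append(
            {"dev": m.group("dev"), "mnt": m.group("mnt"),
             "fs": m.group("fs"), "opts": opts}
        )
    return mounts


def writable_exec_mounts(mounts, skip=("/",)):
    """Return (mountpoint, fstype) for every mount that is both writable
    (no read-only flag) and executable (no noexec flag).  These are the
    places where a noexec policy on the other filesystems buys nothing."""
    findings = []
    for mt in mounts:
        if mt["mnt"] in skip:
            continue  # root is always rw+exec; nothing to report there
        if "read-only" in mt["opts"] or "noexec" in mt["opts"]:
            continue
        findings.append((mt["mnt"], mt["fs"]))
    return findings


if __name__ == "__main__":
    for mnt, fs in writable_exec_mounts(parse_mounts(SAMPLE_MOUNT_OUTPUT)):
        print(f"writable+exec mount without noexec: {mnt} ({fs})")
```

On a live host the same functions can be fed the output of `mount` directly; a result that lists an mfs entry is exactly the case Stuart describes.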