While the kernel can create files that ignore the mount options, I believe that the behaviour is consistent with the rest of the vfs - that is, a /proc mounted noexec will not allow files to be executed, even if the kernel has created them with the execute bit. Having a noexec/nosuid /proc was an acceptable workaround for one of the more recent Linux kernel vulnerabilities, so there's a chance that it'll help avoid future attacks.
The /dev case is more subtle. Vbetool mmaps /dev/zero, so is probably what's getting upset there.

--
Matthew Garrett | [EMAIL PROTECTED]

--
Virtual filesystem mounts could use more restrictive mount options
https://launchpad.net/bugs/54530

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
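As an added example (not from the bug thread, and not Ubuntu's own tooling), here is a POSIX shell audit that reads a /proc/mounts-style table and reports virtual filesystems that lack the restrictive options discussed above. The sample mount table is constructed, and the policy it encodes is my assumption: nosuid, noexec and nodev on /proc (plus /sys and /dev/shm, which the thread does not mention), but only nosuid required on /dev, with a missing noexec on /dev reported as a warning rather than a failure because of the vbetool point made in the message.

```shell
#!/bin/sh
# Added example: audit a mount table for virtual filesystems missing
# nosuid/noexec/nodev. Policy and sample data below are assumptions.

# Constructed /proc/mounts-style sample, not captured from a real host.
SAMPLE_MOUNTS='proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=8k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read a mount table on stdin, print one FAIL/WARN line per finding.
# /proc, /sys, /dev/shm: require nosuid, noexec, nodev (assumed policy).
# /dev: require nosuid; noexec only warns, since vbetool mmaps /dev/zero and
# a noexec /dev is the "more subtle" case in the thread.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /proc|/sys|/dev/shm)
                for o in nosuid noexec nodev; do
                    has_opt "$opts" "$o" || echo "FAIL $mnt ($fstype) missing $o"
                done ;;
            /dev)
                has_opt "$opts" nosuid || echo "FAIL $mnt ($fstype) missing nosuid"
                has_opt "$opts" noexec || echo "WARN $mnt ($fstype) lacks noexec (vbetool mmaps /dev/zero)"
                ;;
        esac
    done
}

# count_failures TABLE: number of FAIL findings for the given table text.
count_failures() {
    printf '%s\n' "$1" | audit_mounts | grep -c '^FAIL' || true
}

# remount_command MOUNTPOINT: the remount that applies the full option set.
remount_command() {
    echo "mount -o remount,nosuid,noexec,nodev $1"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On a live system, `audit_mounts < /proc/mounts` runs the same check against the real mount table; the remount command only changes the running system, so a persistent fix also needs the options added to the corresponding /etc/fstab entries.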