Red Hat Bugzilla – Bug 1252859
[RFE] pam_namespace doesn't support generic mount options in mntopts=
Last modified: 2017-09-08 07:56:20 EDT
Description of problem:
The mntopts= option in /etc/security/namespace.conf supports only tmpfs-specific options like size, but not generic options like noexec/nosuid/etc.
When I try
/dev/shm /dev/shm tmpfs:mntopts=noexec,nodev,nosuid root,adm
I get (on login)
[79105.989458] tmpfs: No value for mount option 'noexec'
which comes from linux/mm/shmem.c - if you look inside, specifically at shmem_parse_options(), you'll see that each option needs to have `=' and that the error is a result of this tmpfs-specific parser being used instead of the generic one.
Obviously, specifying mntopts=noexec=1 doesn't work,
[79255.286900] tmpfs: Bad mount option noexec
This bug is probably caused by pam_namespace passing the options directly as "void* data" to mount(2), which goes straight to the fs-specific option parser. Would it be possible to recognize (like mount(1)) some generic mount options (especially noexec/nodev/nosuid) and pass them as MS_* via 'mountflags' to mount(2)?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
(see namespace.conf line above - simply define a tmpfs mapping with generic mount options and try logging in)
Actual results:
pam_namespace cannot be used with generic mount options
Expected results:
pam_namespace honors generic mount options (see man 2 mount for MS_*)
We can think about it for the future. But it should be upstreamed first. Also I am really hesitant about duplicating the full mount(1) mount option parser in pam_namespace.
Also I do not think this is RHEL-7.2 material.