Bug 1252859 - [RFE] pam_namespace doesn't support generic mount options in mntopts=
[RFE] pam_namespace doesn't support generic mount options in mntopts=
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam (Show other bugs)
7.1
All Linux
medium Severity medium
: rc
: ---
Assigned To: Tomas Mraz
Jiri Jaburek
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-12 07:47 EDT by Jiri Jaburek
Modified: 2017-09-08 07:56 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jiri Jaburek 2015-08-12 07:47:48 EDT
Description of problem:

The mntopts= option in /etc/security/namespace.conf supports only tmpfs-specific options like size, but not generic options like noexec/nosuid/etc.

When I try

/dev/shm /dev/shm     tmpfs:mntopts=noexec,nodev,nosuid     root,adm

I get (on login)

[79105.989458] tmpfs: No value for mount option 'noexec'

which comes from linux/mm/shmem.c - if you look inside, specifically at shmem_parse_options(), you'll see that each option needs to have `=' and that the error is a result of this tmpfs-specific parser being used instead of the generic one.

Obviously, specifying mntopts=noexec=1 doesn't work,

[79255.286900] tmpfs: Bad mount option noexec


This bug is probably caused by pam_namespace passing the options directly as "void* data" to mount(2), which goes straight to the fs-specific option parser. Would it be possible to recognize (like mount(1)) some generic mount options (especially noexec/nodev/nosuid) and pass them as MS_* via 'mountflags' to mount(2)?


Version-Release number of selected component (if applicable):
pam-1.1.8-12.el7

How reproducible:
always

Steps to Reproduce:
(see namespace.conf line above - simply define a tmpfs mapping with generic mount options and try logging in)

Actual results:
pam_namespace cannot be used with generic mount options

Expected results:
pam_namespace honors generic mount options (see man 2 mount for MS_*)

Additional info:
Comment 2 Tomas Mraz 2015-08-12 07:59:45 EDT
We can think about it for future. But it should be upstreamed first. Also I am really hesitant duplicating the full mount(1) mount option parser in pam_namespace.

Also I do not think this is RHEL-7.2 material.

Note You need to log in before you can comment on or make changes to this bug.