On 01/25/2014 12:15 PM, Chris Murphy wrote:
OK, so is the fact it's persistently available the problem? Because
if I were to have a persistent backup of sysroot mounted, I've got
the same attack vector available. By default, even for an unprivileged
user, gnome-shell mounts volumes with
rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2.
Right, it's having a persistent and usable copy of a vulnerability.
So another possibility is to have a "snapshots" subvolume
persistently mounted, with noexec, and always place snapshots in that
subvolume.
That sounds good -- even might be just nosuid on that.
Josh
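
The mount-option idea from this thread, as an added example that is not code from either poster: flags such as nosuid and noexec apply per mount, so the check below reports every mount of the snapshots subvolume that lacks them. The `/snapshots` subvolume name, the device names and the sample mount table are constructed assumptions.

```python
import re

# Constructed sample in the six-field mount-table format of /proc/self/mounts.
# The same subvolume is mounted twice; only one mount carries the flags.
SAMPLE_MOUNTS = """\
/dev/sda2 / btrfs rw,relatime,seclabel,subvol=/root 0 0
/dev/sda2 /snapshots btrfs rw,nosuid,noexec,relatime,seclabel,subvol=/snapshots 0 0
/dev/sda2 /mnt/old\\040snapshots btrfs rw,relatime,seclabel,subvol=/snapshots 0 0
/dev/sdb1 /run/media/user/backup ext4 rw,nosuid,nodev,relatime,seclabel 0 0
"""


def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in mount tables."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_options(opts):
    """Turn 'rw,nosuid,subvol=/x' into {'rw': '', 'nosuid': '', 'subvol': '/x'}."""
    parsed = {}
    for opt in opts.split(","):
        key, _, value = opt.partition("=")
        parsed[key] = value
    return parsed


def audit_snapshot_mounts(text, subvol="/snapshots", required=("nosuid", "noexec")):
    """Return {mount point: [missing flags]} for each mount of the given subvolume."""
    findings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        opts = parse_options(fields[3])
        # Compare subvolume names without the leading slash some kernels print.
        if opts.get("subvol", "").lstrip("/") != subvol.lstrip("/"):
            continue
        findings[unescape(fields[1])] = [f for f in required if f not in opts]
    return findings


if __name__ == "__main__":
    for mountpoint, missing in audit_snapshot_mounts(SAMPLE_MOUNTS).items():
        print(f"{mountpoint!r}: {'missing ' + ','.join(missing) if missing else 'ok'}")
```

Passing `required=("nosuid",)` checks the weaker nosuid-only variant suggested in the last reply.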