noexec on /dev/shm
Bill Nottingham
notting at redhat.com
Tue Dec 14 17:08:42 UTC 2010
Marcela Mašláňová (mmaslano at redhat.com) said:
> >>> That's not a very constructive wording. Filing a bug showing your use-case
> >>> would be helpful.
I'd like to restate this point. It's rather disappointing that so many
people have decided to skip over this, and prefer to instead complain,
insinuate, and argue on list rather than starting with this simple,
more likely to be productive, action.
> The problem is not the technical solution. Problem is that changes of
> such important thing like /etc/fstab are decided without Fedora developers.
Eh, what? It's a change to how API filesystems (/proc, /sys, etc.) get
mounted. When this was done in rc.sysinit, every change to how it mounted
/proc wasn't discussed on the devel list. When we switched to having dracut
be the primary way that API filesystems are mounted, that wasn't put up
to a FESCo vote.
And it's also not fair to say that 'Fedora developers' aren't involved;
heck, there's at least 10 of them on the systemd mailing list, by a quick
count. If you mean, "it wasn't posted to devel@, or it wasn't brought to
FESCo", well, we don't review every change to upstream packages in this
way... if we did, we'd be drowned in minutiae. I mean, I could have brought
the addition on how to add multiple IPv4 addresses to interfaces to FESCo
for discussion and vote, but I've got better things to do with my time.
In any case, I'm pretty sure it's not even intentional. systemd has
two areas of mounting:
- systemd mounts API filesystems without them needing to be in
/etc/fstab. This is for a variety of reasons - having every system
installer have to write /proc, /sys, and so on is pretty wasteful. It
also can give inexperienced admins the idea that it's configuration
that can be changed - they then rename the mount point from /proc
to /processes and *kaboom*.
- systemd mounts system filesystems from /etc/fstab. This includes
mount options, etc., and (I'd think) would be fairly uncontroversial.
The first of these happens before the second (as you obviously need
/proc, /sys, etc. very early), however systemd already has
/lib/systemd/system/systemd-remount-api-vfs.service:
...
[Unit]
Description=Remount API VFS
...
ExecStart=/lib/systemd/systemd-remount-api-vfs
...
And if you look at that code:
/* Goes through /etc/fstab and remounts all API file systems, applying
* options that are in /etc/fstab that systemd might not have
* respected */
So, it just looks like an ordinary bug. File it, we can get it fixed,
and we can all live happily ever after.
Bill
More information about the devel
mailing list