Add "NOEXEC" mount flag for /run

Mount flags(nosuid, noexec, nodev) must be set for tmpfs that any app can access.

Change-Id: Ib60e8876abe2641a3dde6caab83a60afca017375
Signed-off-by: Yunmi Ha <yunmi.ha@samsung.com>

diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index e88b1df..4752b0d 100644 (file)
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -91,12 +91,12 @@ static const MountPoint mount_table[] = {
         { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
           NULL,          MNT_IN_CONTAINER           },
 #ifdef HAVE_SMACK
-        { "tmpfs",      "/run",                       "tmpfs",      "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",      "/run",                       "tmpfs",      "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME|MS_NOEXEC,
           mac_smack_use,  MNT_FATAL },
         { "tmpfs",      "/sys/fs/cgroup",             "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
           mac_smack_use,  MNT_IN_CONTAINER },
 #else
-        { "tmpfs",       "/run",                      "tmpfs",      "mode=755",                MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+        { "tmpfs",       "/run",                      "tmpfs",      "mode=755",                MS_NOSUID|MS_NODEV|MS_STRICTATIME|MS_NOEXEC,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
         { "cgroup",      "/sys/fs/cgroup",            "cgroup2",    NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
           cg_is_unified_wanted, MNT_FATAL|MNT_IN_CONTAINER },