whyno mount check
layer 1: checks mount options — read-only blocks writes, noexec blocks execution
components
- process check_mount(state)
checks mount options: read-only blocks writes, noexec blocks execution
statvfs(), fs/namespace.c
- decision resolve target component
determines which path component in the walk is the check target
- degraded degraded: can't determine target
walk array too short to identify the target path component
- decision mount entry found?
checks whether /proc/self/mountinfo has an entry for the filesystem holding the target (matched on the device's major:minor); with bind mounts several entries share one device and can carry different per-mount flags (a ro bind mount of a rw filesystem is common), so the entry whose mount point is the longest prefix of the resolved path is the one whose flags apply
- degraded degraded: no mount info
no mountinfo entry found for the target filesystem
- decision operation type?
branches on the requested operation to decide which mount flag matters: write, delete, create and other metadata-modifying ops are blocked by ro, exec by noexec; read and stat are blocked by neither
- pass pass: always allowed
read and stat are never blocked by mount options
- decision read_only?
checks if the filesystem is mounted with the ro flag
- fail fail: filesystem mounted ro
write, delete, or create blocked by read-only mount
- pass pass: mount is rw
filesystem is mounted read-write, mount layer does not block
- decision noexec?
checks if the filesystem is mounted with the noexec flag
- fail fail: filesystem mounted noexec
execution blocked by noexec mount flag; note that noexec refuses execve() of the file and PROT_EXEC mappings of it, not reading it, so handing the file to an interpreter (sh script.sh, python script.py) still runs its contents
- decision nosuid and target has suid/sgid?
on a nosuid mount the kernel ignores suid/sgid bits (and file capabilities) at exec, so the program runs without elevation; this warns but does not fail
- pass pass with warning: nosuid strips suid/sgid at exec
mount allows exec but nosuid strips suid/sgid elevation — advisory warning emitted
- pass pass: mount allows exec
filesystem allows execution with no caveats, mount layer does not block
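The decision tree above, written out as runnable code. This is an added example, not whyno's own implementation: it parses /proc/self/mountinfo, picks the entry by longest mount-point prefix (so a ro bind mount of a rw device is reported correctly), and returns the pass / pass-with-warning / fail / degraded outcomes listed above. The mountinfo text is a constructed sample, the function and status names are assumptions, and the target's mode bits are passed in rather than stat()ed so the block runs offline.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Optional

# Constructed sample of /proc/self/mountinfo (not captured from a real host).
# Fields: id parent major:minor root mountpoint mount-options [optional...] - fstype source super-options
# Line 55 is a ro bind mount of a directory on the rw root device 8:1.
SAMPLE_MOUNTINFO = r"""
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 24 0:25 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
41 24 8:33 / /home rw,nosuid,relatime - ext4 /dev/sdc1 rw
55 24 8:1 /srv/data /mnt/data-ro ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
60 24 8:17 / /mnt/with\040space rw,relatime - ext4 /dev/sdb1 rw
"""

READ_OPS = {"read", "stat"}
WRITE_OPS = {"write", "delete", "create", "rename", "chmod", "chown"}
EXEC_OPS = {"exec"}


@dataclass
class Mount:
    mount_point: str
    device: str          # major:minor
    options: set         # per-mount flags (field 6): ro, nosuid, noexec, ...
    super_options: set   # filesystem-wide flags (last field)


@dataclass
class Verdict:
    status: str          # "pass", "pass_warning", "fail" or "degraded"
    reason: str
    mount_point: Optional[str] = None


def _unescape(s: str) -> str:
    # mountinfo encodes space/tab/newline/backslash as octal escapes, e.g. \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text: str) -> list:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")   # " - " separates the two halves
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 3:
            continue                               # malformed line: skip it
        mounts.append(Mount(mount_point=_unescape(lf[4]), device=lf[2],
                            options=set(lf[5].split(",")),
                            super_options=set(rf[2].split(","))))
    return mounts


def find_mount(mounts: list, path: str) -> Optional[Mount]:
    # Longest mount-point prefix wins; matching on device alone would confuse
    # bind mounts that share a device but carry different per-mount flags.
    best = None
    for m in mounts:
        mp = m.mount_point
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best.mount_point):
                best = m
    return best


def check_mount(path: str, op: str, mode: int = 0, mountinfo_text: Optional[str] = None) -> Verdict:
    """Layer 1 verdict for `op` on `path`; `mode` is the target's st_mode (used for exec)."""
    if not os.path.isabs(path):
        return Verdict("degraded", "can't determine target: path is not absolute")
    # A real tool would realpath() the walk result; normpath keeps this offline-deterministic.
    path = os.path.normpath(path)
    if mountinfo_text is None:
        with open("/proc/self/mountinfo") as f:
            mountinfo_text = f.read()
    mount = find_mount(parse_mountinfo(mountinfo_text), path)
    if mount is None:
        return Verdict("degraded", "no mount info for target filesystem")
    mp = mount.mount_point
    flags = mount.options | mount.super_options   # a flag set at either level applies
    if op in READ_OPS:
        return Verdict("pass", "read and stat are never blocked by mount options", mp)
    if op in WRITE_OPS:
        if "ro" in flags:
            return Verdict("fail", f"{op} blocked: filesystem mounted ro at {mp}", mp)
        return Verdict("pass", f"mount at {mp} is rw", mp)
    if op in EXEC_OPS:
        if "noexec" in flags:
            return Verdict("fail", f"execution blocked by noexec mount at {mp}", mp)
        if "nosuid" in flags and mode & (stat.S_ISUID | stat.S_ISGID):
            return Verdict("pass_warning", f"exec allowed, but nosuid mount at {mp} ignores suid/sgid bits", mp)
        return Verdict("pass", f"mount at {mp} allows exec", mp)
    return Verdict("degraded", f"unknown operation type {op!r}")


if __name__ == "__main__":
    for p, o, m in [("/etc/passwd", "read", 0), ("/tmp/x.sh", "exec", 0o755),
                    ("/mnt/data-ro/f", "write", 0), ("/home/u/tool", "exec", 0o4755)]:
        print(p, o, check_mount(p, o, mode=m, mountinfo_text=SAMPLE_MOUNTINFO))
```

Run without the mountinfo_text argument to check a path on the live host; the flags checked are the same ones statvfs() reports in f_flag (ST_RDONLY, ST_NOSUID, ST_NOEXEC), but reading mountinfo also tells you which mount point produced the verdict.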