| author | 2020-09-14 14:43:13 +0000 |
|---|---|
| committer | 2020-09-14 14:43:13 +0000 |
| commit | 0a0d7ac4dfb968623be53fdf206413eca1ce8a24 (patch) |
| tree | c2d17af7cfbba2b3db68f427cb13224f50be1fc6 |
| parent | simplify RETURN VALUES for x509_verify(3) after beck@ made the rules (diff) |
| download | wireguard-openbsd-0a0d7ac4dfb968623be53fdf206413eca1ce8a24.tar.xz wireguard-openbsd-0a0d7ac4dfb968623be53fdf206413eca1ce8a24.zip |
Do not bother scanning file systems that are both nodev and nosuid
for SUID, SGID, and device files, implementing an idea that deraadt@
came up with based on a somewhat similar idea from millert@ after
a loosely related comment from Rupert Gallagher on misc@.
While here, minimally simplify the way mount options are parsed,
hoping to make the parsing more readable and also more robust.
OK millert@ deraadt@
| -rw-r--r-- | libexec/security/security | 7 |
|---|---|---|

1 files changed, 4 insertions, 3 deletions
diff --git a/libexec/security/security b/libexec/security/security index 2a037d54d98..cf6dfd7822d 100644 --- a/libexec/security/security +++ b/libexec/security/security @@ -1,6 +1,6 @@ #!/usr/bin/perl -T -# $OpenBSD: security,v 1.38 2016/12/27 09:17:52 jca Exp $ +# $OpenBSD: security,v 1.39 2020/09/14 14:43:13 schwarze Exp $ # # Copyright (c) 2011, 2012, 2014, 2015 Ingo Schwarze <schwarze@openbsd.org> # Copyright (c) 2011 Andrew Fresh <andrew@afresh1.com> @@ -540,9 +540,10 @@ sub find_special_files { "cannot spawn mount: $!" and return; while (<$fh>) { - my ($path, $type) = /\son\s+(.*?)\s+type\s+(\w+)/; + my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)(.*)/; $skip{$path} = 1 if $path && - ($type =~ /^(?:a|nnp|proc)fs$/ || !/\(.*local.*\)/); + ($type =~ /^(?:a|nnp|proc)fs$/ || $opt !~ /local/ || + ($opt =~ /nodev/ && $opt =~ /nosuid/)); } close_or_nag $fh, "mount" or return; |
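Review bot: in the find_special_files hunk, the new `$opt !~ /local/`, `$opt =~ /nodev/` and `$opt =~ /nosuid/` tests are unanchored substring matches over everything captured by `(.*)` after the type field, so they would also fire on any future mount option whose name merely contains one of those strings; tokenizing the option list once, e.g. `my %o = map { $_ => 1 } split /[\s,()]+/, $opt;`, and then testing `$o{local}`, `$o{nodev} && $o{nosuid}` would make the intent explicit and keep the check robust as mount(8) output grows. The logic as written otherwise holds: when the regex does not match, `$path` is undef and the `$path &&` guard short-circuits before `$opt` is examined, and a line with an empty option list is still skipped because `!~ /local/` is true, which matches the old `!/\(.*local.*\)/` behaviour.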