diff --git a/Kernel/FileSystem/VirtualFileSystem.cpp b/Kernel/FileSystem/VirtualFileSystem.cpp
index a0103bc3045..ccdf1931829 100644
--- a/Kernel/FileSystem/VirtualFileSystem.cpp
+++ b/Kernel/FileSystem/VirtualFileSystem.cpp
@@ -216,11 +216,13 @@ KResultOr> VFS::open(StringView path, int options
 should_truncate_file = options & O_TRUNC;
 }
 if (options & O_EXEC) {
- if (!metadata.may_execute(current->process()))
+ if (!metadata.may_execute(current->process()) || (custody.mount_flags() & MS_NOEXEC))
 return KResult(-EACCES);
 }
 if (metadata.is_device()) {
+ if (custody.mount_flags() & MS_NODEV)
+ return KResult(-EACCES);
 auto device = Device::get_device(metadata.major_device, metadata.minor_device);
 if (device == nullptr) {
 return KResult(-ENODEV);
diff --git a/Kernel/FileSystem/VirtualFileSystem.h b/Kernel/FileSystem/VirtualFileSystem.h
index 13f7b7803f0..1a7f5809972 100644
--- a/Kernel/FileSystem/VirtualFileSystem.h
+++ b/Kernel/FileSystem/VirtualFileSystem.h
@@ -28,6 +28,11 @@
 #define O_DIRECT 04000000
 #define O_NOFOLLOW_NOERROR 0x4000000
+#define MS_NODEV 1
+#define MS_NOEXEC 2
+#define MS_NOSUID 4
+#define MS_BIND 8
+
 class Custody;
 class Device;
 class FileDescription;
diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index 74dc5811384..81e382e86e8 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -750,10 +750,12 @@ int Process::do_exec(String path, Vector arguments, Vector envir
 // Copy of the master TLS region that we will clone for new threads
 m_master_tls_region = master_tls_region;
- if (metadata.is_setuid())
- m_euid = metadata.uid;
- if (metadata.is_setgid())
- m_egid = metadata.gid;
+ if (!(description->custody()->mount_flags() & MS_NOSUID)) {
+ if (metadata.is_setuid())
+ m_euid = metadata.uid;
+ if (metadata.is_setgid())
+ m_egid = metadata.gid;
+ }
 current->set_default_signal_dispositions();
 current->m_signal_mask = 0;
diff --git a/Libraries/LibC/unistd.h b/Libraries/LibC/unistd.h
index bfecbbfbdf3..1fd5b870b5b 100644
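Review bot: In the Kernel/FileSystem/VirtualFileSystem.cpp hunk, the MS_NOEXEC test sits inside the `if (options & O_EXEC)` branch of VFS::open, so noexec is enforced only for callers that pass O_EXEC; whether every kernel path that executes or maps file contents as code opens with that flag is not visible here and should be confirmed. Both new checks also assume `custody.mount_flags()` describes the mount holding the finally resolved file, not the directory where the lookup started. A comment above the device check would record that, for example `// Mount policy: nodev/noexec come from the mount holding the resolved custody, not from file metadata.` VFS::open begins and ends outside the hunk.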
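Review bot: The four MS_* values added in the Kernel/FileSystem/VirtualFileSystem.h hunk are repeated verbatim in the Libraries/LibC/unistd.h hunk, and nothing ties the two copies together. If one side is ever renumbered, userspace would request one restriction while the kernel enforces another, with no build error. I would add `// Must match the MS_* values in Libraries/LibC/unistd.h (mount flag ABI).` above the kernel block and the mirror comment in unistd.h. MS_BIND is defined but not used by any hunk visible here, so a one-line comment on its intended meaning would help.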
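Review bot: In the Kernel/Process.cpp hunk, the new condition dereferences `description->custody()` without a null check. If custody() can return null for any description that reaches do_exec (not visible in this hunk), the MS_NOSUID test becomes a kernel null dereference on the exec path. Failing closed would be safer, for example `if (description->custody() && !(description->custody()->mount_flags() & MS_NOSUID)) {`, so a missing custody never grants setuid/setgid. A comment such as `// nosuid mounts: ignore setuid/setgid bits and keep the caller's effective ids.` would document the intent. do_exec begins and ends outside the hunk.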
--- a/Libraries/LibC/unistd.h
+++ b/Libraries/LibC/unistd.h
@@ -128,6 +128,11 @@ enum {
 #define X_OK 1
 #define F_OK 0
+#define MS_NODEV 1
+#define MS_NOEXEC 2
+#define MS_NOSUID 4
+#define MS_BIND 8
+
 /*
 * We aren't fully compliant (don't support policies, and don't have a wide
 * range of values), but we do have process priorities.