cryptohome: Apply noexec/nosuid to user homes.
Platform::Bind() appears to make bind mounts with some
restrictive options (noexec/nosuid/nodev) enabled, but those
options are actually ignored by mount(2) when a new bind-mount
is created. Instead, we have to call mount(2) again to remount
the bind mount with additional options.
This causes user home directories to be mounted without those
restrictive options when dircrypto is enabled.
BUG=b:37446789
TEST=Manually login and verify /home/chronos/user is mounted
with noexec/nosuid/nodev.
TEST=test_that caroline cheets_FileSystemPermissions
TEST=test_that caroline platform_CryptohomeMount
TEST=test_that caroline platform_FilePerms
Change-Id: I385f957412fcdb637f6b454e54550f216328b4e3
Reviewed-on: https://chromium-review.googlesource.com/479473
Commit-Ready: Shuhei Takahashi <nya@chromium.org>
Tested-by: Shuhei Takahashi <nya@chromium.org>
Reviewed-by: Ryo Hashimoto <hashimoto@chromium.org>
(cherry picked from commit 0df0cdd6d2cdecb994485ea4b783c341457d9914)
Reviewed-on: https://chromium-review.googlesource.com/481520
Reviewed-by: Shuhei Takahashi <nya@chromium.org>
Commit-Queue: Shuhei Takahashi <nya@chromium.org>
1 file changed
