From 88409e983c463b6d9c8085e7fdbe7ff45b3c5184 Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Thu, 4 Apr 2019 17:42:51 -0700
Subject: gvisor: Add support for the MS_NOEXEC mount option
https://github.com/google/gvisor/issues/145
PiperOrigin-RevId: 242044115
Change-Id: I8f140fe05e32ecd438b6be218e224e4b7fe05878
---
 pkg/sentry/syscalls/linux/sys_mount.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 (limited to 'pkg/sentry/syscalls/linux')
diff --git a/pkg/sentry/syscalls/linux/sys_mount.go b/pkg/sentry/syscalls/linux/sys_mount.go
index 6b8d75d24..e110a553f 100644
--- a/pkg/sentry/syscalls/linux/sys_mount.go
+++ b/pkg/sentry/syscalls/linux/sys_mount.go
@@ -75,7 +75,7 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
 // Silently allow MS_NOSUID, since we don't implement set-id bits
 // anyway.
- const unsupportedFlags = linux.MS_NODEV | linux.MS_NOEXEC |
+ const unsupportedFlags = linux.MS_NODEV |
 linux.MS_NODIRATIME | linux.MS_STRICTATIME
 // Linux just allows passing any flags to mount(2) - it won't fail when
@@ -100,6 +100,9 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
 if flags&linux.MS_RDONLY == linux.MS_RDONLY {
 superFlags.ReadOnly = true
 }
+ if flags&linux.MS_NOEXEC == linux.MS_NOEXEC {
+ superFlags.NoExec = true
+ }
 rootInode, err := rsys.Mount(t, sourcePath, superFlags, data, nil)
 if err != nil {
--
cgit v1.2.3
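Review bot: In the second hunk (`@@ -100,6 +100,9 @@`), `superFlags.NoExec = true` only records the option; nothing visible here shows where it is enforced, and this view is limited to `pkg/sentry/syscalls/linux`. Because the first hunk stops rejecting `MS_NOEXEC`, a caller that previously got an error now gets a successful mount and will rely on the restriction, so the exec path (and, as on Linux, `PROT_EXEC` file mappings) should be confirmed to check it. I would add a comment on the new branch such as `// NoExec must be honoured by execve and executable mmap; see <enforcement site>.` and a syscall test asserting that executing a file from a noexec mount fails with `EACCES`. Mount's body starts and ends outside both hunks.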