From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: Skip fuse FS by /usr/libexec/security
To: OpenBSD tech <tech@openbsd.org>
Date: Wed, 01 May 2024 18:00:24 +0200

Anyone?

"Kirill A. Korinsky" <kirill@korins.ky> wrote:
> 
> Greetings,
> 
> With this diff security(8) skips not only non-local filesystem but also
> filesystem which was moundted via FUSE.
> 
> diff --git libexec/security/security libexec/security/security
> index 12ae7d631c3..caed0b71247 100644
> --- libexec/security/security
> +++ libexec/security/security
> @@ -534,14 +534,14 @@ sub find_special_files {
>  	%skip = map { $_ => 1 } split ' ', $ENV{SUIDSKIP}
>  	    if $ENV{SUIDSKIP};
>  
> -	# Add mount points of non-local file systems
> +	# Add mount points of non-local and fuse file systems
>  	# to the list of directories to skip.
>  	nag !(open my $fh, '-|', 'mount'),
>  	    "cannot spawn mount: $!"
>  	    and return;
>  	while (<$fh>) {
> -		my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
> -		push @fs, $path if $path && $opt =~ /local/ &&
> +		my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)\s+(.*)/;
> +		push @fs, $path if $path && $opt =~ /local/ && $type == /fuse/ &&
>  		    !($opt =~ /nodev/ && $opt =~ /nosuid/);
>  	}
>  	close_or_nag $fh, "mount" or return;
> 
> 
> -- 
> wbr, Kirill

-- 
wbr, Kirill