--- zzzz-none-000/linux-4.9.279/fs/namespace.c 2021-08-08 06:38:54.000000000 +0000
+++ puma7-atom-6591-750/linux-4.9.279/fs/namespace.c 2023-02-08 11:43:43.000000000 +0000
@@ -7,6 +7,10 @@
 * Based on code from fs/super.c, copyright Linus Torvalds and others.
 * Heavily rewritten.
 */
+/*
+ * Includes Intel Corporation's changes dated: 2019.
+ * Changed portions - Copyright 2019, Intel Corporation.
+ */
 #include
 #include
@@ -2759,6 +2763,10 @@
 return data ? strndup_user(data, PAGE_SIZE) : NULL;
 }
+#ifdef CONFIG_INTEL_MOUNT_EXEC_DISABLED
+int mount_exec_disabled = 0;
+#endif
+
 /*
 * Flags is a 32-bit value that allows up to 31 non-fs dependent flags to
 * be given to the mount() call (ie: read-only, no-dev, no-suid etc).
@@ -2811,6 +2819,13 @@
 mnt_flags |= MNT_NOSUID;
 if (flags & MS_NODEV)
 mnt_flags |= MNT_NODEV;
+#ifdef CONFIG_INTEL_MOUNT_EXEC_DISABLED
+ if (!(flags & MS_NOEXEC) && mount_exec_disabled)
+ {
+ retval = -EPERM;
+ goto dput_out;
+ }
+#endif
 if (flags & MS_NOEXEC)
 mnt_flags |= MNT_NOEXEC;
 if (flags & MS_NOATIME)
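Review bot: `mount_exec_disabled` (the `@@ -2759` hunk) is a security policy switch, yet it is a plain writable global with external linkage and nothing says who sets it or whether it may ever return to 0. Its writer is not part of this diff; confirm that it is reachable only by a privileged caller and, if this is meant as a lockdown, that it accepts only the 0-to-1 transition. I would add a comment such as `/* Non-zero: mount requests without MS_NOEXEC are refused with -EPERM. */` and declare it as `int mount_exec_disabled __read_mostly;`, since kernel style does not initialise globals to 0.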
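Review bot: The added test in the `@@ -2811` hunk looks at the caller's `flags` word, not at the flags the resulting mount ends up with, so it protects only the operations that actually apply `mnt_flags`. The enclosing function starts and ends outside this hunk, but in mainline 4.9 the MS_BIND and MS_MOVE branches of do_mount() are dispatched without `mnt_flags`; verify that and, if it holds here, enforce the policy on the resulting mount in those branches as well. The refusal is also silent, and a line like `pr_warn_ratelimited("mount without MS_NOEXEC refused\n");` before `retval = -EPERM;` would give operators an event to alert on. Style: kernel code puts the brace on the `if` line, and a small helper with an empty stub would avoid the `#ifdef` inside the function body.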