author Tomas Mraz <tmraz@fedoraproject.org> 2019-11-04 10:12:22 +0100
committer Tomas Mraz <tmraz@fedoraproject.org> 2019-11-04 10:12:22 +0100
commit e7abfc94824b5d0f9752ebcfc303e128060609a3
tree b58d54709e36a0ceecb484ab9f200ea42e667974 /modules/pam_namespace/namespace.conf.5.xml
parent c6bef96651ee861baf099a36f0cb1fd4d36669ca
pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
* modules/pam_namespace/namespace.conf.5.xml: Add documentation for the noexec, nosuid, and nodev flags support.
* modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to filter out the flags.
(parse_method): Call the function.
(ns_setup): Apply the flags to the tmpfs mount.
* modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
Diffstat (limited to 'modules/pam_namespace/namespace.conf.5.xml')
-rw-r--r-- modules/pam_namespace/namespace.conf.5.xml 11
1 files changed, 8 insertions, 3 deletions
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
index c7698cb4..a94b49e2 100644
--- a/modules/pam_namespace/namespace.conf.5.xml
+++ b/modules/pam_namespace/namespace.conf.5.xml
@@ -122,9 +122,14 @@
<para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
- value of this flag is passed to the mount call when the tmpfs mount is
done. It allows for example the specification of the maximum size of the
- tmpfs instance that is created by the mount call. See <citerefentry>
- <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry> for details.
+ tmpfs instance that is created by the mount call. In addition to
+ options specified in the <citerefentry>
+ <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry> manual the <emphasis>nosuid</emphasis>,
+ <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags
+ can be used to respectively disable setuid bit effect, disable running
+ executables, and disable devices to be interpreted on the mounted
+ tmpfs filesystem.
</para>
<para>
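Review bot: The added sentence in the mntopts paragraph drops the mount(8) reference entirely, yet nosuid, noexec and nodev are generic mount flags described in mount(8), not in tmpfs(5), so a reader who follows only the new tmpfs(5) pointer will not find them; consider keeping a mount(8) citerefentry alongside the tmpfs(5) one. The wording "disable devices to be interpreted" would read better as "disable interpretation of device special files", and a comma is missing after "manual". Since these flags are the hardening knobs for a polyinstantiated tmpfs directory, it would also help to state what applies when they are omitted and to show how they are written together with a size limit in a single mntopts value.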