kernfs: The cgroup filesystem also benefits from SB_I_NOEXEC

The cgroup filesystem is in the same boat as sysfs.  No one ever
permits executables of any kind on the cgroup filesystem, and there is
no reasonable future case to support executables in the future.

Therefore move the setting of SB_I_NOEXEC which makes the code proof
against future mistakes of accidentally creating executables from
sysfs to kernfs itself.  Making the code simpler and covering the
sysfs, cgroup, and cgroup2 filesystems.

Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

2 files changed, 3 insertions, 2 deletions

diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c
index d90d574c15a2..1443df670260 100644
--- a/fs/kernfs/mount.c
+++ b/fs/kernfs/mount.c
@@ -152,6 +152,8 @@ static int kernfs_fill_super(struct super_block *sb, unsigned long magic)
         struct dentry *root;
 
         info->sb = sb;
+        /* Userspace would break if executables appear on sysfs */
+        sb->s_iflags |= SB_I_NOEXEC;
         sb->s_blocksize = PAGE_SIZE;
         sb->s_blocksize_bits = PAGE_SHIFT;
         sb->s_magic = magic;
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index f31e36994dfb..20b8f82e115b 100644
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -41,8 +41,7 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
         if (IS_ERR(root) || !new_sb)
                 kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
         else if (new_sb)
-                /* Userspace would break if executables appear on sysfs */
-                root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC;
+                root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
 
         return root;
 }