The following options apply to any filesystem that is being mounted
(but not every filesystem actually honors them - e.g., the sync option
today has effect only for ext2, ext3, fat, vfat and ufs):
async All I/O to the filesystem should be done asynchronously. (See
also the sync option.)
atime Update inode access time for each access. See also the strictatime
mount option.
noatime
Do not update inode access times on this filesystem (e.g., for
faster access on the news spool to speed up news servers).
auto Can be mounted with the -a option (mounted automatically at boot).
noauto Can only be mounted explicitly (i.e., the -a option will not
cause the filesystem to be mounted).
context=context, fscontext=context, defcontext=context and
rootcontext=context
The context= option is useful when mounting filesystems that do
not support extended attributes, such as a floppy or hard disk
formatted with VFAT, or systems that are not normally running
under SELinux, such as an ext3 formatted disk from a non-SELinux
workstation. You can also use context= on filesystems you do not
trust, such as a floppy. It also helps in compatibility with
xattr-supporting filesystems on earlier 2.4.<x> kernel versions.
Even where xattrs are supported, you can save time not having to
label every file by assigning the entire disk one security context.
A commonly used option for removable media is
context=system_u:object_r:removable_t.
Two other options are fscontext= and defcontext=, both of which
are mutually exclusive of the context option. This means you can
use fscontext and defcontext with each other, but neither can be
used with context.
The fscontext= option works for all filesystems, regardless of
their xattr support. The fscontext option sets the overarching
filesystem label to a specific security context. This filesystem
label is separate from the individual labels on the files. It
represents the entire filesystem for certain kinds of permission
checks, such as during mount or file creation. Individual file
labels are still obtained from the xattrs on the files themselves.
The context option actually sets the aggregate context
that fscontext provides, in addition to supplying the same label
for individual files.
You can set the default security context for unlabeled files
using the defcontext= option. This overrides the value set for
unlabeled files in the policy and requires a filesystem that
supports xattr labeling.
The rootcontext= option allows you to explicitly label the root
inode of a filesystem being mounted before that filesystem or inode
becomes visible to userspace. This was found to be useful for things
like stateless Linux.
For more details, see selinux(8).
defaults
Use default options: rw, suid, dev, exec, auto, nouser, and
async.
dev Interpret character or block special devices on the filesystem.
nodev Do not interpret character or block special devices on the
filesystem.
diratime
Update directory inode access times on this filesystem. This is
the default.
nodiratime
Do not update directory inode access times on this filesystem.
dirsync
All directory updates within the filesystem should be done
synchronously. This affects the following system calls: creat,
link, unlink, symlink, mkdir, rmdir, mknod and rename.
exec Permit execution of binaries.
noexec Do not allow direct execution of any binaries on the mounted
filesystem. (Until recently it was possible to run binaries
anyway using a command like /lib/ld*.so /mnt/binary. This trick
fails since Linux 2.4.25 / 2.6.0.)
group Allow an ordinary (i.e., non-root) user to mount the filesystem
if one of his groups matches the group of the device. This
option implies the options nosuid and nodev (unless overridden
by subsequent options, as in the option line group,dev,suid).
encryption
Specifies an encryption algorithm to use. Used in conjunction
with the loop option.
keybits
Specifies the key size to use for an encryption algorithm. Used
in conjunction with the loop and encryption options.
nofail Do not report errors for this device if it does not exist.
iversion
Every time the inode is modified, the i_version field will
be incremented.
noiversion
Do not increment the i_version inode field.
mand Allow mandatory locks on this filesystem. See fcntl(2).
nomand Do not allow mandatory locks on this filesystem.
_netdev
The filesystem resides on a device that requires network access
(used to prevent the system from attempting to mount these
filesystems until the network has been enabled on the system).
relatime
Update inode access times relative to modify or change time.
Access time is only updated if the previous access time was
earlier than the current modify or change time. (Similar to
noatime, but doesn't break mutt or other applications that need to
know if a file has been read since the last time it was
modified.)
norelatime
Do not use relatime feature. See also the strictatime mount
option.
strictatime
Allows explicitly requesting full atime updates. This makes
it possible for the kernel to default to relatime or noatime but
still allow userspace to override it. For more details about the
default system mount options see /proc/mounts.
nostrictatime
Use the kernel's default behaviour for inode access time
updates.
suid Allow set-user-identifier or set-group-identifier bits to take
effect.
nosuid Do not allow set-user-identifier or set-group-identifier bits to
take effect. (This seems safe, but is in fact rather unsafe if
you have suidperl(1) installed.)
owner Allow an ordinary (i.e., non-root) user to mount the filesystem
if he is the owner of the device. This option implies the
options nosuid and nodev (unless overridden by subsequent
options, as in the option line owner,dev,suid).
remount
Attempt to remount an already-mounted filesystem. This is
commonly used to change the mount flags for a filesystem,
especially to make a readonly filesystem writeable. It does not
change device or mount point.
The remount functionality follows the standard way the mount
command works with options from fstab. This means the mount
command doesn't read fstab (or mtab) only when a device and dir are
fully specified.
mount -o remount,rw /dev/foo /dir
After this call all old mount options are replaced and arbitrary
stuff from fstab is ignored, except the loop= option which is
internally generated and maintained by the mount command.
mount -o remount,rw /dir
After this call mount reads fstab (or mtab) and merges these
options with options from the command line (-o).
ro Mount the filesystem read-only.
rw Mount the filesystem read-write.
sync All I/O to the filesystem should be done synchronously. In case
of media with a limited number of write cycles (e.g. some flash
drives) "sync" may cause life-cycle shortening.
user Allow an ordinary user to mount the filesystem. The name of the
mounting user is written to mtab so that he can unmount the
filesystem again. This option implies the options noexec,
nosuid, and nodev (unless overridden by subsequent options, as
in the option line user,exec,dev,suid).
nouser Forbid an ordinary (i.e., non-root) user to mount the
filesystem. This is the default.
users Allow every user to mount and unmount the filesystem. This
option implies the options noexec, nosuid, and nodev (unless
overridden by subsequent options, as in the option line
users,exec,dev,suid).
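
Added example (not part of the mount(8) text): a Python sketch that resolves an fstab option string left to right, applying the options implied by user, users, owner and group as described above, and reports entries where a later option re-enables exec, suid or dev, or where context= is combined with fscontext= or defcontext=. The sample fstab is constructed and the function names are hypothetical; option values are assumed to contain no commas, and a "defaults" token is assumed not to reset flags set earlier in the line.

```python
# Added example (not from mount(8)): resolve options left to right, then audit.
IMPLIED = {  # user/users imply three restrictions, owner/group imply two
    "user": ("noexec", "nosuid", "nodev"),
    "users": ("noexec", "nosuid", "nodev"),
    "owner": ("nosuid", "nodev"),
    "group": ("nosuid", "nodev"),
}
SWITCHES = {"exec", "suid", "dev"}

def effective(optstring):
    """Return the exec/suid/dev state after left-to-right resolution."""
    # Start from the "defaults" set (suid, dev, exec). Assumption: a later
    # "defaults" token does not reset flags set earlier in the line.
    state = {"exec": True, "suid": True, "dev": True}
    for opt in optstring.split(","):  # assumes no commas inside values
        for o in (opt,) + IMPLIED.get(opt, ()):
            name = o[2:] if o.startswith("no") else o
            if name in SWITCHES:
                state[name] = not o.startswith("no")
    return state

def audit(fstab_text):
    """Return (mountpoint, finding) tuples for risky entries."""
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(",")
        eff = effective(fields[3])
        implied = {r[2:] for o in opts for r in IMPLIED.get(o, ())}
        for flag in sorted(f for f in implied if eff[f]):
            findings.append((mnt, f"user-mountable with {flag} re-enabled"))
        keys = {o.split("=", 1)[0] for o in opts}
        if "context" in keys and keys & {"fscontext", "defcontext"}:
            findings.append((mnt, "context= used with fscontext=/defcontext="))
    return findings

SAMPLE_FSTAB = """\
# constructed sample entries, not from a real system
/dev/sdb1 /media/usb vfat user,noauto,context=system_u:object_r:removable_t 0 0
/dev/sdc1 /media/cam vfat users,exec,dev,suid 0 0
/dev/sdd1 /mnt/disk ext3 suid,owner 0 0
/dev/sde1 /mnt/lab ext3 context=system_u:object_r:removable_t,defcontext=system_u:object_r:removable_t 0 0
"""

if __name__ == "__main__":
    for mnt, finding in audit(SAMPLE_FSTAB):
        print(mnt, "-", finding)
```

Because resolution is order-sensitive, "suid,owner" ends up nosuid while "owner,suid" does not; the audit reports only the second kind.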