On Fri, May 8, 2026 at 1:10 PM Paul Moore <[email protected]> wrote: > > On Wed, Apr 29, 2026 at 8:03 PM Song Liu <[email protected]> wrote: > > > > Add six new LSM hooks for mount operations: > > > > - mount_bind(from, to, recurse): bind mount with pre-resolved > > struct path for source and destination. > > - mount_new(fc, mp, mnt_flags, flags, data): new mount, called after > > mount options are parsed. The flags and data parameters carry the > > original mount(2) flags and data for LSMs that need them (AppArmor, > > Tomoyo). > > - mount_remount(fc, mp, mnt_flags, flags, data): filesystem remount, > > called after mount options are parsed into the fs_context. > > - mount_reconfigure(mp, mnt_flags, flags): mount flag reconfiguration > > (MS_REMOUNT|MS_BIND path). > > - mount_move(from, to): move mount with pre-resolved paths. > > - mount_change_type(mp, ms_flags): propagation type changes. > > > > These replace the monolithic security_sb_mount() which conflates > > multiple distinct operations into a single hook, and suffers from > > TOCTOU issues where LSMs re-resolve string-based dev_name via > > kern_path(). > > > > The mount_move hook is added alongside the existing move_mount hook. > > During the transition, LSMs register for both hooks. The move_mount > > hook will be removed once all LSMs have been converted. > > > > Some LSMs, such as apparmor and tomoyo, audit the original input passed > > in the mount syscall. To keep the same behavior, argument data and flags > > are passed in do_* functions. These can be removed if these LSMs no > > longer need these information. > > > > All new hooks are registered as sleepable BPF LSM hooks. > > > > Code generated with the assistance of Claude, reviewed by human. > > > > Reviewed-by: Stephen Smalley <[email protected]> > > Tested-by: Stephen Smalley <[email protected]> # for selinux > > only > > Signed-off-by: Song Liu <[email protected]> > > --- > > fs/namespace.c | 35 ++++++++++-- > > include/linux/lsm_hook_defs.h | 12 ++++ > > include/linux/security.h | 50 +++++++++++++++++ > > kernel/bpf/bpf_lsm.c | 7 +++ > > security/security.c | 101 ++++++++++++++++++++++++++++++++++ > > 5 files changed, 199 insertions(+), 6 deletions(-) > > ... > > > @@ -3708,6 +3724,10 @@ static int do_move_mount_old(const struct path > > *path, const char *old_name) > > if (err) > > return err; > > > > + err = security_mount_move(&old_path, path); > > + if (err) > > + return err; > > + > > return do_move_mount(&old_path, path, 0); > > } > > While the security_sb_mount() hook calls into do_move_mount_old(), the > security_move_mount() hook calls into do_mount_mount(). As you remove > both of these LSM hooks in patch 7/7, should we consider moving the > new security_mount_move() into do_move_mount()? If not, how do we > ensure that we don't lose coverage when removing the > security_move_mount() hook, or can you explain why it is not needed?
Patch 7/7 _replaces_ security_move_mount() with security_mount_move() in vfs_move_mount(). IOW, security_mount_move() is called from both vfs_move_mount() and do_move_mount_old(), so we are not losing any coverage. Did I miss something? vfs_move_mount() has a special case (MNT_TREE_PROPAGATION). If we move the hook to do_move_mount(), we are missing the coverage for this case. Therefore, I think current code as-is is the best design at this point. Does this make sense? Thanks, Song
