On May 8, 2026 Song Liu <[email protected]> wrote:
>
> Replace AppArmor's monolithic apparmor_sb_mount() with granular
> mount hooks.
>
> Key changes:
> - mount_bind: uses the pre-resolved struct path from VFS instead of
>   re-resolving dev_name via kern_path(), eliminating a TOCTOU
>   vulnerability. aa_bind_mount() now takes a struct path instead of
>   a string for the source.
> - mount_new, mount_remount: receive the original mount(2) flags and
>   data parameters for policy matching via match_mnt_flags() and
>   AA_MNT_CONT_MATCH data matching.
> - mount_reconfigure: handles MS_REMOUNT|MS_BIND (mount attribute
>   reconfiguration) which was previously handled as a remount.
> - mount_move: reuses apparmor_move_mount() which already handles
>   pre-resolved paths.
> - mount_change_type: propagation type changes.
>
> aa_move_mount_old() is removed since move mounts now go through
> security_mount_move() with pre-resolved struct path pointers for
> both the old mount(2) and new move_mount(2) APIs.
>
> Code generated with the assistance of Claude, reviewed by human.
>
> Signed-off-by: Song Liu <[email protected]>
> ---
>  security/apparmor/include/mount.h |  5 +-
>  security/apparmor/lsm.c           | 99 ++++++++++++++++++++++++-------
>  security/apparmor/mount.c         | 37 ++----------
>  3 files changed, 83 insertions(+), 58 deletions(-)

John, Georgia, are you guys okay with this patch?

--
paul-moore.com
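The TOCTOU the commit message cites for mount_bind (the LSM hook re-resolving the dev_name string with kern_path() after the VFS has already resolved it) shown as a user-space analogue. This is an added example, not AppArmor or kernel code and not from the patch: the sandbox layout under /tmp, the struct policy, and the hook_by_name / hook_by_handle names are assumptions. stat() on a path string stands in for the hook's own kern_path() lookup, and fstat() on an already-open descriptor stands in for checking the struct path the VFS handed over. The race is played deterministically by swapping a symlink between the two lookups instead of with a real racing thread.

```c
/*
 * User-space analogue of the lookup TOCTOU the commit message describes for
 * mount_bind.  Illustration only, not AppArmor or kernel code: the sandbox
 * layout, struct policy and the two hook names are assumptions.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Policy": exactly one inode may be used as a bind-mount source. */
struct policy { dev_t dev; ino_t ino; };

static int same_object(const struct stat *st, const struct policy *pol)
{
	return st->st_dev == pol->dev && st->st_ino == pol->ino;
}

/* Old shape: the hook gets the source *string* and resolves it a second time. */
static int hook_by_name(const char *src_name, const struct policy *pol)
{
	struct stat st;
	if (stat(src_name, &st) != 0)
		return 0;	/* deny if the lookup fails */
	return same_object(&st, pol);
}

/* New shape: the hook gets the object the VFS already resolved. */
static int hook_by_handle(int src_fd, const struct policy *pol)
{
	struct stat st;
	if (fstat(src_fd, &st) != 0)
		return 0;
	return same_object(&st, pol);
}

static int create_file(const char *path)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd < 0)
		return -1;
	close(fd);
	return 0;
}

/*
 * Play the race deterministically.  Returns 1 if the hook denied the
 * operation on the forbidden object (correct), 0 if it was fooled into
 * allowing it, -1 if the constructed sandbox could not be built under /tmp.
 */
int simulate_race(int use_handle)
{
	char dir[] = "/tmp/toctou-XXXXXX";
	char allowed[64], secret[64], src[64];
	struct policy pol;
	struct stat st;
	int fd, decision, ok = -1;

	if (!mkdtemp(dir))
		return -1;
	snprintf(allowed, sizeof allowed, "%s/allowed", dir);
	snprintf(secret, sizeof secret, "%s/secret", dir);
	snprintf(src, sizeof src, "%s/src", dir);

	/* Permitted source: "allowed".  Forbidden source: "secret". */
	if (create_file(allowed) || create_file(secret) || stat(allowed, &st))
		goto out;
	pol.dev = st.st_dev;
	pol.ino = st.st_ino;

	/* Step 1: the "VFS" resolves the user's string once: src -> secret. */
	if (symlink(secret, src) || (fd = open(src, O_RDONLY)) < 0)
		goto out;

	/* Step 2: the attacker wins the window and repoints src -> allowed. */
	if (unlink(src) || symlink(allowed, src)) {
		close(fd);
		goto out;
	}

	/* Step 3: the hook decides, from the string or from the handle. */
	decision = use_handle ? hook_by_handle(fd, &pol) : hook_by_name(src, &pol);
	close(fd);

	/* The VFS will act on "secret", so ALLOW is the wrong answer here. */
	ok = decision ? 0 : 1;
out:
	unlink(src);
	unlink(allowed);
	unlink(secret);
	rmdir(dir);
	return ok;
}

int main(void)
{
	printf("re-resolving the string:   %s\n", simulate_race(0) == 1 ? "denied" : "fooled");
	printf("using the resolved handle: %s\n", simulate_race(1) == 1 ? "denied" : "fooled");
	return 0;
}
```

The string-based hook answers ALLOW because, by the time it looks up the name, the link points at the permitted file, while the object the VFS already opened is the forbidden one; the handle-based hook cannot be redirected because it never performs a second lookup. This is exactly the reason the hook signature moves from a string to a struct path: the decision must be made on the object the VFS will actually use.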
