On 2026/05/09 10:52, Song Liu wrote: > Replace tomoyo_sb_mount() with granular mount hooks. Each hook > reconstructs the MS_* flags expected by tomoyo_mount_permission() > using the original flags parameter where available.
Please fold below diff into this patch. Then, Acked-by: Tetsuo Handa <[email protected]>
---
 security/tomoyo/tomoyo.c | 60 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index ac84e1f03d5e..c93d000acc95 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -400,6 +400,15 @@ static int tomoyo_path_chroot(const struct path *path)
 	return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL);
 }
 
+/**
+ * tomoyo_mount_bind - Target for security_mount_bind().
+ *
+ * @from: Pointer to "struct path".
+ * @to: Pointer to "struct path".
+ * @recurse: Whether recursive bind mount or not.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
 static int tomoyo_mount_bind(const struct path *from, const struct path *to,
			     bool recurse)
 {
@@ -408,6 +417,17 @@ static int tomoyo_mount_bind(const struct path *from, const struct path *to,
 	return tomoyo_mount_permission(NULL, to, NULL, flags, from);
 }
 
+/**
+ * tomoyo_mount_new - Target for security_mount_new().
+ *
+ * @fc: Pointer to "struct fs_context".
+ * @mp: Pointer to "struct path".
+ * @mnt_flags: Mount options.
+ * @flags: Original mount options.
+ * @data: Optional data. Maybe NULL.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
 static int tomoyo_mount_new(struct fs_context *fc, const struct path *mp,
			    int mnt_flags, unsigned long flags, void *data)
 {
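Review bot: The `@data` line in the added kernel-doc for tomoyo_mount_new reads `Maybe NULL`, which is the adverb; the intended phrase is `May be NULL`, so the line should read ` * @data: Optional data. May be NULL.`. The same wording appears in the tomoyo_mount_remount kernel-doc in the next hunk. The `@flags: Original mount options.` line could also state that these are the MS_* flags the hook passes on to tomoyo_mount_permission(), which is the distinction from `@mnt_flags` that matters for the permission check; judging from the visible return lines that is what `flags` carries, but the function bodies lie outside the hunk, so confirm before wording it that way. The body of tomoyo_mount_new continues past the end of this hunk.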
@@ -416,6 +436,17 @@ static int tomoyo_mount_new(struct fs_context *fc, const struct path *mp,
				       flags, NULL);
 }
 
+/**
+ * tomoyo_mount_remount - Target for security_mount_remount().
+ *
+ * @fc: Pointer to "struct fs_context".
+ * @mp: Pointer to "struct path".
+ * @mnt_flags: Mount options.
+ * @flags: Original mount options.
+ * @data: Optional data. Maybe NULL.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
 static int tomoyo_mount_remount(struct fs_context *fc, const struct path *mp,
				int mnt_flags, unsigned long flags, void *data)
 {
@@ -423,6 +454,15 @@ static int tomoyo_mount_remount(struct fs_context *fc, const struct path *mp,
 	return tomoyo_mount_permission(NULL, mp, NULL, flags, NULL);
 }
 
+/**
+ * tomoyo_mount_reconfigure - Target for security_mount_reconfigure().
+ *
+ * @mp: Pointer to "struct path".
+ * @mnt_flags: Mount options.
+ * @flags: Original mount options.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
 static int tomoyo_mount_reconfigure(const struct path *mp,
				    unsigned int mnt_flags, unsigned long flags)
@@ -431,12 +471,28 @@ static int tomoyo_mount_reconfigure(const struct path *mp,
 	return tomoyo_mount_permission(NULL, mp, NULL, flags, NULL);
 }
 
+/**
+ * tomoyo_mount_change_type - Target for security_mount_change_type().
+ *
+ * @mp: Pointer to "struct path".
+ * @ms_flags: Mount options.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
 static int tomoyo_mount_change_type(const struct path *mp, int ms_flags)
 {
 	return tomoyo_mount_permission(NULL, mp, NULL, ms_flags, NULL);
 }
 
-static int tomoyo_move_mount(const struct path *from_path,
+/**
+ * tomoyo_mount_move - Target for security_mount_move().
+ *
+ * @from_path: Pointer to "struct path".
+ * @to_path: Pointer to "struct path".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_mount_move(const struct path *from_path,
			     const struct path *to_path)
 {
 	return tomoyo_mount_permission(NULL, to_path, NULL, MS_MOVE,
@@ -609,7 +665,7 @@ static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(mount_remount, tomoyo_mount_remount),
 	LSM_HOOK_INIT(mount_reconfigure, tomoyo_mount_reconfigure),
 	LSM_HOOK_INIT(mount_change_type, tomoyo_mount_change_type),
-	LSM_HOOK_INIT(mount_move, tomoyo_move_mount),
+	LSM_HOOK_INIT(mount_move, tomoyo_mount_move),
 	LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
 	LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
 	LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
-- 
2.47.3
