Thread (16 messages) 16 messages, 5 authors, 2025-07-16

Re: [RFC] vfs: security: Parse dev_name before calling security_sb_mount

From: Song Liu <hidden>
Date: 2025-07-10 17:00:22
Also in: bpf, linux-fsdevel, lkml, selinux

On Jul 10, 2025, at 4:46 AM, Christian Brauner [off-list ref] wrote:
[...]
quoted
Right now, we have security_sb_mount and security_move_mount, for 
syscall “mount” and “move_mount” respectively. This is confusing 
because we can also do move mount with syscall “mount”. How about 
we create 5 different security hooks:

security_bind_mount
security_new_mount
security_reconfigure_mount
security_remount
security_change_type_mount

and remove security_sb_mount. After this, we will have 6 hooks for
each type of mount (the 5 above plus security_move_mount).
I've multiple times pointed out that the current mount security hooks
aren't working and basically everything in the new mount api is
unsupervised from an LSM perspective.
To make sure I understand the comment. By “new mount api”, do you mean 
the code path under do_new_mount()? 
My recommendation is make a list of all the currently supported
security_*() hooks in the mount code (I certainly don't have them in my
head). Figure out what each of them allow to mediate effectively and how
the callchains are related.

Then make a proposal how to replace them with something that a) doesn't
cause regressions which is probably something that the LSMs care about
and b) that covers the new mount API sufficiently to be properly
mediated.

I'll happily review proposals. Fwiw, I'm pretty sure that this is
something that Mickael is interested in as well.
So we will consider a proper redesign of LSM hooks for mount syscalls, 
but we do not want incremental improvements like this one. Do I get 
the direction right?

Thanks,
Song
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help