[PATCH 02/10] vfs: syscall: Add move_mount(2) to move mounts around

James Morris jmorris at namei.org
Tue Jul 23 21:45:07 UTC 2019


On Mon, 8 Jul 2019, Al Viro wrote:

> On Mon, Jul 08, 2019 at 07:01:32PM +0100, Al Viro wrote:
> > On Mon, Jul 08, 2019 at 12:12:21PM -0500, Eric W. Biederman wrote:
> > 
> > > Al you do realize that the TOCTOU you are talking about comes the system
> > > call API.  TOMOYO can only be faulted for not playing in their own
> > > sandbox and not reaching out and fixing the vfs implementation details.
> 
> PS: the fact that mount(2) has been overloaded to hell and back (including
> MS_MOVE, which goes back to v2.5.0.5) predates the introduction of ->sb_mount()
> and LSM in general (2.5.27).  MS_BIND is 2.4.0-test9pre2.
> 
> In all the years since the introduction of ->sb_mount() I've seen zero
> questions from LSM folks regarding a sane place for those checks.  What I have
> seen was "we want it immediately upon the syscall entry, let the module
> figure out what to do" in reply to several times I tried to tell them "folks,
> it's called in a bad place; you want the checks applied to objects, not to
> raw string arguments".
> 
> As it is, we have easily bypassable checks on mount(2) (by way of ->sb_mount();
> there are other hooks also in the game for remounts and new mounts).

What are your recommendations for placing these checks?

-- 
James Morris
<jmorris at namei.org>



More information about the Linux-security-module-archive mailing list