[LSF/MM/BPF TOPIC] Refactor LSM hooks for VFS mount operations
Song Liu
song at kernel.org
Wed Jan 21 19:54:18 UTC 2026
Current LSM hooks do not have good coverage for VFS mount operations.
Specifically, there are the following issues (and maybe more...):
1. security_sb_mount suffers from the TOCTOU bug for bind mount and
move mount [1];
2. There is not sufficient coverage for new mount syscalls (open_tree, fspick,
etc.) [2].
A key consideration of this refactor is to minimize lock contention, especially
around namespace_sem.
I also want to discuss what features in the kernel side (kfuncs,
iterators, etc.) are needed to enable reliable monitoring of mount
operations in BPF LSM.
Thanks,
Song
PS: I am not sure whether other folks are already working on it. I will prepare
some RFC patches before the conference if I don't see other proposals.
[1] https://lore.kernel.org/bpf/20251130064609.GR3538@ZenIV/
[2] https://lore.kernel.org/linux-security-module/20250711-pfirsich-worum-c408f9a14b13@brauner/