[LSF/MM/BPF TOPIC] Refactor LSM hooks for VFS mount operations

Casey Schaufler casey at schaufler-ca.com
Thu Jan 22 16:56:01 UTC 2026


On 1/21/2026 7:00 PM, Song Liu wrote:
> Hi Paul,
>
> On Wed, Jan 21, 2026 at 4:14 PM Paul Moore <paul at paul-moore.com> wrote:
>> On Wed, Jan 21, 2026 at 4:18 PM Song Liu <song at kernel.org> wrote:
>>> Current LSM hooks do not have good coverage for VFS mount operations.
>>> Specifically, there are the following issues (and maybe more..):
>> I don't recall LSM folks normally being invited to LSFMMBPF so it
>> seems like this would be a poor forum to discuss LSM hooks.
> Agreed this might not be the best forum to discuss LSM hooks.
> However, I am not aware of a better forum for in person discussions.
>
> AFAICT, in-tree LSMs have straightforward logic around mount
> monitoring. As long as we get this logic translated properly, I
> don't expect much controversy with in-tree LSMs.

The existing mount hooks can't handle multiple LSMs that provide
mount options. Fixing this has proven non-trivial. Changes to LSM
hooks have to be discussed on the LSM email list, regardless of how
little impact it seems they might have.

>
>>> PS: I am not sure whether other folks are already working on it. I will prepare
>>> some RFC patches before the conference if I don't see other proposals.
>> FWIW, I'm not aware of anyone currently working on revising the mount
>> hooks, but it's possible.  Posting a patchset, even an early RFC
>> draft, is always a good way to find out who might be working in the
>> same space :)
>>
>> Posting to the mailing list also has the advantage of reaching
>> everyone who might be interested, whereas discussing this at a
>> conference, especially one that is invite-only, is limiting.
> I expect there will be RFCs posted to the mailing list before the
> conference. We will incorporate feedback from the mailing list
> to make the discussion more productive at the conference. It is
> totally possible that some patches get accepted before the
> conference, so that we can simply celebrate at the conference. :)
>
> Thanks,
> Song
>


