[LSF/MM/BPF TOPIC] Refactor LSM hooks for VFS mount operations
Song Liu
song at kernel.org
Thu Jan 22 23:01:12 UTC 2026
Hi Casey,
Thanks for your comments!
On Thu, Jan 22, 2026 at 9:16 AM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> On 1/21/2026 7:00 PM, Song Liu wrote:
> > Hi Paul,
> >
> > On Wed, Jan 21, 2026 at 4:14 PM Paul Moore <paul at paul-moore.com> wrote:
> >> On Wed, Jan 21, 2026 at 4:18 PM Song Liu <song at kernel.org> wrote:
> >>> Current LSM hooks do not have good coverage for VFS mount operations.
> >>> Specifically, there are the following issues (and maybe more..):
> >> I don't recall LSM folks normally being invited to LSFMMBPF so it
> >> seems like this would be a poor forum to discuss LSM hooks.
> > Agreed this might not be the best forum to discuss LSM hooks.
> > However, I am not aware of a better forum for in person discussions.
> >
> > AFAICT, in-tree LSMs have straightforward logics around mount
> > monitoring. As long as we get these logic translated properly, I
> > don't expect much controversy with in-tree LSMs.
>
> The existing mount hooks can't handle multiple LSMs that provide
> mount options. Fixing this has proven non-trivial.
Could you please share more information about this issue?
> Changes to LSM
> hooks have to be discussed on the LSM email list, regardless of how
> little impact it seems they might have.
I don't think we're gonna ship anything without thorough discussions in
the mailing list.
Thanks,
Song
More information about the Linux-security-module-archive
mailing list