[PATCH v5 7/8] vfs: Replace security_sb_mount/security_move_mount with granular hooks
Song Liu
song at kernel.org
Thu Jun 18 10:56:42 UTC 2026
On Wed, Jun 17, 2026 at 9:53 PM Christian Brauner <brauner at kernel.org> wrote:
>
> On Thu, May 28, 2026 at 11:26:06AM -0700, Song Liu wrote:
[...]
> >
> > + err = security_mount_bind(&old_path, path, recurse);
> > + if (err)
> > + return err;
>
> This again is racy as it is called outside of the namespace semaphore:
>
> err = security_mount_bind(&old_path, path, recurse);
> if (err)
> return err;
>
> if (mnt_ns_loop(old_path.dentry))
> return -EINVAL;
>
> LOCK_MOUNT(mp, path);
> if (IS_ERR(mp.parent))
> return PTR_ERR(mp.parent);
>
> After LOCK_MOUNT @path might point to a completely different mount than
> the one you performed your security checks on.
I thought we agreed at LSF/MM/BPF 2026 to add the LSM hooks
before taking the namespace semaphore, so that it is possible for LSMs
to defend against DoS attacks on the namespace semaphore? Did I
miss/misunderstand something?
> > +
> > if (mnt_ns_loop(old_path.dentry))
> > return -EINVAL;
> >
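Review bot: the security_mount_bind() call in this hunk checks @path before LOCK_MOUNT(mp, path) has resolved the mountpoint, so the mount the hook authorises and the mount the bind actually lands on can differ if another task changes what @path resolves to in between. If the intent is a pre-semaphore policy check so that denied callers never contend for the namespace semaphore, state that in the hook's kernel-doc (the LSM is authorising @path as resolved at call time, not the final mountpoint) and, once LOCK_MOUNT has resolved mp, either compare the locked mountpoint with what the hook saw or re-run the hook on it. Separately, mnt_ns_loop(old_path.dentry) is a cheap -EINVAL rejection that now runs after the hook; placing the hook below it avoids calling into LSMs for requests that fail anyway.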
[...]
> >
> > err = parse_monolithic_mount_data(fc, data);
> > + if (!err)
> > + err = security_mount_remount(fc, path, mnt_flags, flags,
> > + data);
> > if (!err) {
> > down_write(&sb->s_umount);
> > err = -EPERM;
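Review bot: security_mount_remount() runs after parse_monolithic_mount_data() but before down_write(&sb->s_umount), so the superblock state an LSM inspects through @fc and @path can change before the remount is applied; this is the same placement question as for the bind hook, and the hook's documentation should say whether it is a pre-lock policy check or a decision about the state that will actually be committed. The call also passes two flag arguments, mnt_flags and flags, with nothing in the hunk saying which carries the per-mount MNT_* flags and which the MS_* flags from the caller; name them distinctly or document both in the hook's kernel-doc. Likewise document why @data is passed alongside @fc once parse_monolithic_mount_data() has already parsed it, so LSM authors know whether they are expected to parse the raw option string themselves.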
> > @@ -3708,6 +3724,10 @@ static int do_move_mount_old(const struct path *path, const char *old_name)
> > if (err)
> > return err;
> >
> > + err = security_mount_move(&old_path, path);
> > + if (err)
> > + return err;
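Review bot: security_mount_move() here receives only (&old_path, path) and, like the bind hook, is called before the destination mountpoint is locked, so the @path it checks is not necessarily the one the move lands on. The hook also has no flags argument: this call site is do_move_mount_old(), the mount(2) MS_MOVE path, but the move_mount(2) path can set MOVE_MOUNT_BENEATH, which changes where the moved mount ends up relative to @path; give the hook a flags parameter now so that caller can pass it and LSMs can tell the two cases apart, rather than widening the signature in a follow-up.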
>
> Placement of this hook suffers from the same issue as the bind mount
> hook. Here it's worse because the security layer isn't even informed
> about MOVE_MOUNT_BENEATH which completely alters the mount relationship.
The current hook, security_move_mount, doesn't handle
MOVE_MOUNT_BENEATH, but we can add mflags to security_mount_move().
Do we need anything other than mflags?
Thanks,
Song
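The placement question above in a deterministic model, as an added example that is neither the patch's code nor the kernel's: a single-threaded C stand-in in which a "namespace" with one mountpoint, its lock, two constructed mounts and a toy lsm_hook() replace the real objects, and a racer argument plays the other task that changes what @path resolves to between the hook call and the lock. Placement A is the hunk's ordering (hook, then lock), B is the hook under the lock, and C keeps the pre-lock check Song wants for DoS defence but re-runs the hook under the lock when the resolved mount is not the one it authorised. All names (ns_model, resolve(), run_variant(), the /mnt/target path) are invented for this example.

```c
/* Added example, not kernel code: a deterministic single-threaded model of
 * the three hook placements discussed in the thread.  The "namespace",
 * its lock, the mounts and lsm_hook() are all constructed stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct mount { int id; bool lsm_allows; };       /* constructed mount object */

struct ns_model {
    const char *name;      /* the single mountpoint path in this toy namespace */
    struct mount *mnt;     /* the mount currently covering it */
    int lock_taken;        /* times the namespace "semaphore" was acquired */
};

static void ns_lock(struct ns_model *ns)   { ns->lock_taken++; }
static void ns_unlock(struct ns_model *ns) { (void)ns; }

/* What a LOCK_MOUNT-style resolution of @path finds right now. */
static struct mount *resolve(struct ns_model *ns, const char *path) {
    return strcmp(ns->name, path) == 0 ? ns->mnt : NULL;
}

/* Stand-in for a security_mount_*() hook: 0 allowed, -EPERM denied. */
static int lsm_hook(struct mount *m) { return (m && m->lsm_allows) ? 0 : -EPERM; }

/* Stand-in for another task that replaces the mount covering the path in the
 * window between the caller's hook call and its LOCK_MOUNT. */
static void concurrent_replace(struct ns_model *ns, struct mount *racer) {
    if (racer) ns->mnt = racer;
}

/* Placement A, as in the patch: hook first, lock afterwards.  Returns the id
 * of the mount the operation actually ran on, or a negative errno. */
static int op_hook_before_lock(struct ns_model *ns, const char *path, struct mount *racer) {
    struct mount *seen = resolve(ns, path);
    int err = lsm_hook(seen);
    if (err) return err;                   /* denied callers never touch the lock */
    concurrent_replace(ns, racer);         /* the race window */
    ns_lock(ns);
    struct mount *target = resolve(ns, path);   /* may be a mount the hook never saw */
    int id = target->id;
    ns_unlock(ns);
    return id;
}

/* Placement B: hook under the lock.  Exact, but every caller, including ones
 * the LSM is going to deny, has to acquire the semaphore first. */
static int op_hook_under_lock(struct ns_model *ns, const char *path, struct mount *racer) {
    concurrent_replace(ns, racer);
    ns_lock(ns);
    struct mount *target = resolve(ns, path);
    int err = lsm_hook(target);
    if (err) { ns_unlock(ns); return err; }
    int id = target->id;
    ns_unlock(ns);
    return id;
}

/* Placement C: pre-lock hook keeps denied callers off the semaphore, and the
 * locked target is re-checked if it is not the object the hook authorised. */
static int op_hook_before_lock_recheck(struct ns_model *ns, const char *path, struct mount *racer) {
    struct mount *seen = resolve(ns, path);
    int err = lsm_hook(seen);
    if (err) return err;
    concurrent_replace(ns, racer);
    ns_lock(ns);
    struct mount *target = resolve(ns, path);
    if (target != seen) {                  /* path now resolves elsewhere: re-run */
        err = lsm_hook(target);
        if (err) { ns_unlock(ns); return err; }
    }
    int id = target->id;
    ns_unlock(ns);
    return id;
}

/* Two constructed mounts: one the toy LSM permits, one it denies. */
static struct mount allowed_mnt = { .id = 1, .lsm_allows = true  };
static struct mount denied_mnt  = { .id = 2, .lsm_allows = false };

/* Run one placement against a fresh namespace; report result and lock count. */
int run_variant(int variant, struct mount *initial, struct mount *racer, int *locks_out) {
    struct ns_model ns = { .name = "/mnt/target", .mnt = initial, .lock_taken = 0 };
    int r;
    switch (variant) {
    case 0:  r = op_hook_before_lock(&ns, ns.name, racer); break;
    case 1:  r = op_hook_under_lock(&ns, ns.name, racer); break;
    default: r = op_hook_before_lock_recheck(&ns, ns.name, racer); break;
    }
    if (locks_out) *locks_out = ns.lock_taken;
    return r;
}

int main(void) {
    int locks;
    printf("A, racer swaps in the denied mount: ran on mount %d\n",
           run_variant(0, &allowed_mnt, &denied_mnt, &locks));
    printf("B, same race: %d\n", run_variant(1, &allowed_mnt, &denied_mnt, &locks));
    printf("C, same race: %d\n", run_variant(2, &allowed_mnt, &denied_mnt, &locks));
    run_variant(0, &denied_mnt, NULL, &locks); printf("A, denied caller took lock %d times\n", locks);
    run_variant(1, &denied_mnt, NULL, &locks); printf("B, denied caller took lock %d times\n", locks);
    return 0;
}
```

Compile with cc -std=c11 and run: in case A the operation reports mount 2, the one the LSM would have denied and never checked, which is the window Christian describes; B and C both return -EPERM for that race, and A and C additionally keep callers the hook rejects outright off the lock entirely, while B takes it once for every such caller.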
More information about the Linux-security-module-archive mailing list