[PATCH v3 3/7] apparmor: Convert from sb_mount to granular mount hooks
Paul Moore
paul at paul-moore.com
Mon May 11 19:52:44 UTC 2026
On May 8, 2026 Song Liu <song at kernel.org> wrote:
>
> Replace AppArmor's monolithic apparmor_sb_mount() with granular
> mount hooks.
>
> Key changes:
> - mount_bind: uses the pre-resolved struct path from VFS instead of
>   re-resolving dev_name via kern_path(), eliminating a TOCTOU
>   vulnerability. aa_bind_mount() now takes a struct path instead of
>   a string for the source.
> - mount_new, mount_remount: receive the original mount(2) flags and
>   data parameters for policy matching via match_mnt_flags() and
>   AA_MNT_CONT_MATCH data matching.
> - mount_reconfigure: handles MS_REMOUNT|MS_BIND (mount attribute
>   reconfiguration) which was previously handled as a remount.
> - mount_move: reuses apparmor_move_mount() which already handles
>   pre-resolved paths.
> - mount_change_type: propagation type changes.
>
> aa_move_mount_old() is removed since move mounts now go through
> security_mount_move() with pre-resolved struct path pointers for
> both the old mount(2) and new move_mount(2) APIs.
>
> Code generated with the assistance of Claude, reviewed by human.
>
> Signed-off-by: Song Liu <song at kernel.org>
> ---
>  security/apparmor/include/mount.h |  5 +-
>  security/apparmor/lsm.c           | 99 ++++++++++++++++++++++++-------
>  security/apparmor/mount.c         | 37 ++----------
>  3 files changed, 83 insertions(+), 58 deletions(-)
John, Georgia, are you guys okay with this patch?
--
paul-moore.com