[PATCH v3 6/7] tomoyo: Convert from sb_mount to granular mount hooks
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Tue May 12 11:01:49 UTC 2026
On 2026/05/09 10:52, Song Liu wrote:
> Replace tomoyo_sb_mount() with granular mount hooks. Each hook
> reconstructs the MS_* flags expected by tomoyo_mount_permission()
> using the original flags parameter where available.
Please fold the diff below into this patch. Then,
Acked-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
---
security/tomoyo/tomoyo.c | 60 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 58 insertions(+), 2 deletions(-)
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index ac84e1f03d5e..c93d000acc95 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -400,6 +400,15 @@ static int tomoyo_path_chroot(const struct path *path)
return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL);
}
+/**
+ * tomoyo_mount_bind - Target for security_mount_bind().
+ *
+ * @from: Pointer to "struct path".
+ * @to: Pointer to "struct path".
+ * @recurse: Whether recursive bind mount or not.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
static int tomoyo_mount_bind(const struct path *from, const struct path *to,
bool recurse)
{
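Review bot: The `@from`/`@to` lines of the tomoyo_mount_bind kernel-doc both read `Pointer to "struct path".`, which does not say which path is the source and which is the mountpoint; the call in the following hunk passes `to` in the mountpoint position of tomoyo_mount_permission() and `from` as the last argument, so `@from: Pointer to "struct path" of the source tree.` and `@to: Pointer to "struct path" of the mountpoint.` would document what the code actually does. The same applies to the `@from_path`/`@to_path` lines of the tomoyo_mount_move comment further down. The body of tomoyo_mount_bind, where `flags` is built, lies outside this hunk.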
@@ -408,6 +417,17 @@ static int tomoyo_mount_bind(const struct path *from, const struct path *to,
return tomoyo_mount_permission(NULL, to, NULL, flags, from);
}
+/**
+ * tomoyo_mount_new - Target for security_mount_new().
+ *
+ * @fc: Pointer to "struct fs_context".
+ * @mp: Pointer to "struct path".
+ * @mnt_flags: Mount options.
+ * @flags: Original mount options.
+ * @data: Optional data. Maybe NULL.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
static int tomoyo_mount_new(struct fs_context *fc, const struct path *mp,
int mnt_flags, unsigned long flags, void *data)
{
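Review bot: The `@data` line of the tomoyo_mount_new kernel-doc reads `Maybe NULL`, which should be `May be NULL`; the same wording appears in the tomoyo_mount_remount comment in the next hunk. The `@mnt_flags`/`@flags` descriptions ("Mount options" / "Original mount options") do not tell a reader which flag namespace each carries, which matters because only `flags` reaches tomoyo_mount_permission() at the visible call sites; following the cover text, `@flags: MS_* flags as passed by the caller.` and, presumably, `@mnt_flags: MNT_* flags of the resulting mount.` would make the distinction explicit, and the same wording fits tomoyo_mount_remount and tomoyo_mount_reconfigure. Note that mnt_flags is `int` here and in tomoyo_mount_remount but `unsigned int` in tomoyo_mount_reconfigure; that presumably mirrors the hook prototypes, but is worth confirming against the security_mount_*() declarations. The body of tomoyo_mount_new lies outside this hunk.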
@@ -416,6 +436,17 @@ static int tomoyo_mount_new(struct fs_context *fc, const struct path *mp,
flags, NULL);
}
+/**
+ * tomoyo_mount_remount - Target for security_mount_remount().
+ *
+ * @fc: Pointer to "struct fs_context".
+ * @mp: Pointer to "struct path".
+ * @mnt_flags: Mount options.
+ * @flags: Original mount options.
+ * @data: Optional data. Maybe NULL.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
static int tomoyo_mount_remount(struct fs_context *fc, const struct path *mp,
int mnt_flags, unsigned long flags, void *data)
{
@@ -423,6 +454,15 @@ static int tomoyo_mount_remount(struct fs_context *fc, const struct path *mp,
return tomoyo_mount_permission(NULL, mp, NULL, flags, NULL);
}
+/**
+ * tomoyo_mount_reconfigure - Target for security_mount_reconfigure().
+ *
+ * @mp: Pointer to "struct path".
+ * @mnt_flags: Mount options.
+ * @flags: Original mount options.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
static int tomoyo_mount_reconfigure(const struct path *mp,
unsigned int mnt_flags,
unsigned long flags)
@@ -431,12 +471,28 @@ static int tomoyo_mount_reconfigure(const struct path *mp,
return tomoyo_mount_permission(NULL, mp, NULL, flags, NULL);
}
+/**
+ * tomoyo_mount_change_type - Target for security_mount_change_type().
+ *
+ * @mp: Pointer to "struct path".
+ * @ms_flags: Mount options.
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
static int tomoyo_mount_change_type(const struct path *mp, int ms_flags)
{
return tomoyo_mount_permission(NULL, mp, NULL, ms_flags, NULL);
}
-static int tomoyo_move_mount(const struct path *from_path,
+/**
+ * tomoyo_mount_move - Target for security_mount_move().
+ *
+ * @from_path: Pointer to "struct path".
+ * @to_path: Pointer to "struct path".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_mount_move(const struct path *from_path,
const struct path *to_path)
{
return tomoyo_mount_permission(NULL, to_path, NULL, MS_MOVE,
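Review bot: `@ms_flags: Mount options.` in the tomoyo_mount_change_type kernel-doc omits the one thing a reviewer needs: the value is handed unmodified to tomoyo_mount_permission() as its flags argument, so it has to already be in MS_* form rather than reconstructed like the other hooks do. Given the hook name this is presumably the propagation-type request (MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE), which the comment should state once confirmed against security_mount_change_type(); `@ms_flags: MS_* propagation type requested for @mp, passed through unchanged.` would do. The tomoyo_mount_move call at the end of the hunk continues past the hunk boundary.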
@@ -609,7 +665,7 @@ static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
LSM_HOOK_INIT(mount_remount, tomoyo_mount_remount),
LSM_HOOK_INIT(mount_reconfigure, tomoyo_mount_reconfigure),
LSM_HOOK_INIT(mount_change_type, tomoyo_mount_change_type),
- LSM_HOOK_INIT(mount_move, tomoyo_move_mount),
+ LSM_HOOK_INIT(mount_move, tomoyo_mount_move),
LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
--
2.47.3