Open Source and information security mailing list archives
Message-ID: <20250709102410.GU1880847@ZenIV>
Date: Wed, 9 Jul 2025 11:24:10 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Song Liu <song@...nel.org>
Cc: bpf@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org,
	apparmor@...ts.ubuntu.com, selinux@...r.kernel.org,
	tomoyo-users_en@...ts.sourceforge.net,
	tomoyo-users_ja@...ts.sourceforge.net, kernel-team@...a.com,
	andrii@...nel.org, eddyz87@...il.com, ast@...nel.org,
	daniel@...earbox.net, martin.lau@...ux.dev, brauner@...nel.org,
	jack@...e.cz, kpsingh@...nel.org, mattbobrowski@...gle.com,
	amir73il@...il.com, repnop@...gle.com, jlayton@...nel.org,
	josef@...icpanda.com, mic@...ikod.net, gnoack@...gle.com,
	m@...wtm.org, john.johansen@...onical.com, john@...armor.net,
	stephen.smalley.work@...il.com, omosnace@...hat.com,
	takedakn@...data.co.jp, penguin-kernel@...ove.sakura.ne.jp,
	enlightened@...omium.org
Subject: Re: [RFC] vfs: security: Parse dev_name before calling
 security_sb_mount

On Tue, Jul 08, 2025 at 04:05:04PM -0700, Song Liu wrote:
> security_sb_mount handles multiple types of mounts: new mount, bind
> mount, etc. When parameter dev_name is a path, it needs to be parsed
> with kern_path.
> 
> Move the parsing of dev_name to path_mount, and pass the result to
> security_sb_mount, so that:
> 1. The LSMs do not need to call kern_path again;
> 2. For BPF LSM, we can use struct path dev_path, which is much easier to
>    use than a string.
> 3. We can now remove do_move_mount_old.
> 
> Also, move may_mount check to before security_sb_mount and potential
> kern_path, so that requests without proper capability will be rejected
> sooner.
> 
> Signed-off-by: Song Liu <song@...nel.org>
> 
> ---
> The primary motivation of this change is to monitor bind mount and move
> mount in BPF LSM. There are a few options for this to work:
> 1. Introduce bpf_kern_path kfunc.
> 2. Add new hook(s), such as [1].
> 3. Something like this patch.
> 
> At this moment, I think this patch is the best solution.
> 
> New mount for filesystems with FS_REQUIRES_DEV also needs kern_path for
> dev_name. apparmor and tomoyo still call kern_path in such cases.
> However, it is a bit tricky to move this kern_path call to path_mount,
> so new mount path is not changed in this version.

security_sb_mount() is and had always been a mind-boggling trash of an API.

It makes no sense in terms of operations being requested.  And any questions
regarding its semantics had been consistently met with blanket "piss off,
LSM gets to do whatever it wants to do, you are not to question the sanity
and you are not to request any kind of rules - give us the fucking syscall
arguments and let us at it".

Come up with a saner API.  We are done accommodating that idiocy.  The only
changes you get to make in fs/namespace.c are "here's our better-defined
hooks, please call <this hook> when you do <that>".

NAKed-by: Al Viro <viro@...iv.linux.org.uk>
