On Wed, Mar 18, 2026 at 2:44 PM Song Liu <[email protected]> wrote: > > Replace selinux_mount() with granular mount hooks, preserving the > same permission checks: > > - mount_bind, mount_new, mount_change_type: FILE__MOUNTON > - mount_remount, mount_reconfigure: FILESYSTEM__REMOUNT > - mount_move: FILE__MOUNTON (reuses selinux_move_mount) > > The flags and data parameters are unused by SELinux. > > Code generated with the assistance of Claude, reviewed by human. > > Signed-off-by: Song Liu <[email protected]>
Not expecting you to do this, but after this lands, I think it would make sense to revisit the SELinux checks and further specialize them while providing backward compatibility. Reviewed-by: Stephen Smalley <[email protected]> Tested-by: Stephen Smalley <[email protected] > --- > security/selinux/hooks.c | 47 ++++++++++++++++++++++++++++++---------- > 1 file changed, 35 insertions(+), 12 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index d8224ea113d1..415b5541ab9e 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2778,19 +2778,37 @@ static int selinux_sb_statfs(struct dentry *dentry) > return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, > &ad); > } > > -static int selinux_mount(const char *dev_name, > - const struct path *path, > - const char *type, > - unsigned long flags, > - void *data) > +static int selinux_mount_bind(const struct path *from, const struct path *to, > + bool recurse) > { > - const struct cred *cred = current_cred(); > + return path_has_perm(current_cred(), to, FILE__MOUNTON); > +} > > - if (flags & MS_REMOUNT) > - return superblock_has_perm(cred, path->dentry->d_sb, > - FILESYSTEM__REMOUNT, NULL); > - else > - return path_has_perm(cred, path, FILE__MOUNTON); > +static int selinux_mount_new(struct fs_context *fc, const struct path *mp, > + int mnt_flags, unsigned long flags, void *data) > +{ > + return path_has_perm(current_cred(), mp, FILE__MOUNTON); > +} > + > +static int selinux_mount_remount(struct fs_context *fc, const struct path > *mp, > + int mnt_flags, unsigned long flags, > + void *data) > +{ > + return superblock_has_perm(current_cred(), fc->root->d_sb, > + FILESYSTEM__REMOUNT, NULL); > +} > + > +static int selinux_mount_reconfigure(const struct path *mp, > + unsigned int mnt_flags, > + unsigned long flags) > +{ > + return superblock_has_perm(current_cred(), mp->dentry->d_sb, > + FILESYSTEM__REMOUNT, NULL); > +} > + > +static int selinux_mount_change_type(const struct path *mp, int ms_flags) > +{ > + return path_has_perm(current_cred(), mp, FILE__MOUNTON); > } > > static int selinux_move_mount(const struct path *from_path, > @@ -7449,7 +7467,12 @@ static struct security_hook_list selinux_hooks[] > __ro_after_init = { > LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), > LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), > LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), > - LSM_HOOK_INIT(sb_mount, selinux_mount), > + LSM_HOOK_INIT(mount_bind, selinux_mount_bind), > + LSM_HOOK_INIT(mount_new, selinux_mount_new), > + LSM_HOOK_INIT(mount_remount, selinux_mount_remount), > + LSM_HOOK_INIT(mount_reconfigure, selinux_mount_reconfigure), > + LSM_HOOK_INIT(mount_change_type, selinux_mount_change_type), > + LSM_HOOK_INIT(mount_move, selinux_move_mount), > LSM_HOOK_INIT(sb_umount, selinux_umount), > LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), > LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), > -- > 2.52.0 >
