Hello, David Howells.

I realized via https://lwn.net/Articles/792622/ that a new set of system calls for filesystem mounting has been added to Linux 5.2. But I feel that LSM modules are not ready to support these system calls.

An example is move_mount() added by this patch. This patch added the security_move_mount() LSM hook, but none of the in-tree LSM modules are providing a "LSM_HOOK_INIT(move_mount, ...)" entry. Therefore, currently security_move_mount() is a no-op. At least for TOMOYO, I want to check mount manipulations caused by system calls, because allowing mounts on arbitrary locations is not acceptable for pathname-based access control.

What happened? I want TOMOYO to perform checks similar to those mount() does.

On 2019/02/20 2:08, David Howells wrote:
> Add a move_mount() system call that will move a mount from one place to
> another and, in the next commit, allow to attach an unattached mount tree.
>
> The new system call looks like the following:
>
>	int move_mount(int from_dfd, const char *from_path,
>		       int to_dfd, const char *to_path,
>		       unsigned int flags);
>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> cc: linux-api@xxxxxxxxxxxxxxx
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
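
An added example, not part of the original message or of the kernel tree: a small audit that lists LSM hooks which are declared but which no LSM registers with LSM_HOOK_INIT(), the gap described above for move_mount. It assumes hook heads are declared as `struct hlist_head NAME;` inside struct security_hook_heads, as in kernels of that era; the header and source excerpts are constructed samples, and the function names are hypothetical helpers.

```python
import re

# Constructed excerpt modelled on struct security_hook_heads in
# include/linux/lsm_hooks.h (sample text, not copied from a kernel tree).
SAMPLE_HEADS = """
struct security_hook_heads {
	struct hlist_head sb_mount;
	struct hlist_head sb_umount;
	struct hlist_head sb_pivotroot;
	struct hlist_head move_mount;
} __randomize_layout;
"""

# Constructed stand-ins for files under security/.
SAMPLE_LSM_SOURCES = {
    "security/tomoyo/tomoyo.c": """
	LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount),
	LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
	LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
""",
    "security/apparmor/lsm.c": """
	LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
	/* LSM_HOOK_INIT(move_mount, example_move_mount), */
""",
}

HEAD_RE = re.compile(r"struct\s+hlist_head\s+(\w+)\s*;")
INIT_RE = re.compile(r"LSM_HOOK_INIT\(\s*(\w+)\s*,")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def declared_hooks(header_text):
    """Hook names that have a list head, i.e. a security_*() call site can reach them."""
    return set(HEAD_RE.findall(COMMENT_RE.sub("", header_text)))

def registered_hooks(sources):
    """Map hook name -> sorted list of files registering it (commented-out entries ignored)."""
    out = {}
    for path, text in sources.items():
        for name in INIT_RE.findall(COMMENT_RE.sub("", text)):
            out.setdefault(name, set()).add(path)
    return {name: sorted(paths) for name, paths in out.items()}

def unregistered_hooks(header_text, sources):
    """Declared hooks that no LSM source registers."""
    return sorted(declared_hooks(header_text) - set(registered_hooks(sources)))

if __name__ == "__main__":
    for hook in unregistered_hooks(SAMPLE_HEADS, SAMPLE_LSM_SOURCES):
        print(f"security_{hook}(): no LSM registers this hook")
```

To run it against a real tree, pass the contents of include/linux/lsm_hooks.h and of the .c files under security/ in place of the samples.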