On Mon, 8 Jul 2019, Al Viro wrote:

> On Mon, Jul 08, 2019 at 07:01:32PM +0100, Al Viro wrote:
> > On Mon, Jul 08, 2019 at 12:12:21PM -0500, Eric W. Biederman wrote:
> >
> > > Al you do realize that the TOCTOU you are talking about comes from the system
> > > call API. TOMOYO can only be faulted for not playing in their own
> > > sandbox and not reaching out and fixing the vfs implementation details.
>
> PS: the fact that mount(2) has been overloaded to hell and back (including
> MS_MOVE, which goes back to v2.5.0.5) predates the introduction of ->sb_mount()
> and LSM in general (2.5.27). MS_BIND is 2.4.0-test9pre2.
>
> In all the years since the introduction of ->sb_mount() I've seen zero
> questions from LSM folks regarding a sane place for those checks. What I have
> seen was "we want it immediately upon the syscall entry, let the module
> figure out what to do" in reply to several times I tried to tell them "folks,
> it's called in a bad place; you want the checks applied to objects, not to
> raw string arguments".
>
> As it is, we have easily bypassable checks on mount(2) (by way of ->sb_mount();
> there are other hooks also in the game for remounts and new mounts).

What are your recommendations for placing these checks?

-- 
James Morris
<jmorris@xxxxxxxxx>