On 2020/12/08 1:32, Miklos Szeredi wrote: > A general observation is that overlayfs does not call security_path_*() > hooks on the underlying fs. I don't see this as a problem, because a > simple bind mount done inside a private mount namespace also defeats the > path based security checks. Maybe I'm missing something here, so I'm > interested in comments from AppArmor and Tomoyo developers. Regarding TOMOYO, I don't want overlayfs to call security_path_*() hooks on the underlying fs, but the reason is different. It is not because a simple bind mount done inside a private mount namespace defeats the path based security checks. TOMOYO does want to check what device/filesystem is mounted on which location. But currently TOMOYO is failing to check it due to fsopen()/fsmount()/move_mount() API.
