[apparmor] [PATCH 0/7] lsm: Replace security_sb_mount with granular mount hooks
Song Liu
song at kernel.org
Fri Mar 27 00:31:31 UTC 2026
Hi folks, especially SELinux, AppArmor, and Landlock maintainers,

Could you please share your comments on this set? AFAICT, there are
no functional changes (other than fixing TOCTOU) to existing LSMs.
If there are no issues with these changes, can we land the set in 7.1
kernels?

Thanks,
Song

On Wed, Mar 18, 2026 at 11:44 AM Song Liu <song at kernel.org> wrote:
[...]
> All existing LSM behaviors are preserved:
>   AppArmor: same policy matching, TOCTOU fixed for bind/move
>   SELinux: same permission checks (FILE__MOUNTON, FILESYSTEM__REMOUNT)
>   Landlock: same deny-all for sandboxed processes
>   Tomoyo: same policy matching, TOCTOU fixed for bind/move, unused
>           data_page parameter removed
>
>
> This work is inspired by earlier discussions:
>
> [1] https://lore.kernel.org/bpf/20251127005011.1872209-1-song@kernel.org/
> [2] https://lore.kernel.org/linux-security-module/20250708230504.3994335-1-song@kernel.org/
>
>
> Song Liu (7):
>   lsm: Add granular mount hooks to replace security_sb_mount
>   apparmor: Remove redundant MS_MGC_MSK stripping in apparmor_sb_mount
>   apparmor: Convert from sb_mount to granular mount hooks
>   selinux: Convert from sb_mount to granular mount hooks
>   landlock: Convert from sb_mount to granular mount hooks
>   tomoyo: Convert from sb_mount to granular mount hooks
>   lsm: Remove security_sb_mount and security_move_mount