On Mon, Mar 23, 2026 at 11:12 PM Tetsuo Handa <[email protected]> wrote:
>
> On 2026/03/24 4:31, Song Liu wrote:
> >> Then, how can LSM modules know how the requested filesystem resolves
> >> the dev_name argument, without embedding filesystem-specific resolution
> >> logic into individual LSM modules?
> >
> > IIUC, if an LSM cares about the dev_name of a new mount, it will have to
> > look into each individual filesystem. We can add an LSM hook for the
> > filesystems to call. But this will require changes to individual
> > filesystem code. OTOH, dev_name can probably bridge the gap as we change
> > filesystems.
> >
> > Would this work?
>
> I guess something like the untested diff shown below would work.
I think this doesn't work with erofs on file (requires
CONFIG_EROFS_FS_BACKED_BY_FILE). erofs may not be the only one that has
this problem.

Thanks,
Song

>
>  block/bdev.c               | 26 ++++++++++++++------------
>  fs/fs_context.c            |  4 ++++
>  fs/namespace.c             | 10 ++++++----
>  fs/super.c                 |  2 +-
>  include/linux/blkdev.h     | 12 +++++++++++-
>  include/linux/fs_context.h |  1 +
>  security/tomoyo/mount.c    | 26 ++------------------------
>  security/tomoyo/tomoyo.c   |  2 +-
>  8 files changed, 40 insertions(+), 43 deletions(-)
