Hi folks, especially SELinux, AppArmor, and Landlock maintainers,

Could you please share your comments on this set? AFAICT, there are no functional changes (other than fixing TOCTOU) to existing LSMs. If there are no issues with these changes, can we land the set in 7.1 kernels?

Thanks,
Song

On Wed, Mar 18, 2026 at 11:44 AM Song Liu <[email protected]> wrote:
[...]
> All existing LSM behaviors are preserved:
> AppArmor: same policy matching, TOCTOU fixed for bind/move
> SELinux: same permission checks (FILE__MOUNTON, FILESYSTEM__REMOUNT)
> Landlock: same deny-all for sandboxed processes
> Tomoyo: same policy matching, TOCTOU fixed for bind/move, unused
> data_page parameter removed
>
>
> This work is inspired by earlier discussions:
>
> [1] https://lore.kernel.org/bpf/[email protected]/
> [2]
> https://lore.kernel.org/linux-security-module/[email protected]/
>
>
> Song Liu (7):
> lsm: Add granular mount hooks to replace security_sb_mount
> apparmor: Remove redundant MS_MGC_MSK stripping in apparmor_sb_mount
> apparmor: Convert from sb_mount to granular mount hooks
> selinux: Convert from sb_mount to granular mount hooks
> landlock: Convert from sb_mount to granular mount hooks
> tomoyo: Convert from sb_mount to granular mount hooks
> lsm: Remove security_sb_mount and security_move_mount
