update
ClosedPublic
Actions

Authored by kevans on Mar 1 2026, 5:34 AM.

Details

Reviewers

olce
kib

Commits

rG0faa88f26c23: kern: vfs: add MAC checks for mount/unmount/update

Summary

The unmount check is straightforward and only really needs the
struct mount.

The mount check offers as much information as I think might be of
interest to a MAC policy: the vnode to be mounted on, vfsconf, and
applicable mount options. XNU also has a later version that just takes
a struct mount for everything that VFS_MOUNT() has to offer, but my
draft policy doesn't need any of that. It also doesn't really need the
unmount check, but it seems reasonable to add it while I'm here.

The update check similarly passes the flags/options for the operation,
along with the struct mount and label.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kevans created this revision.Mar 1 2026, 5:34 AM

Herald added a subscriber: imp. · View Herald TranscriptMar 1 2026, 5:34 AM

kevans requested review of this revision.Mar 1 2026, 5:34 AM

Harbormaster completed remote builds in B71108: Diff 172958.Mar 1 2026, 5:34 AM

My draft policy that uses 2/3 is here: https://git.kevans.dev/kevans/mac_capsule/src/branch/main/mac_capsule.c -- my capsule implementation tries to prevent its parent from gaining visibility or operating in an active capsule's fs. This is somewhat effective because the capsule also can't be removed, so tampering with its fs means you'll need to catch it in the window between system startup and capsule startup, however narrow or wide that may be, or have physical access.

Edit: upon reflection, I guess I need to do something to prevent unmount, too, since that doesn't require the caller to be able to lookup the mountpoint. Admittedly, I'm not yet sure how best to implement that in my policy unless I force capsule roots to be mountpoints (then traverse upward along mp->mnt_vnodecovered and stop if I hit a capsule mount)