
mount

Intro

mount - Call the mount() system call to mount a filesystem

Description

The mount() system call attaches the filesystem specified by source (often a device name, but it can also be a directory name or another kind of source) to the directory specified by the target argument. The filesystemtype argument names the filesystem type. Flags that control the behavior of the mount operation are passed in mountflags, and additional data about the mount is passed in the data argument.

The mount() system call is used by system administrators and users to control the mounting of filesystems. It allows users to modify the filesystem tree without needing root privileges, for example to mount a CD-ROM. It can be used to mount remote filesystems from another machine (e.g., NFS shares) as well as filesystems on the local system.

Once a filesystem is mounted, all the data it contains becomes accessible. It is therefore important to use the appropriate mount flags so that the right levels of security and access are applied to the filesystem.

Arguments

  • source:const char*[K] - The pathname or device-name of the filesystem that is to be mounted.
  • target:const char*[K] - The directory where the filesystem is to be mounted.
  • filesystemtype:const char*[K] - The name of the filesystem type, such as "ext4" or "btrfs".
  • mountflags:unsigned long[K] - The mount flags to control the behavior of the mount command.
  • data:const void*[K] - Data about the mount, such as the desired mount options and device type.
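As an added example (not part of this page or the Tracee project's code), the C program below assembles the five mount() arguments listed above for a hardened tmpfs mount and decodes a mountflags word the way an analyst reviewing mount events might, reporting which of the MS_NOSUID, MS_NODEV and MS_NOEXEC bits a mount is missing. The target path /mnt/scratch, the option string and the subset of MS_* flags in the table are assumptions; it builds on Linux only.

```c
/* Added example, not Tracee's own code: decode the mountflags word a mount
 * event reports, list missing hardening bits, and assemble the five mount()
 * arguments described above for a hardened tmpfs mount (Linux only). */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>               /* MS_* constants and mount(2) */
/* Subset of the MS_* flags that matter most when reviewing mount events. */
static const struct { unsigned long bit; const char *name; } MOUNT_FLAGS[] = {
    { MS_RDONLY, "MS_RDONLY" },   { MS_NOSUID, "MS_NOSUID" },
    { MS_NODEV, "MS_NODEV" },     { MS_NOEXEC, "MS_NOEXEC" },
    { MS_REMOUNT, "MS_REMOUNT" }, { MS_BIND, "MS_BIND" },
    { MS_REC, "MS_REC" },         { MS_RELATIME, "MS_RELATIME" },
};
/* Bits a scratch or removable-media mount should carry (see Description). */
#define HARDENING_FLAGS (MS_NOSUID | MS_NODEV | MS_NOEXEC)

/* Render flags as "MS_NOSUID|MS_NODEV"; bits not in the table are appended
 * as hex, and 0 renders as "0x0". Uses a static buffer, so not reentrant. */
static const char *decode_mount_flags(unsigned long flags)
{
    static char buf[256]; size_t n = 0, i;
    for (i = 0; i < sizeof MOUNT_FLAGS / sizeof MOUNT_FLAGS[0]; i++)
        if (flags & MOUNT_FLAGS[i].bit) {
            n += snprintf(buf + n, sizeof buf - n, "%s%s", n ? "|" : "",
                          MOUNT_FLAGS[i].name);
            flags &= ~MOUNT_FLAGS[i].bit;
        }
    if (flags || n == 0)             /* unknown bits left, or nothing set */
        snprintf(buf + n, sizeof buf - n, "%s0x%lx", n ? "|" : "", flags);
    return buf;
}

/* Return the hardening bits absent from flags; 0 means all three are set. */
static unsigned long missing_hardening_flags(unsigned long flags)
{
    return HARDENING_FLAGS & ~flags;
}

int main(void)
{
    /* The five mount() arguments from the page; the target path is assumed. */
    const char *source = "tmpfs", *target = "/mnt/scratch", *fstype = "tmpfs";
    unsigned long mountflags = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    const char *data = "size=64m,mode=0700";   /* fs-specific option string */
    printf("mountflags=%s\n", decode_mount_flags(mountflags));
    printf("missing=%s\n", decode_mount_flags(missing_hardening_flags(mountflags)));
    if (mount(source, target, fstype, mountflags, data) != 0)
        perror("mount");             /* EPERM unless run with CAP_SYS_ADMIN */
    return 0;
}
```

Without CAP_SYS_ADMIN the real mount() call fails with EPERM, which is itself a useful reminder that the syscall the hooks above observe is a privileged operation.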

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, obtained through a pointer to user-space memory)
  • TOCTOU - Vulnerable to TOCTOU (time-of-check to time-of-use) races
  • OPT - Optional argument - might not always be available (passed as a null value when absent)

Hooks

do_mount()

Type

Kprobes

Purpose

Hooking into the do_mount() function gives us deeper insight into the mount() system call, allowing us to track and inspect the lower-level kernel-space operations that take place during mount.

do_add_mount()

Type

Kprobes

Purpose

Hooking into the do_add_mount() function allows us to monitor the data added to the VFS mount table as a result of the mount() system call.

Example Use Case

Mounting a disk partition or remote filesystem on a running system requires the mount() system call. It is also used to mount a disk partition or a remote filesystem while the system is booting; this can be set up in fstab or manually in the init scripts that run at boot.

Issues

The mount() system call is vulnerable to a time-of-check to time-of-use (TOCTOU) race condition, which can lead to security vulnerabilities.

Related Events

  • umount() - syscall to unmount a filesystem
  • fsconfig() - syscall for querying and configuring a filesystem
  • chroot() - syscall for changing the root directory of the current process

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user read the "events.go" source file to understand the events and their arguments better.