Skip to content

move_mount

Intro

move_mount - move a mount point to a new location

Description

This event is used for moving a mount point from one location to another in a file system. This syscall can be used to move mount points both on the same filesystem or on a different filesystem. When used on a different filesystem, the existing mount and its underlying data will be be preserved. The edge cases to be aware of when using this event are that it is not possible to move mount points across filesystems with different mount namespaces. Also, moving mount points within the same mount namespace may create conflicts, which can cause unexpected behaviour.

Arguments

  • from_dfd:int[K] - file descriptor of a directory, a relative pathname will be used.
  • from_path:const char*[K] - the directory pathname relative to from_dfd.
  • to_dfd:int[K] - file descriptor of a directory, a relative pathname will be used.
  • to_path:const char*[K] - the directory pathname relative to to_dfd.
  • flags:unsigned int[K] - flags that control the mount operation.

Available Tags

  • K - Originated from kernel-space.

Hooks

move_mount

Type

Kprobe + Kretprobe

Purpose

Used to capture the arguments of the move_mount system call

Example Use Case

move_mount can be used to move an existing mount point to a new location in order to increase the space available for a particular file system or to avoid running out of space in a given files system.

Issues

There is no way to separate a mount point and its underlying data when moving it across filesystems, meaning the mount and its underlying data will always be preserved. This could lead to unexpected behavior (i.e. data being accessed from unexpected file locations).

  • mount: used to create a new mount point.
  • pivot_root: used to change the root filesystem of a process and the rest of the system.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.