
mount_setattr

Intro

mount_setattr - set per-mount attributes on a mount

Description

The system call mount_setattr() (added in Linux 5.12) changes mount-level attributes on the mount identified by dfd and path. The attributes are MOUNT_ATTR_* bits carried in a struct mount_attr: MOUNT_ATTR_RDONLY, MOUNT_ATTR_NOSUID (ignore set-user-ID and set-group-ID bits on executables located on the mount), MOUNT_ATTR_NODEV, MOUNT_ATTR_NOEXEC (refuse to execute programs from the mount), the access-time settings (MOUNT_ATTR_RELATIME, MOUNT_ATTR_NOATIME, MOUNT_ATTR_STRICTATIME, MOUNT_ATTR_NODIRATIME), MOUNT_ATTR_NOSYMFOLLOW and MOUNT_ATTR_IDMAP (ID-mapped mount, using userns_fd). The two of most interest for hardening and for detection are MOUNT_ATTR_NOEXEC and MOUNT_ATTR_NOSUID.

The dfd and path parameters name the mount following the usual openat() convention: path is resolved relative to dfd (AT_FDCWD for the current working directory), or, with AT_EMPTY_PATH in flags and an empty path, dfd itself refers to the mount. The flags parameter accepts AT_EMPTY_PATH, AT_SYMLINK_NOFOLLOW, AT_NO_AUTOMOUNT and AT_RECURSIVE; the last applies the change to every mount in the subtree under the target. The uattr parameter points to a struct mount_attr whose attr_set and attr_clr fields list the attributes to set and to clear (the two must not overlap, otherwise the call fails with EINVAL), whose propagation field optionally changes the propagation type, and whose userns_fd field is used with MOUNT_ATTR_IDMAP. usize is the size of the structure the caller passes, which lets the structure grow in later kernels. Changing attributes requires CAP_SYS_ADMIN in the caller's mount namespace.

Arguments

  • dfd:int[K] - Directory file descriptor that path is resolved against (AT_FDCWD for the current directory, or the mount's own descriptor when AT_EMPTY_PATH is given).
  • path:char*[K] - Path of the mount, relative to dfd (empty with AT_EMPTY_PATH).
  • flags:unsigned int[K] - Lookup flags: AT_EMPTY_PATH, AT_SYMLINK_NOFOLLOW, AT_NO_AUTOMOUNT and AT_RECURSIVE (apply the change to the whole mount subtree).
  • uattr:struct mount_attr*[U, TOCTOU, OPT] - Pointer to a struct mount_attr in user memory: attr_set holds the MOUNT_ATTR_* bits to set, attr_clr the bits to clear (the two must not overlap), propagation the new propagation type (0 leaves it unchanged) and userns_fd the user namespace used for MOUNT_ATTR_IDMAP. The kernel always copies this structure in (copy_struct_from_user()), so a NULL pointer fails with EFAULT; the OPT tag means the value may not always be available to the tracer, not that the syscall accepts NULL.
  • usize:size_t[K, OPT] - Size in bytes of the structure the caller passes. It must be at least the version-0 size (MOUNT_ATTR_SIZE_VER0, 32 bytes); a larger structure from newer headers is accepted only if the extra bytes are zero.
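As an added example (not Tracee's code and not taken from the kernel sources), the following program calls mount_setattr(2) directly through syscall(2) to set MOUNT_ATTR_NOEXEC and MOUNT_ATTR_NOSUID on a mount, and renders the requested bits as the option words that later appear in /proc/self/mountinfo. The structure layout and constant values are the version-0 ABI from <linux/mount.h>, redeclared here under the names mnt_attr_v0 and MNT_ATTR_* so the file also builds against older headers; the helper names mnt_attr_check, mnt_attr_to_str and mnt_harden are this example's own. The syscall itself needs Linux 5.12 or later and CAP_SYS_ADMIN in the caller's mount namespace; the helpers run anywhere.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442   /* same number on every architecture */
#endif
#ifndef AT_RECURSIVE
#define AT_RECURSIVE 0x8000      /* apply to every mount under the path */
#endif

/* Version-0 layout of struct mount_attr (32 bytes), redeclared so the file
 * builds against headers that predate Linux 5.12. */
struct mnt_attr_v0 {
    uint64_t attr_set;     /* MOUNT_ATTR_* bits to set */
    uint64_t attr_clr;     /* MOUNT_ATTR_* bits to clear */
    uint64_t propagation;  /* MS_SHARED/MS_PRIVATE/...; 0 = unchanged */
    uint64_t userns_fd;    /* user namespace fd, only with MOUNT_ATTR_IDMAP */
};

/* Values match MOUNT_ATTR_* in <linux/mount.h>. */
#define MNT_ATTR_RDONLY      0x00000001
#define MNT_ATTR_NOSUID      0x00000002
#define MNT_ATTR_NODEV       0x00000004
#define MNT_ATTR_NOEXEC      0x00000008
#define MNT_ATTR_NODIRATIME  0x00000080
#define MNT_ATTR_NOSYMFOLLOW 0x00200000

/* The kernel rejects a request that both sets and clears the same bit. */
int mnt_attr_check(const struct mnt_attr_v0 *a)
{
    return (a->attr_set & a->attr_clr) ? -EINVAL : 0;
}

/* Render attribute bits as the option words shown in /proc/self/mountinfo.
 * Returns the string length, or -ENAMETOOLONG if buf is too small. */
int mnt_attr_to_str(uint64_t bits, char *buf, size_t len)
{
    static const struct { uint64_t bit; const char *name; } names[] = {
        { MNT_ATTR_RDONLY, "ro" },       { MNT_ATTR_NOSUID, "nosuid" },
        { MNT_ATTR_NODEV, "nodev" },     { MNT_ATTR_NOEXEC, "noexec" },
        { MNT_ATTR_NODIRATIME, "nodiratime" },
        { MNT_ATTR_NOSYMFOLLOW, "nosymfollow" },
    };
    size_t off = 0;
    if (len == 0)
        return -ENAMETOOLONG;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(bits & names[i].bit))
            continue;
        int n = snprintf(buf + off, len - off, "%s%s", off ? "," : "", names[i].name);
        if (n < 0 || (size_t)n >= len - off)
            return -ENAMETOOLONG;
        off += (size_t)n;
    }
    return (int)off;
}

/* Set NOEXEC|NOSUID on the mount at path (whole subtree if recursive).
 * Returns 0 or a negative errno from the kernel. */
int mnt_harden(const char *path, int recursive)
{
    struct mnt_attr_v0 a = { .attr_set = MNT_ATTR_NOEXEC | MNT_ATTR_NOSUID };
    int rc = mnt_attr_check(&a);
    if (rc)
        return rc;
    unsigned int flags = recursive ? AT_RECURSIVE : 0;
    long r = syscall(__NR_mount_setattr, AT_FDCWD, path, flags, &a, sizeof a);
    return r < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <mountpoint> [-r]\n", argv[0]);
        return 2;
    }
    int recursive = argc > 2 && strcmp(argv[2], "-r") == 0;
    char opts[64];
    mnt_attr_to_str(MNT_ATTR_NOEXEC | MNT_ATTR_NOSUID, opts, sizeof opts);
    int rc = mnt_harden(argv[1], recursive);
    if (rc == 0)
        printf("%s: set %s%s\n", argv[1], opts, recursive ? " (recursive)" : "");
    else
        printf("%s: mount_setattr(%s) failed: %s\n", argv[1], opts, strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as root against a mount you can afford to harden, for instance a fresh tmpfs mounted for the test; without CAP_SYS_ADMIN the call fails with EPERM, and on a kernel older than 5.12 with ENOSYS, both reported by the program. The propagation and userns_fd fields are left zero on purpose: zero means "unchanged" for propagation, and userns_fd is only consulted when MOUNT_ATTR_IDMAP is set.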

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_mount_setattr

Type

Kprobe.

Purpose

To monitor mount_setattr syscall activity.

Example Use Case

The mount_setattr system call can be used to set mount-level attributes, such as MOUNT_ATTR_NOEXEC to prevent execution of programs from the mount, or MOUNT_ATTR_NOSUID to ignore the setuid and setgid bits of any files located on the mount. Container runtimes and init systems use it to harden mounts at start-up. The opposite direction is usually the more interesting one for detection: a process clearing these attributes through attr_clr on a mount that was hardened earlier (for example re-enabling execution from a noexec /tmp or /dev/shm), or applying changes recursively with AT_RECURSIVE, is worth flagging.

Issues

The uattr argument is tagged TOCTOU because the tracer reads the struct mount_attr from user memory at the syscall hook, while the kernel copies the structure in separately (copy_struct_from_user()) a little later. The calling process, or another thread sharing its address space, can change attr_set and attr_clr in between, so the attributes recorded by the event are not guaranteed to be the ones the kernel applied. Where the distinction matters, confirm the effective state of the mount from the kernel's own view rather than from the captured structure.

There is no mount_getattr() counterpart for reading the attributes back. The effective attributes of a mount appear in the per-mount options field of /proc/<pid>/mountinfo (for example rw,nosuid,nodev,noexec,relatime) and, on Linux 6.8 and later, in the result of statmount(2).
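The check that follows from the two points above, as an added example (not Tracee's code): read the effective per-mount options back from the kernel's own view, /proc/self/mountinfo, instead of trusting the struct mount_attr captured from user memory. mountinfo_has_opt() parses any mountinfo text using the field order documented in proc(5) (mount ID, parent ID, major:minor, root, mount point, per-mount options, optional fields, a separator, and so on; mount points containing spaces are shown escaped as \040 there and are not unescaped here), and mountinfo_check() applies it to the live file. The sample text is constructed for the example and both function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the comma-separated list [list, list+len) contains opt as a
 * whole word ("exec" does not match "noexec"), else 0. */
static int optlist_has(const char *list, size_t len, const char *opt)
{
    size_t olen = strlen(opt);
    const char *p = list, *end = list + len;
    while (p < end) {
        const char *q = memchr(p, ',', (size_t)(end - p));
        if (!q)
            q = end;
        if ((size_t)(q - p) == olen && memcmp(p, opt, olen) == 0)
            return 1;
        p = q + 1;
    }
    return 0;
}

/* Scan mountinfo text for mountpoint and test its per-mount options
 * (field 6 of each line). Later lines win, because a mount stacked on the
 * same mountpoint hides the earlier one. Returns 1 if the option is present,
 * 0 if absent, -ENOENT if the mountpoint is not listed. */
int mountinfo_has_opt(const char *text, const char *mountpoint, const char *opt)
{
    int result = -ENOENT;
    size_t mlen = strlen(mountpoint);
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *lend = eol ? eol : line + strlen(line);
        /* fields: id parent maj:min root mountpoint options [optional...] - ... */
        const char *f[6];
        size_t fl[6];
        const char *p = line;
        int n = 0;
        while (n < 6 && p < lend) {
            while (p < lend && *p == ' ')
                p++;
            const char *s = p;
            while (p < lend && *p != ' ')
                p++;
            f[n] = s;
            fl[n] = (size_t)(p - s);
            n++;
        }
        if (n == 6 && fl[4] == mlen && memcmp(f[4], mountpoint, mlen) == 0)
            result = optlist_has(f[5], fl[5], opt);
        if (!eol)
            break;
        line = eol + 1;
    }
    return result;
}

/* Same check against the live /proc/self/mountinfo of the calling process. */
int mountinfo_check(const char *mountpoint, const char *opt)
{
    FILE *fp = fopen("/proc/self/mountinfo", "r");
    if (!fp)
        return -errno;
    char *buf = NULL;
    size_t len = 0, got;
    char chunk[4096];
    while ((got = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        char *nb = realloc(buf, len + got + 1);
        if (!nb) {
            free(buf);
            fclose(fp);
            return -ENOMEM;
        }
        buf = nb;
        memcpy(buf + len, chunk, got);
        len += got;
    }
    fclose(fp);
    if (!buf)
        return -ENOENT;
    buf[len] = '\0';
    int r = mountinfo_has_opt(buf, mountpoint, opt);
    free(buf);
    return r;
}

/* Constructed sample, not captured from a real host. */
const char *sample_mountinfo =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "41 22 0:35 / /tmp rw,nosuid,nodev,noexec,relatime shared:20 - tmpfs tmpfs rw\n"
    "55 22 8:2 / /home rw,relatime shared:25 - ext4 /dev/sda2 rw\n";

int main(int argc, char **argv)
{
    const char *mp = argc > 1 ? argv[1] : "/tmp";
    const char *opt = argc > 2 ? argv[2] : "noexec";
    int r = mountinfo_check(mp, opt);
    if (r < 0)
        printf("%s: %s\n", mp, strerror(-r));
    else
        printf("%s: %s is %s\n", mp, opt, r ? "set" : "not set");
    return r < 0 ? 1 : 0;
}
```

Reading /proc/self/mountinfo shows the mount table of the reader's own mount namespace; to verify a mount changed by another process, read /proc/<pid>/mountinfo for that process instead. The file is read in whole before parsing because its length is not known in advance and lines can be long.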

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.