1 files changed, 11 insertions, 1 deletions

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index ed9b4d0f9f7e..8c558cbce930 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile,
         AA_BUG(!mntpath);
         AA_BUG(!buffer);
 
+        if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+                return 0;
+
         error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
                              &mntpnt, &info, profile->disconnected);
         if (error)
@@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path,
         AA_BUG(!profile);
         AA_BUG(devpath && !devbuffer);
 
+        if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+                return 0;
+
         if (devpath) {
                 error = aa_path_name(devpath, path_flags(profile, devpath),
                                      devbuffer, &devname, &info,
@@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path,
         AA_BUG(!profile);
         AA_BUG(!path);
 
+        if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+                return 0;
+
         error = aa_path_name(path, path_flags(profile, path), buffer, &name,
                              &info, profile->disconnected);
         if (error)
@@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
         AA_BUG(!new_path);
         AA_BUG(!old_path);
 
-        if (profile_unconfined(profile))
+        if (profile_unconfined(profile) ||
+            !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
                 return aa_get_newest_label(&profile->label);
 
         error = aa_path_name(old_path, path_flags(profile, old_path),