1 files changed, 696 insertions, 0 deletions
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
new file mode 100644
index 000000000000..82a64b58041d
--- /dev/null
+++ b/security/apparmor/mount.c
@@ -0,0 +1,696 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor mediation of files
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2017 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/domain.h"
+#include "include/file.h"
+#include "include/match.h"
+#include "include/mount.h"
+#include "include/path.h"
+#include "include/policy.h"
+static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
+{
+        if (flags & MS_RDONLY)
+                audit_log_format(ab, "ro");
+        else
+                audit_log_format(ab, "rw");
+        if (flags & MS_NOSUID)
+                audit_log_format(ab, ", nosuid");
+        if (flags & MS_NODEV)
+                audit_log_format(ab, ", nodev");
+        if (flags & MS_NOEXEC)
+                audit_log_format(ab, ", noexec");
+        if (flags & MS_SYNCHRONOUS)
+                audit_log_format(ab, ", sync");
+        if (flags & MS_REMOUNT)
+                audit_log_format(ab, ", remount");
+        if (flags & MS_MANDLOCK)
+                audit_log_format(ab, ", mand");
+        if (flags & MS_DIRSYNC)
+                audit_log_format(ab, ", dirsync");
+        if (flags & MS_NOATIME)
+                audit_log_format(ab, ", noatime");
+        if (flags & MS_NODIRATIME)
+                audit_log_format(ab, ", nodiratime");
+        if (flags & MS_BIND)
+                audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
+        if (flags & MS_MOVE)
+                audit_log_format(ab, ", move");
+        if (flags & MS_SILENT)
+                audit_log_format(ab, ", silent");
+        if (flags & MS_POSIXACL)
+                audit_log_format(ab, ", acl");
+        if (flags & MS_UNBINDABLE)
+                audit_log_format(ab, flags & MS_REC ? ", runbindable" :
+                                 ", unbindable");
+        if (flags & MS_PRIVATE)
+                audit_log_format(ab, flags & MS_REC ? ", rprivate" :
+                                 ", private");
+        if (flags & MS_SLAVE)
+                audit_log_format(ab, flags & MS_REC ? ", rslave" :
+                                 ", slave");
+        if (flags & MS_SHARED)
+                audit_log_format(ab, flags & MS_REC ? ", rshared" :
+                                 ", shared");
+        if (flags & MS_RELATIME)
+                audit_log_format(ab, ", relatime");
+        if (flags & MS_I_VERSION)
+                audit_log_format(ab, ", iversion");
+        if (flags & MS_STRICTATIME)
+                audit_log_format(ab, ", strictatime");
+        if (flags & MS_NOUSER)
+                audit_log_format(ab, ", nouser");
+}
+/**
+ * audit_cb - call back for mount specific audit fields
+ * @ab: audit_buffer  (NOT NULL)
+ * @va: audit struct to audit values of  (NOT NULL)
+ */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+        struct common_audit_data *sa = va;
+        if (aad(sa)->mnt.type) {
+                audit_log_format(ab, " fstype=");
+                audit_log_untrustedstring(ab, aad(sa)->mnt.type);
+        }
+        if (aad(sa)->mnt.src_name) {
+                audit_log_format(ab, " srcname=");
+                audit_log_untrustedstring(ab, aad(sa)->mnt.src_name);
+        }
+        if (aad(sa)->mnt.trans) {
+                audit_log_format(ab, " trans=");
+                audit_log_untrustedstring(ab, aad(sa)->mnt.trans);
+        }
+        if (aad(sa)->mnt.flags) {
+                audit_log_format(ab, " flags=\"");
+                audit_mnt_flags(ab, aad(sa)->mnt.flags);
+                audit_log_format(ab, "\"");
+        }
+        if (aad(sa)->mnt.data) {
+                audit_log_format(ab, " options=");
+                audit_log_untrustedstring(ab, aad(sa)->mnt.data);
+        }
+}
+/**
+ * audit_mount - handle the auditing of mount operations
+ * @profile: the profile being enforced  (NOT NULL)
+ * @op: operation being mediated (NOT NULL)
+ * @name: name of object being mediated (MAYBE NULL)
+ * @src_name: src_name of object being mediated (MAYBE_NULL)
+ * @type: type of filesystem (MAYBE_NULL)
+ * @trans: name of trans (MAYBE NULL)
+ * @flags: filesystem idependent mount flags
+ * @data: filesystem mount flags
+ * @request: permissions requested
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @info: extra information message (MAYBE NULL)
+ * @error: 0 if operation allowed else failure error code
+ *
+ * Returns: %0 or error on failure
+ */
+static int audit_mount(struct aa_profile *profile, const char *op,
+                       const char *name, const char *src_name,
+                       const char *type, const char *trans,
+                       unsigned long flags, const void *data, u32 request,
+                       struct aa_perms *perms, const char *info, int error)
+{
+        int audit_type = AUDIT_APPARMOR_AUTO;
+        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op);
+        if (likely(!error)) {
+                u32 mask = perms->audit;
+                if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
+                        mask = 0xffff;
+                /* mask off perms that are not being force audited */
+                request &= mask;
+                if (likely(!request))
+                        return 0;
+                audit_type = AUDIT_APPARMOR_AUDIT;
+        } else {
+                /* only report permissions that were denied */
+                request = request & ~perms->allow;
+                if (request & perms->kill)
+                        audit_type = AUDIT_APPARMOR_KILL;
+                /* quiet known rejects, assumes quiet and kill do not overlap */
+                if ((request & perms->quiet) &&
+                    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+                    AUDIT_MODE(profile) != AUDIT_ALL)
+                        request &= ~perms->quiet;
+                if (!request)
+                        return error;
+        }
+        aad(&sa)->name = name;
+        aad(&sa)->mnt.src_name = src_name;
+        aad(&sa)->mnt.type = type;
+        aad(&sa)->mnt.trans = trans;
+        aad(&sa)->mnt.flags = flags;
+        if (data && (perms->audit & AA_AUDIT_DATA))
+                aad(&sa)->mnt.data = data;
+        aad(&sa)->info = info;
+        aad(&sa)->error = error;
+        return aa_audit(audit_type, profile, &sa, audit_cb);
+}
+/**
+ * match_mnt_flags - Do an ordered match on mount flags
+ * @dfa: dfa to match against
+ * @state: state to start in
+ * @flags: mount flags to match against
+ *
+ * Mount flags are encoded as an ordered match. This is done instead of
+ * checking against a simple bitmask, to allow for logical operations
+ * on the flags.
+ *
+ * Returns: next state after flags match
+ */
+static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+                                    unsigned long flags)
+{
+        unsigned int i;
+        for (i = 0; i <= 31 ; ++i) {
+                if ((1 << i) & flags)
+                        state = aa_dfa_next(dfa, state, i + 1);
+        }
+        return state;
+}
+/**
+ * compute_mnt_perms - compute mount permission associated with @state
+ * @dfa: dfa to match against (NOT NULL)
+ * @state: state match finished in
+ *
+ * Returns: mount permissions
+ */
+static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa,
+                                           unsigned int state)
+{
+        struct aa_perms perms;
+        perms.kill = 0;
+        perms.allow = dfa_user_allow(dfa, state);
+        perms.audit = dfa_user_audit(dfa, state);
+        perms.quiet = dfa_user_quiet(dfa, state);
+        perms.xindex = dfa_user_xindex(dfa, state);
+        return perms;
+}
+static const char * const mnt_info_table[] = {
+        "match succeeded",
+        "failed mntpnt match",
+        "failed srcname match",
+        "failed type match",
+        "failed flags match",
+        "failed data match"
+};
+/*
+ * Returns 0 on success else element that match failed in, this is the
+ * index into the mnt_info_table above
+ */
+static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
+                        const char *mntpnt, const char *devname,
+                        const char *type, unsigned long flags,
+                        void *data, bool binary, struct aa_perms *perms)
+{
+        unsigned int state;
+        AA_BUG(!dfa);
+        AA_BUG(!perms);
+        state = aa_dfa_match(dfa, start, mntpnt);
+        state = aa_dfa_null_transition(dfa, state);
+        if (!state)
+                return 1;
+        if (devname)
+                state = aa_dfa_match(dfa, state, devname);
+        state = aa_dfa_null_transition(dfa, state);
+        if (!state)
+                return 2;
+        if (type)
+                state = aa_dfa_match(dfa, state, type);
+        state = aa_dfa_null_transition(dfa, state);
+        if (!state)
+                return 3;
+        state = match_mnt_flags(dfa, state, flags);
+        if (!state)
+                return 4;
+        *perms = compute_mnt_perms(dfa, state);
+        if (perms->allow & AA_MAY_MOUNT)
+                return 0;
+        /* only match data if not binary and the DFA flags data is expected */
+        if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
+                state = aa_dfa_null_transition(dfa, state);
+                if (!state)
+                        return 4;
+                state = aa_dfa_match(dfa, state, data);
+                if (!state)
+                        return 5;
+                *perms = compute_mnt_perms(dfa, state);
+                if (perms->allow & AA_MAY_MOUNT)
+                        return 0;
+        }
+        /* failed at end of flags match */
+        return 4;
+}
+static int path_flags(struct aa_profile *profile, const struct path *path)
+{
+        AA_BUG(!profile);
+        AA_BUG(!path);
+        return profile->path_flags |
+                (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
+}
+/**
+ * match_mnt_path_str - handle path matching for mount
+ * @profile: the confining profile
+ * @mntpath: for the mntpnt (NOT NULL)
+ * @buffer: buffer to be used to lookup mntpath
+ * @devnme: string for the devname/src_name (MAY BE NULL OR ERRPTR)
+ * @type: string for the dev type (MAYBE NULL)
+ * @flags: mount flags to match
+ * @data: fs mount data (MAYBE NULL)
+ * @binary: whether @data is binary
+ * @devinfo: error str if (IS_ERR(@devname))
+ *
+ * Returns: 0 on success else error
+ */
+static int match_mnt_path_str(struct aa_profile *profile,
+                              const struct path *mntpath, char *buffer,
+                              const char *devname, const char *type,
+                              unsigned long flags, void *data, bool binary,
+                              const char *devinfo)
+{
+        struct aa_perms perms = { };
+        const char *mntpnt = NULL, *info = NULL;
+        int pos, error;
+        AA_BUG(!profile);
+        AA_BUG(!mntpath);
+        AA_BUG(!buffer);
+        error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
+                             &mntpnt, &info, profile->disconnected);
+        if (error)
+                goto audit;
+        if (IS_ERR(devname)) {
+                error = PTR_ERR(devname);
+                devname = NULL;
+                info = devinfo;
+                goto audit;
+        }
+        error = -EACCES;
+        pos = do_match_mnt(profile->policy.dfa,
+                           profile->policy.start[AA_CLASS_MOUNT],
+                           mntpnt, devname, type, flags, data, binary, &perms);
+        if (pos) {
+                info = mnt_info_table[pos];
+                goto audit;
+        }
+        error = 0;
+audit:
+        return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL,
+                           flags, data, AA_MAY_MOUNT, &perms, info, error);
+}
+/**
+ * match_mnt - handle path matching for mount
+ * @profile: the confining profile
+ * @mntpath: for the mntpnt (NOT NULL)
+ * @buffer: buffer to be used to lookup mntpath
+ * @devpath: path devname/src_name (MAYBE NULL)
+ * @devbuffer: buffer to be used to lookup devname/src_name
+ * @type: string for the dev type (MAYBE NULL)
+ * @flags: mount flags to match
+ * @data: fs mount data (MAYBE NULL)
+ * @binary: whether @data is binary
+ *
+ * Returns: 0 on success else error
+ */
+static int match_mnt(struct aa_profile *profile, const struct path *path,
+                     char *buffer, struct path *devpath, char *devbuffer,
+                     const char *type, unsigned long flags, void *data,
+                     bool binary)
+{
+        const char *devname = NULL, *info = NULL;
+        int error = -EACCES;
+        AA_BUG(!profile);
+        AA_BUG(devpath && !devbuffer);
+        if (devpath) {
+                error = aa_path_name(devpath, path_flags(profile, devpath),
+                                     devbuffer, &devname, &info,
+                                     profile->disconnected);
+                if (error)
+                        devname = ERR_PTR(error);
+        }
+        return match_mnt_path_str(profile, path, buffer, devname, type, flags,
+                                  data, binary, info);
+}
+int aa_remount(struct aa_label *label, const struct path *path,
+               unsigned long flags, void *data)
+{
+        struct aa_profile *profile;
+        char *buffer = NULL;
+        bool binary;
+        int error;
+        AA_BUG(!label);
+        AA_BUG(!path);
+        binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
+        get_buffers(buffer);
+        error = fn_for_each_confined(label, profile,
+                        match_mnt(profile, path, buffer, NULL, NULL, NULL,
+                                  flags, data, binary));
+        put_buffers(buffer);
+        return error;
+}
+int aa_bind_mount(struct aa_label *label, const struct path *path,
+                  const char *dev_name, unsigned long flags)
+{
+        struct aa_profile *profile;
+        char *buffer = NULL, *old_buffer = NULL;
+        struct path old_path;
+        int error;
+        AA_BUG(!label);
+        AA_BUG(!path);
+        if (!dev_name || !*dev_name)
+                return -EINVAL;
+        flags &= MS_REC | MS_BIND;
+        error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
+        if (error)
+                return error;
+        get_buffers(buffer, old_buffer);
+        error = fn_for_each_confined(label, profile,
+                        match_mnt(profile, path, buffer, &old_path, old_buffer,
+                                  NULL, flags, NULL, false));
+        put_buffers(buffer, old_buffer);
+        path_put(&old_path);
+        return error;
+}
+int aa_mount_change_type(struct aa_label *label, const struct path *path,
+                         unsigned long flags)
+{
+        struct aa_profile *profile;
+        char *buffer = NULL;
+        int error;
+        AA_BUG(!label);
+        AA_BUG(!path);
+        /* These are the flags allowed by do_change_type() */
+        flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
+                  MS_UNBINDABLE);
+        get_buffers(buffer);
+        error = fn_for_each_confined(label, profile,
+                        match_mnt(profile, path, buffer, NULL, NULL, NULL,
+                                  flags, NULL, false));
+        put_buffers(buffer);
+        return error;
+}
+int aa_move_mount(struct aa_label *label, const struct path *path,
+                  const char *orig_name)
+{
+        struct aa_profile *profile;
+        char *buffer = NULL, *old_buffer = NULL;
+        struct path old_path;
+        int error;
+        AA_BUG(!label);
+        AA_BUG(!path);
+        if (!orig_name || !*orig_name)
+                return -EINVAL;
+        error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
+        if (error)
+                return error;
+        get_buffers(buffer, old_buffer);
+        error = fn_for_each_confined(label, profile,
+                        match_mnt(profile, path, buffer, &old_path, old_buffer,
+                                  NULL, MS_MOVE, NULL, false));
+        put_buffers(buffer, old_buffer);
+        path_put(&old_path);
+        return error;
+}
+int aa_new_mount(struct aa_label *label, const char *dev_name,
+                 const struct path *path, const char *type, unsigned long flags,
+                 void *data)
+{
+        struct aa_profile *profile;
+        char *buffer = NULL, *dev_buffer = NULL;
+        bool binary = true;
+        int error;
+        int requires_dev = 0;
+        struct path tmp_path, *dev_path = NULL;
+        AA_BUG(!label);
+        AA_BUG(!path);
+        if (type) {
+                struct file_system_type *fstype;
+                fstype = get_fs_type(type);
+                if (!fstype)
+                        return -ENODEV;
+                binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
+                requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
+                put_filesystem(fstype);
+                if (requires_dev) {
+                        if (!dev_name || !*dev_name)
+                                return -ENOENT;
+                        error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
+                        if (error)
+                                return error;
+                        dev_path = &tmp_path;
+                }
+        }
+        get_buffers(buffer, dev_buffer);
+        if (dev_path) {
+                error = fn_for_each_confined(label, profile,
+                        match_mnt(profile, path, buffer, dev_path, dev_buffer,
+                                  type, flags, data, binary));
+        } else {
+                error = fn_for_each_confined(label, profile,
+                        match_mnt_path_str(profile, path, buffer, dev_name,
+                                           type, flags, data, binary, NULL));
+        }
+        put_buffers(buffer, dev_buffer);
+        if (dev_path)
+                path_put(dev_path);
+        return error;
+}
+static int profile_umount(struct aa_profile *profile, struct path *path,
+                          char *buffer)
+{
+        struct aa_perms perms = { };
+        const char *name = NULL, *info = NULL;
+        unsigned int state;
+        int error;
+        AA_BUG(!profile);
+        AA_BUG(!path);
+        error = aa_path_name(path, path_flags(profile, path), buffer, &name,
+                             &info, profile->disconnected);
+        if (error)
+                goto audit;
+        state = aa_dfa_match(profile->policy.dfa,
+                             profile->policy.start[AA_CLASS_MOUNT],
+                             name);
+        perms = compute_mnt_perms(profile->policy.dfa, state);
+        if (AA_MAY_UMOUNT & ~perms.allow)
+                error = -EACCES;
+audit:
+        return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL,
+                           AA_MAY_UMOUNT, &perms, info, error);
+}
+int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
+{
+        struct aa_profile *profile;
+        char *buffer = NULL;
+        int error;
+        struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
+        AA_BUG(!label);
+        AA_BUG(!mnt);
+        get_buffers(buffer);
+        error = fn_for_each_confined(label, profile,
+                        profile_umount(profile, &path, buffer));
+        put_buffers(buffer);
+        return error;
+}
+/* helper fn for transition on pivotroot
+ *
+ * Returns: label for transition or ERR_PTR. Does not return NULL
+ */
+static struct aa_label *build_pivotroot(struct aa_profile *profile,
+                                        const struct path *new_path,
+                                        char *new_buffer,
+                                        const struct path *old_path,
+                                        char *old_buffer)
+{
+        const char *old_name, *new_name = NULL, *info = NULL;
+        const char *trans_name = NULL;
+        struct aa_perms perms = { };
+        unsigned int state;
+        int error;
+        AA_BUG(!profile);
+        AA_BUG(!new_path);
+        AA_BUG(!old_path);
+        if (profile_unconfined(profile))
+                return aa_get_newest_label(&profile->label);
+        error = aa_path_name(old_path, path_flags(profile, old_path),
+                             old_buffer, &old_name, &info,
+                             profile->disconnected);
+        if (error)
+                goto audit;
+        error = aa_path_name(new_path, path_flags(profile, new_path),
+                             new_buffer, &new_name, &info,
+                             profile->disconnected);
+        if (error)
+                goto audit;
+        error = -EACCES;
+        state = aa_dfa_match(profile->policy.dfa,
+                             profile->policy.start[AA_CLASS_MOUNT],
+                             new_name);
+        state = aa_dfa_null_transition(profile->policy.dfa, state);
+        state = aa_dfa_match(profile->policy.dfa, state, old_name);
+        perms = compute_mnt_perms(profile->policy.dfa, state);
+        if (AA_MAY_PIVOTROOT & perms.allow)
+                error = 0;
+audit:
+        error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name,
+                            NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
+                            &perms, info, error);
+        if (error)
+                return ERR_PTR(error);
+        return aa_get_newest_label(&profile->label);
+}
+int aa_pivotroot(struct aa_label *label, const struct path *old_path,
+                 const struct path *new_path)
+{
+        struct aa_profile *profile;
+        struct aa_label *target = NULL;
+        char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
+        int error;
+        AA_BUG(!label);
+        AA_BUG(!old_path);
+        AA_BUG(!new_path);
+        get_buffers(old_buffer, new_buffer);
+        target = fn_label_build(label, profile, GFP_ATOMIC,
+                        build_pivotroot(profile, new_path, new_buffer,
+                                        old_path, old_buffer));
+        if (!target) {
+                info = "label build failed";
+                error = -ENOMEM;
+                goto fail;
+        } else if (!IS_ERR(target)) {
+                error = aa_replace_current_label(target);
+                if (error) {
+                        /* TODO: audit target */
+                        aa_put_label(target);
+                        goto out;
+                }
+        } else
+                /* already audited error */
+                error = PTR_ERR(target);
+out:
+        put_buffers(old_buffer, new_buffer);
+        return error;
+fail:
+        /* TODO: add back in auditing of new_name and old_name */
+        error = fn_for_each(label, profile,
+                        audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */,
+                                    NULL /* old_name */,
+                                    NULL, NULL,
+                                    0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
+                                    error));
+        goto out;
+}

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c new file mode 100644 index 000000000000..82a64b58041d --- /dev/null +++ b/security/apparmor/mount.c
@@ -0,0 +1,696 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor mediation of files
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2017 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/fs.h>
	16	#include <linux/mount.h>
	17	#include <linux/namei.h>
	18
	19	#include "include/apparmor.h"
	20	#include "include/audit.h"
	21	#include "include/context.h"
	22	#include "include/domain.h"
	23	#include "include/file.h"
	24	#include "include/match.h"
	25	#include "include/mount.h"
	26	#include "include/path.h"
	27	#include "include/policy.h"
	28
	29
	30	static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
	31	{
	32	if (flags & MS_RDONLY)
	33	audit_log_format(ab, "ro");
	34	else
	35	audit_log_format(ab, "rw");
	36	if (flags & MS_NOSUID)
	37	audit_log_format(ab, ", nosuid");
	38	if (flags & MS_NODEV)
	39	audit_log_format(ab, ", nodev");
	40	if (flags & MS_NOEXEC)
	41	audit_log_format(ab, ", noexec");
	42	if (flags & MS_SYNCHRONOUS)
	43	audit_log_format(ab, ", sync");
	44	if (flags & MS_REMOUNT)
	45	audit_log_format(ab, ", remount");
	46	if (flags & MS_MANDLOCK)
	47	audit_log_format(ab, ", mand");
	48	if (flags & MS_DIRSYNC)
	49	audit_log_format(ab, ", dirsync");
	50	if (flags & MS_NOATIME)
	51	audit_log_format(ab, ", noatime");
	52	if (flags & MS_NODIRATIME)
	53	audit_log_format(ab, ", nodiratime");
	54	if (flags & MS_BIND)
	55	audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
	56	if (flags & MS_MOVE)
	57	audit_log_format(ab, ", move");
	58	if (flags & MS_SILENT)
	59	audit_log_format(ab, ", silent");
	60	if (flags & MS_POSIXACL)
	61	audit_log_format(ab, ", acl");
	62	if (flags & MS_UNBINDABLE)
	63	audit_log_format(ab, flags & MS_REC ? ", runbindable" :
	64	", unbindable");
	65	if (flags & MS_PRIVATE)
	66	audit_log_format(ab, flags & MS_REC ? ", rprivate" :
	67	", private");
	68	if (flags & MS_SLAVE)
	69	audit_log_format(ab, flags & MS_REC ? ", rslave" :
	70	", slave");
	71	if (flags & MS_SHARED)
	72	audit_log_format(ab, flags & MS_REC ? ", rshared" :
	73	", shared");
	74	if (flags & MS_RELATIME)
	75	audit_log_format(ab, ", relatime");
	76	if (flags & MS_I_VERSION)
	77	audit_log_format(ab, ", iversion");
	78	if (flags & MS_STRICTATIME)
	79	audit_log_format(ab, ", strictatime");
	80	if (flags & MS_NOUSER)
	81	audit_log_format(ab, ", nouser");
	82	}
	83
	84	/**
	85	* audit_cb - call back for mount specific audit fields
	86	* @ab: audit_buffer (NOT NULL)
	87	* @va: audit struct to audit values of (NOT NULL)
	88	*/
	89	static void audit_cb(struct audit_buffer ab, void va)
	90	{
	91	struct common_audit_data *sa = va;
	92
	93	if (aad(sa)->mnt.type) {
	94	audit_log_format(ab, " fstype=");
	95	audit_log_untrustedstring(ab, aad(sa)->mnt.type);
	96	}
	97	if (aad(sa)->mnt.src_name) {
	98	audit_log_format(ab, " srcname=");
	99	audit_log_untrustedstring(ab, aad(sa)->mnt.src_name);
	100	}
	101	if (aad(sa)->mnt.trans) {
	102	audit_log_format(ab, " trans=");
	103	audit_log_untrustedstring(ab, aad(sa)->mnt.trans);
	104	}
	105	if (aad(sa)->mnt.flags) {
	106	audit_log_format(ab, " flags=\"");
	107	audit_mnt_flags(ab, aad(sa)->mnt.flags);
	108	audit_log_format(ab, "\"");
	109	}
	110	if (aad(sa)->mnt.data) {
	111	audit_log_format(ab, " options=");
	112	audit_log_untrustedstring(ab, aad(sa)->mnt.data);
	113	}
	114	}
	115
	116	/**
	117	* audit_mount - handle the auditing of mount operations
	118	* @profile: the profile being enforced (NOT NULL)
	119	* @op: operation being mediated (NOT NULL)
	120	* @name: name of object being mediated (MAYBE NULL)
	121	* @src_name: src_name of object being mediated (MAYBE_NULL)
	122	* @type: type of filesystem (MAYBE_NULL)
	123	* @trans: name of trans (MAYBE NULL)
	124	* @flags: filesystem idependent mount flags
	125	* @data: filesystem mount flags
	126	* @request: permissions requested
	127	* @perms: the permissions computed for the request (NOT NULL)
	128	* @info: extra information message (MAYBE NULL)
	129	* @error: 0 if operation allowed else failure error code
	130	*
	131	* Returns: %0 or error on failure
	132	*/
	133	static int audit_mount(struct aa_profile profile, const char op,
	134	const char name, const char src_name,
	135	const char type, const char trans,
	136	unsigned long flags, const void *data, u32 request,
	137	struct aa_perms perms, const char info, int error)
	138	{
	139	int audit_type = AUDIT_APPARMOR_AUTO;
	140	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op);
	141
	142	if (likely(!error)) {
	143	u32 mask = perms->audit;
	144
	145	if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
	146	mask = 0xffff;
	147
	148	/* mask off perms that are not being force audited */
	149	request &= mask;
	150
	151	if (likely(!request))
	152	return 0;
	153	audit_type = AUDIT_APPARMOR_AUDIT;
	154	} else {
	155	/* only report permissions that were denied */
	156	request = request & ~perms->allow;
	157
	158	if (request & perms->kill)
	159	audit_type = AUDIT_APPARMOR_KILL;
	160
	161	/* quiet known rejects, assumes quiet and kill do not overlap */
	162	if ((request & perms->quiet) &&
	163	AUDIT_MODE(profile) != AUDIT_NOQUIET &&
	164	AUDIT_MODE(profile) != AUDIT_ALL)
	165	request &= ~perms->quiet;
	166
	167	if (!request)
	168	return error;
	169	}
	170
	171	aad(&sa)->name = name;
	172	aad(&sa)->mnt.src_name = src_name;
	173	aad(&sa)->mnt.type = type;
	174	aad(&sa)->mnt.trans = trans;
	175	aad(&sa)->mnt.flags = flags;
	176	if (data && (perms->audit & AA_AUDIT_DATA))
	177	aad(&sa)->mnt.data = data;
	178	aad(&sa)->info = info;
	179	aad(&sa)->error = error;
	180
	181	return aa_audit(audit_type, profile, &sa, audit_cb);
	182	}
	183
	184	/**
	185	* match_mnt_flags - Do an ordered match on mount flags
	186	* @dfa: dfa to match against
	187	* @state: state to start in
	188	* @flags: mount flags to match against
	189	*
	190	* Mount flags are encoded as an ordered match. This is done instead of
	191	* checking against a simple bitmask, to allow for logical operations
	192	* on the flags.
	193	*
	194	* Returns: next state after flags match
	195	*/
	196	static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
	197	unsigned long flags)
	198	{
	199	unsigned int i;
	200
	201	for (i = 0; i <= 31 ; ++i) {
	202	if ((1 << i) & flags)
	203	state = aa_dfa_next(dfa, state, i + 1);
	204	}
	205
	206	return state;
	207	}
	208
	209	/**
	210	* compute_mnt_perms - compute mount permission associated with @state
	211	* @dfa: dfa to match against (NOT NULL)
	212	* @state: state match finished in
	213	*
	214	* Returns: mount permissions
	215	*/
	216	static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa,
	217	unsigned int state)
	218	{
	219	struct aa_perms perms;
	220
	221	perms.kill = 0;
	222	perms.allow = dfa_user_allow(dfa, state);
	223	perms.audit = dfa_user_audit(dfa, state);
	224	perms.quiet = dfa_user_quiet(dfa, state);
	225	perms.xindex = dfa_user_xindex(dfa, state);
	226
	227	return perms;
	228	}
	229
	230	static const char * const mnt_info_table[] = {
	231	"match succeeded",
	232	"failed mntpnt match",
	233	"failed srcname match",
	234	"failed type match",
	235	"failed flags match",
	236	"failed data match"
	237	};
	238
	239	/*
	240	* Returns 0 on success else element that match failed in, this is the
	241	* index into the mnt_info_table above
	242	*/
	243	static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
	244	const char mntpnt, const char devname,
	245	const char *type, unsigned long flags,
	246	void data, bool binary, struct aa_perms perms)
	247	{
	248	unsigned int state;
	249
	250	AA_BUG(!dfa);
	251	AA_BUG(!perms);
	252
	253	state = aa_dfa_match(dfa, start, mntpnt);
	254	state = aa_dfa_null_transition(dfa, state);
	255	if (!state)
	256	return 1;
	257
	258	if (devname)
	259	state = aa_dfa_match(dfa, state, devname);
	260	state = aa_dfa_null_transition(dfa, state);
	261	if (!state)
	262	return 2;
	263
	264	if (type)
	265	state = aa_dfa_match(dfa, state, type);
	266	state = aa_dfa_null_transition(dfa, state);
	267	if (!state)
	268	return 3;
	269
	270	state = match_mnt_flags(dfa, state, flags);
	271	if (!state)
	272	return 4;
	273	*perms = compute_mnt_perms(dfa, state);
	274	if (perms->allow & AA_MAY_MOUNT)
	275	return 0;
	276
	277	/* only match data if not binary and the DFA flags data is expected */
	278	if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
	279	state = aa_dfa_null_transition(dfa, state);
	280	if (!state)
	281	return 4;
	282
	283	state = aa_dfa_match(dfa, state, data);
	284	if (!state)
	285	return 5;
	286	*perms = compute_mnt_perms(dfa, state);
	287	if (perms->allow & AA_MAY_MOUNT)
	288	return 0;
	289	}
	290
	291	/* failed at end of flags match */
	292	return 4;
	293	}
	294
	295
	296	static int path_flags(struct aa_profile profile, const struct path path)
	297	{
	298	AA_BUG(!profile);
	299	AA_BUG(!path);
	300
	301	return profile->path_flags \|
	302	(S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
	303	}
	304
	305	/**
	306	* match_mnt_path_str - handle path matching for mount
	307	* @profile: the confining profile
	308	* @mntpath: for the mntpnt (NOT NULL)
	309	* @buffer: buffer to be used to lookup mntpath
	310	* @devnme: string for the devname/src_name (MAY BE NULL OR ERRPTR)
	311	* @type: string for the dev type (MAYBE NULL)
	312	* @flags: mount flags to match
	313	* @data: fs mount data (MAYBE NULL)
	314	* @binary: whether @data is binary
	315	* @devinfo: error str if (IS_ERR(@devname))
	316	*
	317	* Returns: 0 on success else error
	318	*/
	319	static int match_mnt_path_str(struct aa_profile *profile,
	320	const struct path mntpath, char buffer,
	321	const char devname, const char type,
	322	unsigned long flags, void *data, bool binary,
	323	const char *devinfo)
	324	{
	325	struct aa_perms perms = { };
	326	const char mntpnt = NULL, info = NULL;
	327	int pos, error;
	328
	329	AA_BUG(!profile);
	330	AA_BUG(!mntpath);
	331	AA_BUG(!buffer);
	332
	333	error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
	334	&mntpnt, &info, profile->disconnected);
	335	if (error)
	336	goto audit;
	337	if (IS_ERR(devname)) {
	338	error = PTR_ERR(devname);
	339	devname = NULL;
	340	info = devinfo;
	341	goto audit;
	342	}
	343
	344	error = -EACCES;
	345	pos = do_match_mnt(profile->policy.dfa,
	346	profile->policy.start[AA_CLASS_MOUNT],
	347	mntpnt, devname, type, flags, data, binary, &perms);
	348	if (pos) {
	349	info = mnt_info_table[pos];
	350	goto audit;
	351	}
	352	error = 0;
	353
	354	audit:
	355	return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL,
	356	flags, data, AA_MAY_MOUNT, &perms, info, error);
	357	}
	358
	359	/**
	360	* match_mnt - handle path matching for mount
	361	* @profile: the confining profile
	362	* @mntpath: for the mntpnt (NOT NULL)
	363	* @buffer: buffer to be used to lookup mntpath
	364	* @devpath: path devname/src_name (MAYBE NULL)
	365	* @devbuffer: buffer to be used to lookup devname/src_name
	366	* @type: string for the dev type (MAYBE NULL)
	367	* @flags: mount flags to match
	368	* @data: fs mount data (MAYBE NULL)
	369	* @binary: whether @data is binary
	370	*
	371	* Returns: 0 on success else error
	372	*/
	373	static int match_mnt(struct aa_profile profile, const struct path path,
	374	char buffer, struct path devpath, char *devbuffer,
	375	const char type, unsigned long flags, void data,
	376	bool binary)
	377	{
	378	const char devname = NULL, info = NULL;
	379	int error = -EACCES;
	380
	381	AA_BUG(!profile);
	382	AA_BUG(devpath && !devbuffer);
	383
	384	if (devpath) {
	385	error = aa_path_name(devpath, path_flags(profile, devpath),
	386	devbuffer, &devname, &info,
	387	profile->disconnected);
	388	if (error)
	389	devname = ERR_PTR(error);
	390	}
	391
	392	return match_mnt_path_str(profile, path, buffer, devname, type, flags,
	393	data, binary, info);
	394	}
	395
	396	int aa_remount(struct aa_label label, const struct path path,
	397	unsigned long flags, void *data)
	398	{
	399	struct aa_profile *profile;
	400	char *buffer = NULL;
	401	bool binary;
	402	int error;
	403
	404	AA_BUG(!label);
	405	AA_BUG(!path);
	406
	407	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
	408
	409	get_buffers(buffer);
	410	error = fn_for_each_confined(label, profile,
	411	match_mnt(profile, path, buffer, NULL, NULL, NULL,
	412	flags, data, binary));
	413	put_buffers(buffer);
	414
	415	return error;
	416	}
	417
	418	int aa_bind_mount(struct aa_label label, const struct path path,
	419	const char *dev_name, unsigned long flags)
	420	{
	421	struct aa_profile *profile;
	422	char buffer = NULL, old_buffer = NULL;
	423	struct path old_path;
	424	int error;
	425
	426	AA_BUG(!label);
	427	AA_BUG(!path);
	428
	429	if (!dev_name \|\| !*dev_name)
	430	return -EINVAL;
	431
	432	flags &= MS_REC \| MS_BIND;
	433
	434	error = kern_path(dev_name, LOOKUP_FOLLOW\|LOOKUP_AUTOMOUNT, &old_path);
	435	if (error)
	436	return error;
	437
	438	get_buffers(buffer, old_buffer);
	439	error = fn_for_each_confined(label, profile,
	440	match_mnt(profile, path, buffer, &old_path, old_buffer,
	441	NULL, flags, NULL, false));
	442	put_buffers(buffer, old_buffer);
	443	path_put(&old_path);
	444
	445	return error;
	446	}
	447
	448	int aa_mount_change_type(struct aa_label label, const struct path path,
	449	unsigned long flags)
	450	{
	451	struct aa_profile *profile;
	452	char *buffer = NULL;
	453	int error;
	454
	455	AA_BUG(!label);
	456	AA_BUG(!path);
	457
	458	/* These are the flags allowed by do_change_type() */
	459	flags &= (MS_REC \| MS_SILENT \| MS_SHARED \| MS_PRIVATE \| MS_SLAVE \|
	460	MS_UNBINDABLE);
	461
	462	get_buffers(buffer);
	463	error = fn_for_each_confined(label, profile,
	464	match_mnt(profile, path, buffer, NULL, NULL, NULL,
	465	flags, NULL, false));
	466	put_buffers(buffer);
	467
	468	return error;
	469	}
	470
	471	int aa_move_mount(struct aa_label label, const struct path path,
	472	const char *orig_name)
	473	{
	474	struct aa_profile *profile;
	475	char buffer = NULL, old_buffer = NULL;
	476	struct path old_path;
	477	int error;
	478
	479	AA_BUG(!label);
	480	AA_BUG(!path);
	481
	482	if (!orig_name \|\| !*orig_name)
	483	return -EINVAL;
	484
	485	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
	486	if (error)
	487	return error;
	488
	489	get_buffers(buffer, old_buffer);
	490	error = fn_for_each_confined(label, profile,
	491	match_mnt(profile, path, buffer, &old_path, old_buffer,
	492	NULL, MS_MOVE, NULL, false));
	493	put_buffers(buffer, old_buffer);
	494	path_put(&old_path);
	495
	496	return error;
	497	}
	498
	499	int aa_new_mount(struct aa_label label, const char dev_name,
	500	const struct path path, const char type, unsigned long flags,
	501	void *data)
	502	{
	503	struct aa_profile *profile;
	504	char buffer = NULL, dev_buffer = NULL;
	505	bool binary = true;
	506	int error;
	507	int requires_dev = 0;
	508	struct path tmp_path, *dev_path = NULL;
	509
	510	AA_BUG(!label);
	511	AA_BUG(!path);
	512
	513	if (type) {
	514	struct file_system_type *fstype;
	515
	516	fstype = get_fs_type(type);
	517	if (!fstype)
	518	return -ENODEV;
	519	binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
	520	requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
	521	put_filesystem(fstype);
	522
	523	if (requires_dev) {
	524	if (!dev_name \|\| !*dev_name)
	525	return -ENOENT;
	526
	527	error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
	528	if (error)
	529	return error;
	530	dev_path = &tmp_path;
	531	}
	532	}
	533
	534	get_buffers(buffer, dev_buffer);
	535	if (dev_path) {
	536	error = fn_for_each_confined(label, profile,
	537	match_mnt(profile, path, buffer, dev_path, dev_buffer,
	538	type, flags, data, binary));
	539	} else {
	540	error = fn_for_each_confined(label, profile,
	541	match_mnt_path_str(profile, path, buffer, dev_name,
	542	type, flags, data, binary, NULL));
	543	}
	544	put_buffers(buffer, dev_buffer);
	545	if (dev_path)
	546	path_put(dev_path);
	547
	548	return error;
	549	}
	550
	551	static int profile_umount(struct aa_profile profile, struct path path,
	552	char *buffer)
	553	{
	554	struct aa_perms perms = { };
	555	const char name = NULL, info = NULL;
	556	unsigned int state;
	557	int error;
	558
	559	AA_BUG(!profile);
	560	AA_BUG(!path);
	561
	562	error = aa_path_name(path, path_flags(profile, path), buffer, &name,
	563	&info, profile->disconnected);
	564	if (error)
	565	goto audit;
	566
	567	state = aa_dfa_match(profile->policy.dfa,
	568	profile->policy.start[AA_CLASS_MOUNT],
	569	name);
	570	perms = compute_mnt_perms(profile->policy.dfa, state);
	571	if (AA_MAY_UMOUNT & ~perms.allow)
	572	error = -EACCES;
	573
	574	audit:
	575	return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL,
	576	AA_MAY_UMOUNT, &perms, info, error);
	577	}
	578
	579	int aa_umount(struct aa_label label, struct vfsmount mnt, int flags)
	580	{
	581	struct aa_profile *profile;
	582	char *buffer = NULL;
	583	int error;
	584	struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
	585
	586	AA_BUG(!label);
	587	AA_BUG(!mnt);
	588
	589	get_buffers(buffer);
	590	error = fn_for_each_confined(label, profile,
	591	profile_umount(profile, &path, buffer));
	592	put_buffers(buffer);
	593
	594	return error;
	595	}
	596
	597	/* helper fn for transition on pivotroot
	598	*
	599	* Returns: label for transition or ERR_PTR. Does not return NULL
	600	*/
	601	static struct aa_label build_pivotroot(struct aa_profile profile,
	602	const struct path *new_path,
	603	char *new_buffer,
	604	const struct path *old_path,
	605	char *old_buffer)
	606	{
	607	const char old_name, new_name = NULL, *info = NULL;
	608	const char *trans_name = NULL;
	609	struct aa_perms perms = { };
	610	unsigned int state;
	611	int error;
	612
	613	AA_BUG(!profile);
	614	AA_BUG(!new_path);
	615	AA_BUG(!old_path);
	616
	617	if (profile_unconfined(profile))
	618	return aa_get_newest_label(&profile->label);
	619
	620	error = aa_path_name(old_path, path_flags(profile, old_path),
	621	old_buffer, &old_name, &info,
	622	profile->disconnected);
	623	if (error)
	624	goto audit;
	625	error = aa_path_name(new_path, path_flags(profile, new_path),
	626	new_buffer, &new_name, &info,
	627	profile->disconnected);
	628	if (error)
	629	goto audit;
	630
	631	error = -EACCES;
	632	state = aa_dfa_match(profile->policy.dfa,
	633	profile->policy.start[AA_CLASS_MOUNT],
	634	new_name);
	635	state = aa_dfa_null_transition(profile->policy.dfa, state);
	636	state = aa_dfa_match(profile->policy.dfa, state, old_name);
	637	perms = compute_mnt_perms(profile->policy.dfa, state);
	638
	639	if (AA_MAY_PIVOTROOT & perms.allow)
	640	error = 0;
	641
	642	audit:
	643	error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name,
	644	NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
	645	&perms, info, error);
	646	if (error)
	647	return ERR_PTR(error);
	648
	649	return aa_get_newest_label(&profile->label);
	650	}
	651
	652	int aa_pivotroot(struct aa_label label, const struct path old_path,
	653	const struct path *new_path)
	654	{
	655	struct aa_profile *profile;
	656	struct aa_label *target = NULL;
	657	char old_buffer = NULL, new_buffer = NULL, *info = NULL;
	658	int error;
	659
	660	AA_BUG(!label);
	661	AA_BUG(!old_path);
	662	AA_BUG(!new_path);
	663
	664	get_buffers(old_buffer, new_buffer);
	665	target = fn_label_build(label, profile, GFP_ATOMIC,
	666	build_pivotroot(profile, new_path, new_buffer,
	667	old_path, old_buffer));
	668	if (!target) {
	669	info = "label build failed";
	670	error = -ENOMEM;
	671	goto fail;
	672	} else if (!IS_ERR(target)) {
	673	error = aa_replace_current_label(target);
	674	if (error) {
	675	/* TODO: audit target */
	676	aa_put_label(target);
	677	goto out;
	678	}
	679	} else
	680	/* already audited error */
	681	error = PTR_ERR(target);
	682	out:
	683	put_buffers(old_buffer, new_buffer);
	684
	685	return error;
	686
	687	fail:
	688	/* TODO: add back in auditing of new_name and old_name */
	689	error = fn_for_each(label, profile,
	690	audit_mount(profile, OP_PIVOTROOT, NULL /new_name /,
	691	NULL /* old_name */,
	692	NULL, NULL,
	693	0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
	694	error));
	695	goto out;
	696	}