1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor mediation of files
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2017 Canonical Ltd.
9 */
10
11 #include <linux/fs.h>
12 #include <linux/mount.h>
13 #include <linux/namei.h>
14 #include <uapi/linux/mount.h>
15
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/cred.h"
19 #include "include/domain.h"
20 #include "include/file.h"
21 #include "include/match.h"
22 #include "include/mount.h"
23 #include "include/path.h"
24 #include "include/policy.h"
25
26
audit_mnt_flags(struct audit_buffer * ab,unsigned long flags)27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
28 {
29 if (flags & MS_RDONLY)
30 audit_log_format(ab, "ro");
31 else
32 audit_log_format(ab, "rw");
33 if (flags & MS_NOSUID)
34 audit_log_format(ab, ", nosuid");
35 if (flags & MS_NODEV)
36 audit_log_format(ab, ", nodev");
37 if (flags & MS_NOEXEC)
38 audit_log_format(ab, ", noexec");
39 if (flags & MS_SYNCHRONOUS)
40 audit_log_format(ab, ", sync");
41 if (flags & MS_REMOUNT)
42 audit_log_format(ab, ", remount");
43 if (flags & MS_MANDLOCK)
44 audit_log_format(ab, ", mand");
45 if (flags & MS_DIRSYNC)
46 audit_log_format(ab, ", dirsync");
47 if (flags & MS_NOSYMFOLLOW)
48 audit_log_format(ab, ", nosymfollow");
49 if (flags & MS_NOATIME)
50 audit_log_format(ab, ", noatime");
51 if (flags & MS_NODIRATIME)
52 audit_log_format(ab, ", nodiratime");
53 if (flags & MS_BIND)
54 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
55 if (flags & MS_MOVE)
56 audit_log_format(ab, ", move");
57 if (flags & MS_SILENT)
58 audit_log_format(ab, ", silent");
59 if (flags & MS_POSIXACL)
60 audit_log_format(ab, ", acl");
61 if (flags & MS_UNBINDABLE)
62 audit_log_format(ab, flags & MS_REC ? ", runbindable" :
63 ", unbindable");
64 if (flags & MS_PRIVATE)
65 audit_log_format(ab, flags & MS_REC ? ", rprivate" :
66 ", private");
67 if (flags & MS_SLAVE)
68 audit_log_format(ab, flags & MS_REC ? ", rslave" :
69 ", slave");
70 if (flags & MS_SHARED)
71 audit_log_format(ab, flags & MS_REC ? ", rshared" :
72 ", shared");
73 if (flags & MS_RELATIME)
74 audit_log_format(ab, ", relatime");
75 if (flags & MS_I_VERSION)
76 audit_log_format(ab, ", iversion");
77 if (flags & MS_STRICTATIME)
78 audit_log_format(ab, ", strictatime");
79 if (flags & MS_NOUSER)
80 audit_log_format(ab, ", nouser");
81 }
82
83 /**
84 * audit_cb - call back for mount specific audit fields
85 * @ab: audit_buffer (NOT NULL)
86 * @va: audit struct to audit values of (NOT NULL)
87 */
audit_cb(struct audit_buffer * ab,void * va)88 static void audit_cb(struct audit_buffer *ab, void *va)
89 {
90 struct common_audit_data *sa = va;
91 struct apparmor_audit_data *ad = aad(sa);
92
93 if (ad->mnt.type) {
94 audit_log_format(ab, " fstype=");
95 audit_log_untrustedstring(ab, ad->mnt.type);
96 }
97 if (ad->mnt.src_name) {
98 audit_log_format(ab, " srcname=");
99 audit_log_untrustedstring(ab, ad->mnt.src_name);
100 }
101 if (ad->mnt.trans) {
102 audit_log_format(ab, " trans=");
103 audit_log_untrustedstring(ab, ad->mnt.trans);
104 }
105 if (ad->mnt.flags) {
106 audit_log_format(ab, " flags=\"");
107 audit_mnt_flags(ab, ad->mnt.flags);
108 audit_log_format(ab, "\"");
109 }
110 if (ad->mnt.data) {
111 audit_log_format(ab, " options=");
112 audit_log_untrustedstring(ab, ad->mnt.data);
113 }
114 }
115
116 /**
117 * audit_mount - handle the auditing of mount operations
118 * @subj_cred: cred of the subject
119 * @profile: the profile being enforced (NOT NULL)
120 * @op: operation being mediated (NOT NULL)
121 * @name: name of object being mediated (MAYBE NULL)
122 * @src_name: src_name of object being mediated (MAYBE_NULL)
123 * @type: type of filesystem (MAYBE_NULL)
124 * @trans: name of trans (MAYBE NULL)
125 * @flags: filesystem independent mount flags
126 * @data: filesystem mount flags
127 * @request: permissions requested
128 * @perms: the permissions computed for the request (NOT NULL)
129 * @info: extra information message (MAYBE NULL)
130 * @error: 0 if operation allowed else failure error code
131 *
132 * Returns: %0 or error on failure
133 */
audit_mount(const struct cred * subj_cred,struct aa_profile * profile,const char * op,const char * name,const char * src_name,const char * type,const char * trans,unsigned long flags,const void * data,u32 request,struct aa_perms * perms,const char * info,int error)134 static int audit_mount(const struct cred *subj_cred,
135 struct aa_profile *profile, const char *op,
136 const char *name, const char *src_name,
137 const char *type, const char *trans,
138 unsigned long flags, const void *data, u32 request,
139 struct aa_perms *perms, const char *info, int error)
140 {
141 int audit_type = AUDIT_APPARMOR_AUTO;
142 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
143
144 if (likely(!error)) {
145 u32 mask = perms->audit;
146
147 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
148 mask = 0xffff;
149
150 /* mask off perms that are not being force audited */
151 request &= mask;
152
153 if (likely(!request))
154 return 0;
155 audit_type = AUDIT_APPARMOR_AUDIT;
156 } else {
157 /* only report permissions that were denied */
158 request = request & ~perms->allow;
159
160 if (request & perms->kill)
161 audit_type = AUDIT_APPARMOR_KILL;
162
163 /* quiet known rejects, assumes quiet and kill do not overlap */
164 if ((request & perms->quiet) &&
165 AUDIT_MODE(profile) != AUDIT_NOQUIET &&
166 AUDIT_MODE(profile) != AUDIT_ALL)
167 request &= ~perms->quiet;
168
169 if (!request)
170 return error;
171 }
172
173 ad.subj_cred = subj_cred;
174 ad.name = name;
175 ad.mnt.src_name = src_name;
176 ad.mnt.type = type;
177 ad.mnt.trans = trans;
178 ad.mnt.flags = flags;
179 if (data && (perms->audit & AA_AUDIT_DATA))
180 ad.mnt.data = data;
181 ad.info = info;
182 ad.error = error;
183
184 return aa_audit(audit_type, profile, &ad, audit_cb);
185 }
186
187 /**
188 * match_mnt_flags - Do an ordered match on mount flags
189 * @dfa: dfa to match against
190 * @state: state to start in
191 * @flags: mount flags to match against
192 *
193 * Mount flags are encoded as an ordered match. This is done instead of
194 * checking against a simple bitmask, to allow for logical operations
195 * on the flags.
196 *
197 * Returns: next state after flags match
198 */
match_mnt_flags(struct aa_dfa * dfa,aa_state_t state,unsigned long flags)199 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
200 unsigned long flags)
201 {
202 unsigned int i;
203
204 for (i = 0; i <= 31 ; ++i) {
205 if ((1 << i) & flags)
206 state = aa_dfa_next(dfa, state, i + 1);
207 }
208
209 return state;
210 }
211
212 static const char * const mnt_info_table[] = {
213 "match succeeded",
214 "failed mntpnt match",
215 "failed srcname match",
216 "failed type match",
217 "failed flags match",
218 "failed data match",
219 "failed perms check"
220 };
221
222 /*
223 * Returns 0 on success else element that match failed in, this is the
224 * index into the mnt_info_table above
225 */
do_match_mnt(struct aa_policydb * policy,aa_state_t start,const char * mntpnt,const char * devname,const char * type,unsigned long flags,void * data,bool binary,struct aa_perms * perms)226 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
227 const char *mntpnt, const char *devname,
228 const char *type, unsigned long flags,
229 void *data, bool binary, struct aa_perms *perms)
230 {
231 aa_state_t state;
232
233 AA_BUG(!policy);
234 AA_BUG(!policy->dfa);
235 AA_BUG(!policy->perms);
236 AA_BUG(!perms);
237
238 state = aa_dfa_match(policy->dfa, start, mntpnt);
239 state = aa_dfa_null_transition(policy->dfa, state);
240 if (!state)
241 return 1;
242
243 if (devname)
244 state = aa_dfa_match(policy->dfa, state, devname);
245 state = aa_dfa_null_transition(policy->dfa, state);
246 if (!state)
247 return 2;
248
249 if (type)
250 state = aa_dfa_match(policy->dfa, state, type);
251 state = aa_dfa_null_transition(policy->dfa, state);
252 if (!state)
253 return 3;
254
255 state = match_mnt_flags(policy->dfa, state, flags);
256 if (!state)
257 return 4;
258 *perms = *aa_lookup_perms(policy, state);
259 if (perms->allow & AA_MAY_MOUNT)
260 return 0;
261
262 /* only match data if not binary and the DFA flags data is expected */
263 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
264 state = aa_dfa_null_transition(policy->dfa, state);
265 if (!state)
266 return 4;
267
268 state = aa_dfa_match(policy->dfa, state, data);
269 if (!state)
270 return 5;
271 *perms = *aa_lookup_perms(policy, state);
272 if (perms->allow & AA_MAY_MOUNT)
273 return 0;
274 }
275
276 /* failed at perms check, don't confuse with flags match */
277 return 6;
278 }
279
280
path_flags(struct aa_profile * profile,const struct path * path)281 static int path_flags(struct aa_profile *profile, const struct path *path)
282 {
283 AA_BUG(!profile);
284 AA_BUG(!path);
285
286 return profile->path_flags |
287 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
288 }
289
290 /**
291 * match_mnt_path_str - handle path matching for mount
292 * @subj_cred: cred of confined subject
293 * @profile: the confining profile
294 * @mntpath: for the mntpnt (NOT NULL)
295 * @buffer: buffer to be used to lookup mntpath
296 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
297 * @type: string for the dev type (MAYBE NULL)
298 * @flags: mount flags to match
299 * @data: fs mount data (MAYBE NULL)
300 * @binary: whether @data is binary
301 * @devinfo: error str if (IS_ERR(@devname))
302 *
303 * Returns: 0 on success else error
304 */
match_mnt_path_str(const struct cred * subj_cred,struct aa_profile * profile,const struct path * mntpath,char * buffer,const char * devname,const char * type,unsigned long flags,void * data,bool binary,const char * devinfo)305 static int match_mnt_path_str(const struct cred *subj_cred,
306 struct aa_profile *profile,
307 const struct path *mntpath, char *buffer,
308 const char *devname, const char *type,
309 unsigned long flags, void *data, bool binary,
310 const char *devinfo)
311 {
312 struct aa_perms perms = { };
313 const char *mntpnt = NULL, *info = NULL;
314 struct aa_ruleset *rules = list_first_entry(&profile->rules,
315 typeof(*rules), list);
316 int pos, error;
317
318 AA_BUG(!profile);
319 AA_BUG(!mntpath);
320 AA_BUG(!buffer);
321
322 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
323 return 0;
324
325 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
326 &mntpnt, &info, profile->disconnected);
327 if (error)
328 goto audit;
329 if (IS_ERR(devname)) {
330 error = PTR_ERR(devname);
331 devname = NULL;
332 info = devinfo;
333 goto audit;
334 }
335
336 error = -EACCES;
337 pos = do_match_mnt(rules->policy,
338 rules->policy->start[AA_CLASS_MOUNT],
339 mntpnt, devname, type, flags, data, binary, &perms);
340 if (pos) {
341 info = mnt_info_table[pos];
342 goto audit;
343 }
344 error = 0;
345
346 audit:
347 return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname,
348 type, NULL,
349 flags, data, AA_MAY_MOUNT, &perms, info, error);
350 }
351
352 /**
353 * match_mnt - handle path matching for mount
354 * @subj_cred: cred of the subject
355 * @profile: the confining profile
356 * @path: for the mntpnt (NOT NULL)
357 * @buffer: buffer to be used to lookup mntpath
358 * @devpath: path devname/src_name (MAYBE NULL)
359 * @devbuffer: buffer to be used to lookup devname/src_name
360 * @type: string for the dev type (MAYBE NULL)
361 * @flags: mount flags to match
362 * @data: fs mount data (MAYBE NULL)
363 * @binary: whether @data is binary
364 *
365 * Returns: 0 on success else error
366 */
match_mnt(const struct cred * subj_cred,struct aa_profile * profile,const struct path * path,char * buffer,const struct path * devpath,char * devbuffer,const char * type,unsigned long flags,void * data,bool binary)367 static int match_mnt(const struct cred *subj_cred,
368 struct aa_profile *profile, const struct path *path,
369 char *buffer, const struct path *devpath, char *devbuffer,
370 const char *type, unsigned long flags, void *data,
371 bool binary)
372 {
373 const char *devname = NULL, *info = NULL;
374 struct aa_ruleset *rules = list_first_entry(&profile->rules,
375 typeof(*rules), list);
376 int error = -EACCES;
377
378 AA_BUG(!profile);
379 AA_BUG(devpath && !devbuffer);
380
381 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
382 return 0;
383
384 if (devpath) {
385 error = aa_path_name(devpath, path_flags(profile, devpath),
386 devbuffer, &devname, &info,
387 profile->disconnected);
388 if (error)
389 devname = ERR_PTR(error);
390 }
391
392 return match_mnt_path_str(subj_cred, profile, path, buffer, devname,
393 type, flags, data, binary, info);
394 }
395
aa_remount(const struct cred * subj_cred,struct aa_label * label,const struct path * path,unsigned long flags,void * data)396 int aa_remount(const struct cred *subj_cred,
397 struct aa_label *label, const struct path *path,
398 unsigned long flags, void *data)
399 {
400 struct aa_profile *profile;
401 char *buffer = NULL;
402 bool binary;
403 int error;
404
405 AA_BUG(!label);
406 AA_BUG(!path);
407
408 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
409
410 buffer = aa_get_buffer(false);
411 if (!buffer)
412 return -ENOMEM;
413 error = fn_for_each_confined(label, profile,
414 match_mnt(subj_cred, profile, path, buffer, NULL,
415 NULL, NULL,
416 flags, data, binary));
417 aa_put_buffer(buffer);
418
419 return error;
420 }
421
aa_bind_mount(const struct cred * subj_cred,struct aa_label * label,const struct path * path,const char * dev_name,unsigned long flags)422 int aa_bind_mount(const struct cred *subj_cred,
423 struct aa_label *label, const struct path *path,
424 const char *dev_name, unsigned long flags)
425 {
426 struct aa_profile *profile;
427 char *buffer = NULL, *old_buffer = NULL;
428 struct path old_path;
429 int error;
430
431 AA_BUG(!label);
432 AA_BUG(!path);
433
434 if (!dev_name || !*dev_name)
435 return -EINVAL;
436
437 flags &= MS_REC | MS_BIND;
438
439 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
440 if (error)
441 return error;
442
443 buffer = aa_get_buffer(false);
444 old_buffer = aa_get_buffer(false);
445 error = -ENOMEM;
446 if (!buffer || !old_buffer)
447 goto out;
448
449 error = fn_for_each_confined(label, profile,
450 match_mnt(subj_cred, profile, path, buffer, &old_path,
451 old_buffer, NULL, flags, NULL, false));
452 out:
453 aa_put_buffer(buffer);
454 aa_put_buffer(old_buffer);
455 path_put(&old_path);
456
457 return error;
458 }
459
aa_mount_change_type(const struct cred * subj_cred,struct aa_label * label,const struct path * path,unsigned long flags)460 int aa_mount_change_type(const struct cred *subj_cred,
461 struct aa_label *label, const struct path *path,
462 unsigned long flags)
463 {
464 struct aa_profile *profile;
465 char *buffer = NULL;
466 int error;
467
468 AA_BUG(!label);
469 AA_BUG(!path);
470
471 /* These are the flags allowed by do_change_type() */
472 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
473 MS_UNBINDABLE);
474
475 buffer = aa_get_buffer(false);
476 if (!buffer)
477 return -ENOMEM;
478 error = fn_for_each_confined(label, profile,
479 match_mnt(subj_cred, profile, path, buffer, NULL,
480 NULL, NULL,
481 flags, NULL, false));
482 aa_put_buffer(buffer);
483
484 return error;
485 }
486
aa_move_mount(const struct cred * subj_cred,struct aa_label * label,const struct path * from_path,const struct path * to_path)487 int aa_move_mount(const struct cred *subj_cred,
488 struct aa_label *label, const struct path *from_path,
489 const struct path *to_path)
490 {
491 struct aa_profile *profile;
492 char *to_buffer = NULL, *from_buffer = NULL;
493 int error;
494
495 AA_BUG(!label);
496 AA_BUG(!from_path);
497 AA_BUG(!to_path);
498
499 to_buffer = aa_get_buffer(false);
500 from_buffer = aa_get_buffer(false);
501 error = -ENOMEM;
502 if (!to_buffer || !from_buffer)
503 goto out;
504
505 if (!our_mnt(from_path->mnt))
506 /* moving a mount detached from the namespace */
507 from_path = NULL;
508 error = fn_for_each_confined(label, profile,
509 match_mnt(subj_cred, profile, to_path, to_buffer,
510 from_path, from_buffer,
511 NULL, MS_MOVE, NULL, false));
512 out:
513 aa_put_buffer(to_buffer);
514 aa_put_buffer(from_buffer);
515
516 return error;
517 }
518
aa_move_mount_old(const struct cred * subj_cred,struct aa_label * label,const struct path * path,const char * orig_name)519 int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
520 const struct path *path, const char *orig_name)
521 {
522 struct path old_path;
523 int error;
524
525 if (!orig_name || !*orig_name)
526 return -EINVAL;
527 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
528 if (error)
529 return error;
530
531 error = aa_move_mount(subj_cred, label, &old_path, path);
532 path_put(&old_path);
533
534 return error;
535 }
536
aa_new_mount(const struct cred * subj_cred,struct aa_label * label,const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)537 int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
538 const char *dev_name, const struct path *path,
539 const char *type, unsigned long flags, void *data)
540 {
541 struct aa_profile *profile;
542 char *buffer = NULL, *dev_buffer = NULL;
543 bool binary = true;
544 int error;
545 int requires_dev = 0;
546 struct path tmp_path, *dev_path = NULL;
547
548 AA_BUG(!label);
549 AA_BUG(!path);
550
551 if (type) {
552 struct file_system_type *fstype;
553
554 fstype = get_fs_type(type);
555 if (!fstype)
556 return -ENODEV;
557 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
558 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
559 put_filesystem(fstype);
560
561 if (requires_dev) {
562 if (!dev_name || !*dev_name)
563 return -ENOENT;
564
565 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
566 if (error)
567 return error;
568 dev_path = &tmp_path;
569 }
570 }
571
572 buffer = aa_get_buffer(false);
573 if (!buffer) {
574 error = -ENOMEM;
575 goto out;
576 }
577 if (dev_path) {
578 dev_buffer = aa_get_buffer(false);
579 if (!dev_buffer) {
580 error = -ENOMEM;
581 goto out;
582 }
583 error = fn_for_each_confined(label, profile,
584 match_mnt(subj_cred, profile, path, buffer,
585 dev_path, dev_buffer,
586 type, flags, data, binary));
587 } else {
588 error = fn_for_each_confined(label, profile,
589 match_mnt_path_str(subj_cred, profile, path,
590 buffer, dev_name,
591 type, flags, data, binary, NULL));
592 }
593
594 out:
595 aa_put_buffer(buffer);
596 aa_put_buffer(dev_buffer);
597 if (dev_path)
598 path_put(dev_path);
599
600 return error;
601 }
602
profile_umount(const struct cred * subj_cred,struct aa_profile * profile,const struct path * path,char * buffer)603 static int profile_umount(const struct cred *subj_cred,
604 struct aa_profile *profile, const struct path *path,
605 char *buffer)
606 {
607 struct aa_ruleset *rules = list_first_entry(&profile->rules,
608 typeof(*rules), list);
609 struct aa_perms perms = { };
610 const char *name = NULL, *info = NULL;
611 aa_state_t state;
612 int error;
613
614 AA_BUG(!profile);
615 AA_BUG(!path);
616
617 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
618 return 0;
619
620 error = aa_path_name(path, path_flags(profile, path), buffer, &name,
621 &info, profile->disconnected);
622 if (error)
623 goto audit;
624
625 state = aa_dfa_match(rules->policy->dfa,
626 rules->policy->start[AA_CLASS_MOUNT],
627 name);
628 perms = *aa_lookup_perms(rules->policy, state);
629 if (AA_MAY_UMOUNT & ~perms.allow)
630 error = -EACCES;
631
632 audit:
633 return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
634 NULL, 0, NULL,
635 AA_MAY_UMOUNT, &perms, info, error);
636 }
637
aa_umount(const struct cred * subj_cred,struct aa_label * label,struct vfsmount * mnt,int flags)638 int aa_umount(const struct cred *subj_cred, struct aa_label *label,
639 struct vfsmount *mnt, int flags)
640 {
641 struct aa_profile *profile;
642 char *buffer = NULL;
643 int error;
644 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
645
646 AA_BUG(!label);
647 AA_BUG(!mnt);
648
649 buffer = aa_get_buffer(false);
650 if (!buffer)
651 return -ENOMEM;
652
653 error = fn_for_each_confined(label, profile,
654 profile_umount(subj_cred, profile, &path, buffer));
655 aa_put_buffer(buffer);
656
657 return error;
658 }
659
660 /* helper fn for transition on pivotroot
661 *
662 * Returns: label for transition or ERR_PTR. Does not return NULL
663 */
build_pivotroot(const struct cred * subj_cred,struct aa_profile * profile,const struct path * new_path,char * new_buffer,const struct path * old_path,char * old_buffer)664 static struct aa_label *build_pivotroot(const struct cred *subj_cred,
665 struct aa_profile *profile,
666 const struct path *new_path,
667 char *new_buffer,
668 const struct path *old_path,
669 char *old_buffer)
670 {
671 struct aa_ruleset *rules = list_first_entry(&profile->rules,
672 typeof(*rules), list);
673 const char *old_name, *new_name = NULL, *info = NULL;
674 const char *trans_name = NULL;
675 struct aa_perms perms = { };
676 aa_state_t state;
677 int error;
678
679 AA_BUG(!profile);
680 AA_BUG(!new_path);
681 AA_BUG(!old_path);
682
683 if (profile_unconfined(profile) ||
684 !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
685 return aa_get_newest_label(&profile->label);
686
687 error = aa_path_name(old_path, path_flags(profile, old_path),
688 old_buffer, &old_name, &info,
689 profile->disconnected);
690 if (error)
691 goto audit;
692 error = aa_path_name(new_path, path_flags(profile, new_path),
693 new_buffer, &new_name, &info,
694 profile->disconnected);
695 if (error)
696 goto audit;
697
698 error = -EACCES;
699 state = aa_dfa_match(rules->policy->dfa,
700 rules->policy->start[AA_CLASS_MOUNT],
701 new_name);
702 state = aa_dfa_null_transition(rules->policy->dfa, state);
703 state = aa_dfa_match(rules->policy->dfa, state, old_name);
704 perms = *aa_lookup_perms(rules->policy, state);
705
706 if (AA_MAY_PIVOTROOT & perms.allow)
707 error = 0;
708
709 audit:
710 error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name,
711 old_name,
712 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
713 &perms, info, error);
714 if (error)
715 return ERR_PTR(error);
716
717 return aa_get_newest_label(&profile->label);
718 }
719
aa_pivotroot(const struct cred * subj_cred,struct aa_label * label,const struct path * old_path,const struct path * new_path)720 int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
721 const struct path *old_path,
722 const struct path *new_path)
723 {
724 struct aa_profile *profile;
725 struct aa_label *target = NULL;
726 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
727 int error;
728
729 AA_BUG(!label);
730 AA_BUG(!old_path);
731 AA_BUG(!new_path);
732
733 old_buffer = aa_get_buffer(false);
734 new_buffer = aa_get_buffer(false);
735 error = -ENOMEM;
736 if (!old_buffer || !new_buffer)
737 goto out;
738 target = fn_label_build(label, profile, GFP_KERNEL,
739 build_pivotroot(subj_cred, profile, new_path,
740 new_buffer,
741 old_path, old_buffer));
742 if (!target) {
743 info = "label build failed";
744 error = -ENOMEM;
745 goto fail;
746 } else if (!IS_ERR(target)) {
747 error = aa_replace_current_label(target);
748 if (error) {
749 /* TODO: audit target */
750 aa_put_label(target);
751 goto out;
752 }
753 aa_put_label(target);
754 } else
755 /* already audited error */
756 error = PTR_ERR(target);
757 out:
758 aa_put_buffer(old_buffer);
759 aa_put_buffer(new_buffer);
760
761 return error;
762
763 fail:
764 /* TODO: add back in auditing of new_name and old_name */
765 error = fn_for_each(label, profile,
766 audit_mount(subj_cred, profile, OP_PIVOTROOT,
767 NULL /*new_name */,
768 NULL /* old_name */,
769 NULL, NULL,
770 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
771 error));
772 goto out;
773 }
774