1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor mediation of files 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2017 Canonical Ltd. 9 */ 10 11 #include <linux/fs.h> 12 #include <linux/mount.h> 13 #include <linux/namei.h> 14 #include <uapi/linux/mount.h> 15 16 #include "include/apparmor.h" 17 #include "include/audit.h" 18 #include "include/cred.h" 19 #include "include/domain.h" 20 #include "include/file.h" 21 #include "include/match.h" 22 #include "include/mount.h" 23 #include "include/path.h" 24 #include "include/policy.h" 25 26 27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) 28 { 29 if (flags & MS_RDONLY) 30 audit_log_format(ab, "ro"); 31 else 32 audit_log_format(ab, "rw"); 33 if (flags & MS_NOSUID) 34 audit_log_format(ab, ", nosuid"); 35 if (flags & MS_NODEV) 36 audit_log_format(ab, ", nodev"); 37 if (flags & MS_NOEXEC) 38 audit_log_format(ab, ", noexec"); 39 if (flags & MS_SYNCHRONOUS) 40 audit_log_format(ab, ", sync"); 41 if (flags & MS_REMOUNT) 42 audit_log_format(ab, ", remount"); 43 if (flags & MS_MANDLOCK) 44 audit_log_format(ab, ", mand"); 45 if (flags & MS_DIRSYNC) 46 audit_log_format(ab, ", dirsync"); 47 if (flags & MS_NOATIME) 48 audit_log_format(ab, ", noatime"); 49 if (flags & MS_NODIRATIME) 50 audit_log_format(ab, ", nodiratime"); 51 if (flags & MS_BIND) 52 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); 53 if (flags & MS_MOVE) 54 audit_log_format(ab, ", move"); 55 if (flags & MS_SILENT) 56 audit_log_format(ab, ", silent"); 57 if (flags & MS_POSIXACL) 58 audit_log_format(ab, ", acl"); 59 if (flags & MS_UNBINDABLE) 60 audit_log_format(ab, flags & MS_REC ? ", runbindable" : 61 ", unbindable"); 62 if (flags & MS_PRIVATE) 63 audit_log_format(ab, flags & MS_REC ? ", rprivate" : 64 ", private"); 65 if (flags & MS_SLAVE) 66 audit_log_format(ab, flags & MS_REC ? ", rslave" : 67 ", slave"); 68 if (flags & MS_SHARED) 69 audit_log_format(ab, flags & MS_REC ? ", rshared" : 70 ", shared"); 71 if (flags & MS_RELATIME) 72 audit_log_format(ab, ", relatime"); 73 if (flags & MS_I_VERSION) 74 audit_log_format(ab, ", iversion"); 75 if (flags & MS_STRICTATIME) 76 audit_log_format(ab, ", strictatime"); 77 if (flags & MS_NOUSER) 78 audit_log_format(ab, ", nouser"); 79 } 80 81 /** 82 * audit_cb - call back for mount specific audit fields 83 * @ab: audit_buffer (NOT NULL) 84 * @va: audit struct to audit values of (NOT NULL) 85 */ 86 static void audit_cb(struct audit_buffer *ab, void *va) 87 { 88 struct common_audit_data *sa = va; 89 struct apparmor_audit_data *ad = aad(sa); 90 91 if (ad->mnt.type) { 92 audit_log_format(ab, " fstype="); 93 audit_log_untrustedstring(ab, ad->mnt.type); 94 } 95 if (ad->mnt.src_name) { 96 audit_log_format(ab, " srcname="); 97 audit_log_untrustedstring(ab, ad->mnt.src_name); 98 } 99 if (ad->mnt.trans) { 100 audit_log_format(ab, " trans="); 101 audit_log_untrustedstring(ab, ad->mnt.trans); 102 } 103 if (ad->mnt.flags) { 104 audit_log_format(ab, " flags=\""); 105 audit_mnt_flags(ab, ad->mnt.flags); 106 audit_log_format(ab, "\""); 107 } 108 if (ad->mnt.data) { 109 audit_log_format(ab, " options="); 110 audit_log_untrustedstring(ab, ad->mnt.data); 111 } 112 } 113 114 /** 115 * audit_mount - handle the auditing of mount operations 116 * @subj_cred: cred of the subject 117 * @profile: the profile being enforced (NOT NULL) 118 * @op: operation being mediated (NOT NULL) 119 * @name: name of object being mediated (MAYBE NULL) 120 * @src_name: src_name of object being mediated (MAYBE_NULL) 121 * @type: type of filesystem (MAYBE_NULL) 122 * @trans: name of trans (MAYBE NULL) 123 * @flags: filesystem independent mount flags 124 * @data: filesystem mount flags 125 * @request: permissions requested 126 * @perms: the permissions computed for the request (NOT NULL) 127 * @info: extra information message (MAYBE NULL) 128 * @error: 0 if operation allowed else failure error code 129 * 130 * Returns: %0 or error on failure 131 */ 132 static int audit_mount(const struct cred *subj_cred, 133 struct aa_profile *profile, const char *op, 134 const char *name, const char *src_name, 135 const char *type, const char *trans, 136 unsigned long flags, const void *data, u32 request, 137 struct aa_perms *perms, const char *info, int error) 138 { 139 int audit_type = AUDIT_APPARMOR_AUTO; 140 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); 141 142 if (likely(!error)) { 143 u32 mask = perms->audit; 144 145 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 146 mask = 0xffff; 147 148 /* mask off perms that are not being force audited */ 149 request &= mask; 150 151 if (likely(!request)) 152 return 0; 153 audit_type = AUDIT_APPARMOR_AUDIT; 154 } else { 155 /* only report permissions that were denied */ 156 request = request & ~perms->allow; 157 158 if (request & perms->kill) 159 audit_type = AUDIT_APPARMOR_KILL; 160 161 /* quiet known rejects, assumes quiet and kill do not overlap */ 162 if ((request & perms->quiet) && 163 AUDIT_MODE(profile) != AUDIT_NOQUIET && 164 AUDIT_MODE(profile) != AUDIT_ALL) 165 request &= ~perms->quiet; 166 167 if (!request) 168 return error; 169 } 170 171 ad.subj_cred = subj_cred; 172 ad.name = name; 173 ad.mnt.src_name = src_name; 174 ad.mnt.type = type; 175 ad.mnt.trans = trans; 176 ad.mnt.flags = flags; 177 if (data && (perms->audit & AA_AUDIT_DATA)) 178 ad.mnt.data = data; 179 ad.info = info; 180 ad.error = error; 181 182 return aa_audit(audit_type, profile, &ad, audit_cb); 183 } 184 185 /** 186 * match_mnt_flags - Do an ordered match on mount flags 187 * @dfa: dfa to match against 188 * @state: state to start in 189 * @flags: mount flags to match against 190 * 191 * Mount flags are encoded as an ordered match. This is done instead of 192 * checking against a simple bitmask, to allow for logical operations 193 * on the flags. 194 * 195 * Returns: next state after flags match 196 */ 197 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, 198 unsigned long flags) 199 { 200 unsigned int i; 201 202 for (i = 0; i <= 31 ; ++i) { 203 if ((1 << i) & flags) 204 state = aa_dfa_next(dfa, state, i + 1); 205 } 206 207 return state; 208 } 209 210 static const char * const mnt_info_table[] = { 211 "match succeeded", 212 "failed mntpnt match", 213 "failed srcname match", 214 "failed type match", 215 "failed flags match", 216 "failed data match", 217 "failed perms check" 218 }; 219 220 /* 221 * Returns 0 on success else element that match failed in, this is the 222 * index into the mnt_info_table above 223 */ 224 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, 225 const char *mntpnt, const char *devname, 226 const char *type, unsigned long flags, 227 void *data, bool binary, struct aa_perms *perms) 228 { 229 aa_state_t state; 230 231 AA_BUG(!policy); 232 AA_BUG(!policy->dfa); 233 AA_BUG(!policy->perms); 234 AA_BUG(!perms); 235 236 state = aa_dfa_match(policy->dfa, start, mntpnt); 237 state = aa_dfa_null_transition(policy->dfa, state); 238 if (!state) 239 return 1; 240 241 if (devname) 242 state = aa_dfa_match(policy->dfa, state, devname); 243 state = aa_dfa_null_transition(policy->dfa, state); 244 if (!state) 245 return 2; 246 247 if (type) 248 state = aa_dfa_match(policy->dfa, state, type); 249 state = aa_dfa_null_transition(policy->dfa, state); 250 if (!state) 251 return 3; 252 253 state = match_mnt_flags(policy->dfa, state, flags); 254 if (!state) 255 return 4; 256 *perms = *aa_lookup_perms(policy, state); 257 if (perms->allow & AA_MAY_MOUNT) 258 return 0; 259 260 /* only match data if not binary and the DFA flags data is expected */ 261 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { 262 state = aa_dfa_null_transition(policy->dfa, state); 263 if (!state) 264 return 4; 265 266 state = aa_dfa_match(policy->dfa, state, data); 267 if (!state) 268 return 5; 269 *perms = *aa_lookup_perms(policy, state); 270 if (perms->allow & AA_MAY_MOUNT) 271 return 0; 272 } 273 274 /* failed at perms check, don't confuse with flags match */ 275 return 6; 276 } 277 278 279 static int path_flags(struct aa_profile *profile, const struct path *path) 280 { 281 AA_BUG(!profile); 282 AA_BUG(!path); 283 284 return profile->path_flags | 285 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); 286 } 287 288 /** 289 * match_mnt_path_str - handle path matching for mount 290 * @subj_cred: cred of confined subject 291 * @profile: the confining profile 292 * @mntpath: for the mntpnt (NOT NULL) 293 * @buffer: buffer to be used to lookup mntpath 294 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) 295 * @type: string for the dev type (MAYBE NULL) 296 * @flags: mount flags to match 297 * @data: fs mount data (MAYBE NULL) 298 * @binary: whether @data is binary 299 * @devinfo: error str if (IS_ERR(@devname)) 300 * 301 * Returns: 0 on success else error 302 */ 303 static int match_mnt_path_str(const struct cred *subj_cred, 304 struct aa_profile *profile, 305 const struct path *mntpath, char *buffer, 306 const char *devname, const char *type, 307 unsigned long flags, void *data, bool binary, 308 const char *devinfo) 309 { 310 struct aa_perms perms = { }; 311 const char *mntpnt = NULL, *info = NULL; 312 struct aa_ruleset *rules = list_first_entry(&profile->rules, 313 typeof(*rules), list); 314 int pos, error; 315 316 AA_BUG(!profile); 317 AA_BUG(!mntpath); 318 AA_BUG(!buffer); 319 320 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 321 return 0; 322 323 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 324 &mntpnt, &info, profile->disconnected); 325 if (error) 326 goto audit; 327 if (IS_ERR(devname)) { 328 error = PTR_ERR(devname); 329 devname = NULL; 330 info = devinfo; 331 goto audit; 332 } 333 334 error = -EACCES; 335 pos = do_match_mnt(rules->policy, 336 rules->policy->start[AA_CLASS_MOUNT], 337 mntpnt, devname, type, flags, data, binary, &perms); 338 if (pos) { 339 info = mnt_info_table[pos]; 340 goto audit; 341 } 342 error = 0; 343 344 audit: 345 return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname, 346 type, NULL, 347 flags, data, AA_MAY_MOUNT, &perms, info, error); 348 } 349 350 /** 351 * match_mnt - handle path matching for mount 352 * @subj_cred: cred of the subject 353 * @profile: the confining profile 354 * @path: for the mntpnt (NOT NULL) 355 * @buffer: buffer to be used to lookup mntpath 356 * @devpath: path devname/src_name (MAYBE NULL) 357 * @devbuffer: buffer to be used to lookup devname/src_name 358 * @type: string for the dev type (MAYBE NULL) 359 * @flags: mount flags to match 360 * @data: fs mount data (MAYBE NULL) 361 * @binary: whether @data is binary 362 * 363 * Returns: 0 on success else error 364 */ 365 static int match_mnt(const struct cred *subj_cred, 366 struct aa_profile *profile, const struct path *path, 367 char *buffer, const struct path *devpath, char *devbuffer, 368 const char *type, unsigned long flags, void *data, 369 bool binary) 370 { 371 const char *devname = NULL, *info = NULL; 372 struct aa_ruleset *rules = list_first_entry(&profile->rules, 373 typeof(*rules), list); 374 int error = -EACCES; 375 376 AA_BUG(!profile); 377 AA_BUG(devpath && !devbuffer); 378 379 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 380 return 0; 381 382 if (devpath) { 383 error = aa_path_name(devpath, path_flags(profile, devpath), 384 devbuffer, &devname, &info, 385 profile->disconnected); 386 if (error) 387 devname = ERR_PTR(error); 388 } 389 390 return match_mnt_path_str(subj_cred, profile, path, buffer, devname, 391 type, flags, data, binary, info); 392 } 393 394 int aa_remount(const struct cred *subj_cred, 395 struct aa_label *label, const struct path *path, 396 unsigned long flags, void *data) 397 { 398 struct aa_profile *profile; 399 char *buffer = NULL; 400 bool binary; 401 int error; 402 403 AA_BUG(!label); 404 AA_BUG(!path); 405 406 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; 407 408 buffer = aa_get_buffer(false); 409 if (!buffer) 410 return -ENOMEM; 411 error = fn_for_each_confined(label, profile, 412 match_mnt(subj_cred, profile, path, buffer, NULL, 413 NULL, NULL, 414 flags, data, binary)); 415 aa_put_buffer(buffer); 416 417 return error; 418 } 419 420 int aa_bind_mount(const struct cred *subj_cred, 421 struct aa_label *label, const struct path *path, 422 const char *dev_name, unsigned long flags) 423 { 424 struct aa_profile *profile; 425 char *buffer = NULL, *old_buffer = NULL; 426 struct path old_path; 427 int error; 428 429 AA_BUG(!label); 430 AA_BUG(!path); 431 432 if (!dev_name || !*dev_name) 433 return -EINVAL; 434 435 flags &= MS_REC | MS_BIND; 436 437 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); 438 if (error) 439 return error; 440 441 buffer = aa_get_buffer(false); 442 old_buffer = aa_get_buffer(false); 443 error = -ENOMEM; 444 if (!buffer || !old_buffer) 445 goto out; 446 447 error = fn_for_each_confined(label, profile, 448 match_mnt(subj_cred, profile, path, buffer, &old_path, 449 old_buffer, NULL, flags, NULL, false)); 450 out: 451 aa_put_buffer(buffer); 452 aa_put_buffer(old_buffer); 453 path_put(&old_path); 454 455 return error; 456 } 457 458 int aa_mount_change_type(const struct cred *subj_cred, 459 struct aa_label *label, const struct path *path, 460 unsigned long flags) 461 { 462 struct aa_profile *profile; 463 char *buffer = NULL; 464 int error; 465 466 AA_BUG(!label); 467 AA_BUG(!path); 468 469 /* These are the flags allowed by do_change_type() */ 470 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | 471 MS_UNBINDABLE); 472 473 buffer = aa_get_buffer(false); 474 if (!buffer) 475 return -ENOMEM; 476 error = fn_for_each_confined(label, profile, 477 match_mnt(subj_cred, profile, path, buffer, NULL, 478 NULL, NULL, 479 flags, NULL, false)); 480 aa_put_buffer(buffer); 481 482 return error; 483 } 484 485 int aa_move_mount(const struct cred *subj_cred, 486 struct aa_label *label, const struct path *from_path, 487 const struct path *to_path) 488 { 489 struct aa_profile *profile; 490 char *to_buffer = NULL, *from_buffer = NULL; 491 int error; 492 493 AA_BUG(!label); 494 AA_BUG(!from_path); 495 AA_BUG(!to_path); 496 497 to_buffer = aa_get_buffer(false); 498 from_buffer = aa_get_buffer(false); 499 error = -ENOMEM; 500 if (!to_buffer || !from_buffer) 501 goto out; 502 503 if (!our_mnt(from_path->mnt)) 504 /* moving a mount detached from the namespace */ 505 from_path = NULL; 506 error = fn_for_each_confined(label, profile, 507 match_mnt(subj_cred, profile, to_path, to_buffer, 508 from_path, from_buffer, 509 NULL, MS_MOVE, NULL, false)); 510 out: 511 aa_put_buffer(to_buffer); 512 aa_put_buffer(from_buffer); 513 514 return error; 515 } 516 517 int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label, 518 const struct path *path, const char *orig_name) 519 { 520 struct path old_path; 521 int error; 522 523 if (!orig_name || !*orig_name) 524 return -EINVAL; 525 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); 526 if (error) 527 return error; 528 529 error = aa_move_mount(subj_cred, label, &old_path, path); 530 path_put(&old_path); 531 532 return error; 533 } 534 535 int aa_new_mount(const struct cred *subj_cred, struct aa_label *label, 536 const char *dev_name, const struct path *path, 537 const char *type, unsigned long flags, void *data) 538 { 539 struct aa_profile *profile; 540 char *buffer = NULL, *dev_buffer = NULL; 541 bool binary = true; 542 int error; 543 int requires_dev = 0; 544 struct path tmp_path, *dev_path = NULL; 545 546 AA_BUG(!label); 547 AA_BUG(!path); 548 549 if (type) { 550 struct file_system_type *fstype; 551 552 fstype = get_fs_type(type); 553 if (!fstype) 554 return -ENODEV; 555 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; 556 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; 557 put_filesystem(fstype); 558 559 if (requires_dev) { 560 if (!dev_name || !*dev_name) 561 return -ENOENT; 562 563 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); 564 if (error) 565 return error; 566 dev_path = &tmp_path; 567 } 568 } 569 570 buffer = aa_get_buffer(false); 571 if (!buffer) { 572 error = -ENOMEM; 573 goto out; 574 } 575 if (dev_path) { 576 dev_buffer = aa_get_buffer(false); 577 if (!dev_buffer) { 578 error = -ENOMEM; 579 goto out; 580 } 581 error = fn_for_each_confined(label, profile, 582 match_mnt(subj_cred, profile, path, buffer, 583 dev_path, dev_buffer, 584 type, flags, data, binary)); 585 } else { 586 error = fn_for_each_confined(label, profile, 587 match_mnt_path_str(subj_cred, profile, path, 588 buffer, dev_name, 589 type, flags, data, binary, NULL)); 590 } 591 592 out: 593 aa_put_buffer(buffer); 594 aa_put_buffer(dev_buffer); 595 if (dev_path) 596 path_put(dev_path); 597 598 return error; 599 } 600 601 static int profile_umount(const struct cred *subj_cred, 602 struct aa_profile *profile, const struct path *path, 603 char *buffer) 604 { 605 struct aa_ruleset *rules = list_first_entry(&profile->rules, 606 typeof(*rules), list); 607 struct aa_perms perms = { }; 608 const char *name = NULL, *info = NULL; 609 aa_state_t state; 610 int error; 611 612 AA_BUG(!profile); 613 AA_BUG(!path); 614 615 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 616 return 0; 617 618 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 619 &info, profile->disconnected); 620 if (error) 621 goto audit; 622 623 state = aa_dfa_match(rules->policy->dfa, 624 rules->policy->start[AA_CLASS_MOUNT], 625 name); 626 perms = *aa_lookup_perms(rules->policy, state); 627 if (AA_MAY_UMOUNT & ~perms.allow) 628 error = -EACCES; 629 630 audit: 631 return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL, 632 NULL, 0, NULL, 633 AA_MAY_UMOUNT, &perms, info, error); 634 } 635 636 int aa_umount(const struct cred *subj_cred, struct aa_label *label, 637 struct vfsmount *mnt, int flags) 638 { 639 struct aa_profile *profile; 640 char *buffer = NULL; 641 int error; 642 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 643 644 AA_BUG(!label); 645 AA_BUG(!mnt); 646 647 buffer = aa_get_buffer(false); 648 if (!buffer) 649 return -ENOMEM; 650 651 error = fn_for_each_confined(label, profile, 652 profile_umount(subj_cred, profile, &path, buffer)); 653 aa_put_buffer(buffer); 654 655 return error; 656 } 657 658 /* helper fn for transition on pivotroot 659 * 660 * Returns: label for transition or ERR_PTR. Does not return NULL 661 */ 662 static struct aa_label *build_pivotroot(const struct cred *subj_cred, 663 struct aa_profile *profile, 664 const struct path *new_path, 665 char *new_buffer, 666 const struct path *old_path, 667 char *old_buffer) 668 { 669 struct aa_ruleset *rules = list_first_entry(&profile->rules, 670 typeof(*rules), list); 671 const char *old_name, *new_name = NULL, *info = NULL; 672 const char *trans_name = NULL; 673 struct aa_perms perms = { }; 674 aa_state_t state; 675 int error; 676 677 AA_BUG(!profile); 678 AA_BUG(!new_path); 679 AA_BUG(!old_path); 680 681 if (profile_unconfined(profile) || 682 !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 683 return aa_get_newest_label(&profile->label); 684 685 error = aa_path_name(old_path, path_flags(profile, old_path), 686 old_buffer, &old_name, &info, 687 profile->disconnected); 688 if (error) 689 goto audit; 690 error = aa_path_name(new_path, path_flags(profile, new_path), 691 new_buffer, &new_name, &info, 692 profile->disconnected); 693 if (error) 694 goto audit; 695 696 error = -EACCES; 697 state = aa_dfa_match(rules->policy->dfa, 698 rules->policy->start[AA_CLASS_MOUNT], 699 new_name); 700 state = aa_dfa_null_transition(rules->policy->dfa, state); 701 state = aa_dfa_match(rules->policy->dfa, state, old_name); 702 perms = *aa_lookup_perms(rules->policy, state); 703 704 if (AA_MAY_PIVOTROOT & perms.allow) 705 error = 0; 706 707 audit: 708 error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name, 709 old_name, 710 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, 711 &perms, info, error); 712 if (error) 713 return ERR_PTR(error); 714 715 return aa_get_newest_label(&profile->label); 716 } 717 718 int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label, 719 const struct path *old_path, 720 const struct path *new_path) 721 { 722 struct aa_profile *profile; 723 struct aa_label *target = NULL; 724 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; 725 int error; 726 727 AA_BUG(!label); 728 AA_BUG(!old_path); 729 AA_BUG(!new_path); 730 731 old_buffer = aa_get_buffer(false); 732 new_buffer = aa_get_buffer(false); 733 error = -ENOMEM; 734 if (!old_buffer || !new_buffer) 735 goto out; 736 target = fn_label_build(label, profile, GFP_KERNEL, 737 build_pivotroot(subj_cred, profile, new_path, 738 new_buffer, 739 old_path, old_buffer)); 740 if (!target) { 741 info = "label build failed"; 742 error = -ENOMEM; 743 goto fail; 744 } else if (!IS_ERR(target)) { 745 error = aa_replace_current_label(target); 746 if (error) { 747 /* TODO: audit target */ 748 aa_put_label(target); 749 goto out; 750 } 751 aa_put_label(target); 752 } else 753 /* already audited error */ 754 error = PTR_ERR(target); 755 out: 756 aa_put_buffer(old_buffer); 757 aa_put_buffer(new_buffer); 758 759 return error; 760 761 fail: 762 /* TODO: add back in auditing of new_name and old_name */ 763 error = fn_for_each(label, profile, 764 audit_mount(subj_cred, profile, OP_PIVOTROOT, 765 NULL /*new_name */, 766 NULL /* old_name */, 767 NULL, NULL, 768 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, 769 error)); 770 goto out; 771 } 772