1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor mediation of files 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2017 Canonical Ltd. 9 */ 10 11 #include <linux/fs.h> 12 #include <linux/mount.h> 13 #include <linux/namei.h> 14 #include <uapi/linux/mount.h> 15 16 #include "include/apparmor.h" 17 #include "include/audit.h" 18 #include "include/cred.h" 19 #include "include/domain.h" 20 #include "include/file.h" 21 #include "include/match.h" 22 #include "include/mount.h" 23 #include "include/path.h" 24 #include "include/policy.h" 25 26 27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) 28 { 29 if (flags & MS_RDONLY) 30 audit_log_format(ab, "ro"); 31 else 32 audit_log_format(ab, "rw"); 33 if (flags & MS_NOSUID) 34 audit_log_format(ab, ", nosuid"); 35 if (flags & MS_NODEV) 36 audit_log_format(ab, ", nodev"); 37 if (flags & MS_NOEXEC) 38 audit_log_format(ab, ", noexec"); 39 if (flags & MS_SYNCHRONOUS) 40 audit_log_format(ab, ", sync"); 41 if (flags & MS_REMOUNT) 42 audit_log_format(ab, ", remount"); 43 if (flags & MS_MANDLOCK) 44 audit_log_format(ab, ", mand"); 45 if (flags & MS_DIRSYNC) 46 audit_log_format(ab, ", dirsync"); 47 if (flags & MS_NOSYMFOLLOW) 48 audit_log_format(ab, ", nosymfollow"); 49 if (flags & MS_NOATIME) 50 audit_log_format(ab, ", noatime"); 51 if (flags & MS_NODIRATIME) 52 audit_log_format(ab, ", nodiratime"); 53 if (flags & MS_BIND) 54 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); 55 if (flags & MS_MOVE) 56 audit_log_format(ab, ", move"); 57 if (flags & MS_SILENT) 58 audit_log_format(ab, ", silent"); 59 if (flags & MS_POSIXACL) 60 audit_log_format(ab, ", acl"); 61 if (flags & MS_UNBINDABLE) 62 audit_log_format(ab, flags & MS_REC ? ", runbindable" : 63 ", unbindable"); 64 if (flags & MS_PRIVATE) 65 audit_log_format(ab, flags & MS_REC ? ", rprivate" : 66 ", private"); 67 if (flags & MS_SLAVE) 68 audit_log_format(ab, flags & MS_REC ? ", rslave" : 69 ", slave"); 70 if (flags & MS_SHARED) 71 audit_log_format(ab, flags & MS_REC ? ", rshared" : 72 ", shared"); 73 if (flags & MS_RELATIME) 74 audit_log_format(ab, ", relatime"); 75 if (flags & MS_I_VERSION) 76 audit_log_format(ab, ", iversion"); 77 if (flags & MS_STRICTATIME) 78 audit_log_format(ab, ", strictatime"); 79 if (flags & MS_NOUSER) 80 audit_log_format(ab, ", nouser"); 81 } 82 83 /** 84 * audit_cb - call back for mount specific audit fields 85 * @ab: audit_buffer (NOT NULL) 86 * @va: audit struct to audit values of (NOT NULL) 87 */ 88 static void audit_cb(struct audit_buffer *ab, void *va) 89 { 90 struct common_audit_data *sa = va; 91 struct apparmor_audit_data *ad = aad(sa); 92 93 if (ad->mnt.type) { 94 audit_log_format(ab, " fstype="); 95 audit_log_untrustedstring(ab, ad->mnt.type); 96 } 97 if (ad->mnt.src_name) { 98 audit_log_format(ab, " srcname="); 99 audit_log_untrustedstring(ab, ad->mnt.src_name); 100 } 101 if (ad->mnt.trans) { 102 audit_log_format(ab, " trans="); 103 audit_log_untrustedstring(ab, ad->mnt.trans); 104 } 105 if (ad->mnt.flags) { 106 audit_log_format(ab, " flags=\""); 107 audit_mnt_flags(ab, ad->mnt.flags); 108 audit_log_format(ab, "\""); 109 } 110 if (ad->mnt.data) { 111 audit_log_format(ab, " options="); 112 audit_log_untrustedstring(ab, ad->mnt.data); 113 } 114 } 115 116 /** 117 * audit_mount - handle the auditing of mount operations 118 * @subj_cred: cred of the subject 119 * @profile: the profile being enforced (NOT NULL) 120 * @op: operation being mediated (NOT NULL) 121 * @name: name of object being mediated (MAYBE NULL) 122 * @src_name: src_name of object being mediated (MAYBE_NULL) 123 * @type: type of filesystem (MAYBE_NULL) 124 * @trans: name of trans (MAYBE NULL) 125 * @flags: filesystem independent mount flags 126 * @data: filesystem mount flags 127 * @request: permissions requested 128 * @perms: the permissions computed for the request (NOT NULL) 129 * @info: extra information message (MAYBE NULL) 130 * @error: 0 if operation allowed else failure error code 131 * 132 * Returns: %0 or error on failure 133 */ 134 static int audit_mount(const struct cred *subj_cred, 135 struct aa_profile *profile, const char *op, 136 const char *name, const char *src_name, 137 const char *type, const char *trans, 138 unsigned long flags, const void *data, u32 request, 139 struct aa_perms *perms, const char *info, int error) 140 { 141 int audit_type = AUDIT_APPARMOR_AUTO; 142 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); 143 144 if (likely(!error)) { 145 u32 mask = perms->audit; 146 147 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 148 mask = 0xffff; 149 150 /* mask off perms that are not being force audited */ 151 request &= mask; 152 153 if (likely(!request)) 154 return 0; 155 audit_type = AUDIT_APPARMOR_AUDIT; 156 } else { 157 /* only report permissions that were denied */ 158 request = request & ~perms->allow; 159 160 if (request & perms->kill) 161 audit_type = AUDIT_APPARMOR_KILL; 162 163 /* quiet known rejects, assumes quiet and kill do not overlap */ 164 if ((request & perms->quiet) && 165 AUDIT_MODE(profile) != AUDIT_NOQUIET && 166 AUDIT_MODE(profile) != AUDIT_ALL) 167 request &= ~perms->quiet; 168 169 if (!request) 170 return error; 171 } 172 173 ad.subj_cred = subj_cred; 174 ad.name = name; 175 ad.mnt.src_name = src_name; 176 ad.mnt.type = type; 177 ad.mnt.trans = trans; 178 ad.mnt.flags = flags; 179 if (data && (perms->audit & AA_AUDIT_DATA)) 180 ad.mnt.data = data; 181 ad.info = info; 182 ad.error = error; 183 184 return aa_audit(audit_type, profile, &ad, audit_cb); 185 } 186 187 /** 188 * match_mnt_flags - Do an ordered match on mount flags 189 * @dfa: dfa to match against 190 * @state: state to start in 191 * @flags: mount flags to match against 192 * 193 * Mount flags are encoded as an ordered match. This is done instead of 194 * checking against a simple bitmask, to allow for logical operations 195 * on the flags. 196 * 197 * Returns: next state after flags match 198 */ 199 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, 200 unsigned long flags) 201 { 202 unsigned int i; 203 204 for (i = 0; i <= 31 ; ++i) { 205 if ((1 << i) & flags) 206 state = aa_dfa_next(dfa, state, i + 1); 207 } 208 209 return state; 210 } 211 212 static const char * const mnt_info_table[] = { 213 "match succeeded", 214 "failed mntpnt match", 215 "failed srcname match", 216 "failed type match", 217 "failed flags match", 218 "failed data match", 219 "failed perms check" 220 }; 221 222 /* 223 * Returns 0 on success else element that match failed in, this is the 224 * index into the mnt_info_table above 225 */ 226 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, 227 const char *mntpnt, const char *devname, 228 const char *type, unsigned long flags, 229 void *data, bool binary, struct aa_perms *perms) 230 { 231 aa_state_t state; 232 233 AA_BUG(!policy); 234 AA_BUG(!policy->dfa); 235 AA_BUG(!policy->perms); 236 AA_BUG(!perms); 237 238 state = aa_dfa_match(policy->dfa, start, mntpnt); 239 state = aa_dfa_null_transition(policy->dfa, state); 240 if (!state) 241 return 1; 242 243 if (devname) 244 state = aa_dfa_match(policy->dfa, state, devname); 245 state = aa_dfa_null_transition(policy->dfa, state); 246 if (!state) 247 return 2; 248 249 if (type) 250 state = aa_dfa_match(policy->dfa, state, type); 251 state = aa_dfa_null_transition(policy->dfa, state); 252 if (!state) 253 return 3; 254 255 state = match_mnt_flags(policy->dfa, state, flags); 256 if (!state) 257 return 4; 258 *perms = *aa_lookup_perms(policy, state); 259 if (perms->allow & AA_MAY_MOUNT) 260 return 0; 261 262 /* only match data if not binary and the DFA flags data is expected */ 263 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { 264 state = aa_dfa_null_transition(policy->dfa, state); 265 if (!state) 266 return 4; 267 268 state = aa_dfa_match(policy->dfa, state, data); 269 if (!state) 270 return 5; 271 *perms = *aa_lookup_perms(policy, state); 272 if (perms->allow & AA_MAY_MOUNT) 273 return 0; 274 } 275 276 /* failed at perms check, don't confuse with flags match */ 277 return 6; 278 } 279 280 281 static int path_flags(struct aa_profile *profile, const struct path *path) 282 { 283 AA_BUG(!profile); 284 AA_BUG(!path); 285 286 return profile->path_flags | 287 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); 288 } 289 290 /** 291 * match_mnt_path_str - handle path matching for mount 292 * @subj_cred: cred of confined subject 293 * @profile: the confining profile 294 * @mntpath: for the mntpnt (NOT NULL) 295 * @buffer: buffer to be used to lookup mntpath 296 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) 297 * @type: string for the dev type (MAYBE NULL) 298 * @flags: mount flags to match 299 * @data: fs mount data (MAYBE NULL) 300 * @binary: whether @data is binary 301 * @devinfo: error str if (IS_ERR(@devname)) 302 * 303 * Returns: 0 on success else error 304 */ 305 static int match_mnt_path_str(const struct cred *subj_cred, 306 struct aa_profile *profile, 307 const struct path *mntpath, char *buffer, 308 const char *devname, const char *type, 309 unsigned long flags, void *data, bool binary, 310 const char *devinfo) 311 { 312 struct aa_perms perms = { }; 313 const char *mntpnt = NULL, *info = NULL; 314 struct aa_ruleset *rules = list_first_entry(&profile->rules, 315 typeof(*rules), list); 316 int pos, error; 317 318 AA_BUG(!profile); 319 AA_BUG(!mntpath); 320 AA_BUG(!buffer); 321 322 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 323 return 0; 324 325 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 326 &mntpnt, &info, profile->disconnected); 327 if (error) 328 goto audit; 329 if (IS_ERR(devname)) { 330 error = PTR_ERR(devname); 331 devname = NULL; 332 info = devinfo; 333 goto audit; 334 } 335 336 error = -EACCES; 337 pos = do_match_mnt(rules->policy, 338 rules->policy->start[AA_CLASS_MOUNT], 339 mntpnt, devname, type, flags, data, binary, &perms); 340 if (pos) { 341 info = mnt_info_table[pos]; 342 goto audit; 343 } 344 error = 0; 345 346 audit: 347 return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname, 348 type, NULL, 349 flags, data, AA_MAY_MOUNT, &perms, info, error); 350 } 351 352 /** 353 * match_mnt - handle path matching for mount 354 * @subj_cred: cred of the subject 355 * @profile: the confining profile 356 * @path: for the mntpnt (NOT NULL) 357 * @buffer: buffer to be used to lookup mntpath 358 * @devpath: path devname/src_name (MAYBE NULL) 359 * @devbuffer: buffer to be used to lookup devname/src_name 360 * @type: string for the dev type (MAYBE NULL) 361 * @flags: mount flags to match 362 * @data: fs mount data (MAYBE NULL) 363 * @binary: whether @data is binary 364 * 365 * Returns: 0 on success else error 366 */ 367 static int match_mnt(const struct cred *subj_cred, 368 struct aa_profile *profile, const struct path *path, 369 char *buffer, const struct path *devpath, char *devbuffer, 370 const char *type, unsigned long flags, void *data, 371 bool binary) 372 { 373 const char *devname = NULL, *info = NULL; 374 struct aa_ruleset *rules = list_first_entry(&profile->rules, 375 typeof(*rules), list); 376 int error = -EACCES; 377 378 AA_BUG(!profile); 379 AA_BUG(devpath && !devbuffer); 380 381 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 382 return 0; 383 384 if (devpath) { 385 error = aa_path_name(devpath, path_flags(profile, devpath), 386 devbuffer, &devname, &info, 387 profile->disconnected); 388 if (error) 389 devname = ERR_PTR(error); 390 } 391 392 return match_mnt_path_str(subj_cred, profile, path, buffer, devname, 393 type, flags, data, binary, info); 394 } 395 396 int aa_remount(const struct cred *subj_cred, 397 struct aa_label *label, const struct path *path, 398 unsigned long flags, void *data) 399 { 400 struct aa_profile *profile; 401 char *buffer = NULL; 402 bool binary; 403 int error; 404 405 AA_BUG(!label); 406 AA_BUG(!path); 407 408 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; 409 410 buffer = aa_get_buffer(false); 411 if (!buffer) 412 return -ENOMEM; 413 error = fn_for_each_confined(label, profile, 414 match_mnt(subj_cred, profile, path, buffer, NULL, 415 NULL, NULL, 416 flags, data, binary)); 417 aa_put_buffer(buffer); 418 419 return error; 420 } 421 422 int aa_bind_mount(const struct cred *subj_cred, 423 struct aa_label *label, const struct path *path, 424 const char *dev_name, unsigned long flags) 425 { 426 struct aa_profile *profile; 427 char *buffer = NULL, *old_buffer = NULL; 428 struct path old_path; 429 int error; 430 431 AA_BUG(!label); 432 AA_BUG(!path); 433 434 if (!dev_name || !*dev_name) 435 return -EINVAL; 436 437 flags &= MS_REC | MS_BIND; 438 439 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); 440 if (error) 441 return error; 442 443 buffer = aa_get_buffer(false); 444 old_buffer = aa_get_buffer(false); 445 error = -ENOMEM; 446 if (!buffer || !old_buffer) 447 goto out; 448 449 error = fn_for_each_confined(label, profile, 450 match_mnt(subj_cred, profile, path, buffer, &old_path, 451 old_buffer, NULL, flags, NULL, false)); 452 out: 453 aa_put_buffer(buffer); 454 aa_put_buffer(old_buffer); 455 path_put(&old_path); 456 457 return error; 458 } 459 460 int aa_mount_change_type(const struct cred *subj_cred, 461 struct aa_label *label, const struct path *path, 462 unsigned long flags) 463 { 464 struct aa_profile *profile; 465 char *buffer = NULL; 466 int error; 467 468 AA_BUG(!label); 469 AA_BUG(!path); 470 471 /* These are the flags allowed by do_change_type() */ 472 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | 473 MS_UNBINDABLE); 474 475 buffer = aa_get_buffer(false); 476 if (!buffer) 477 return -ENOMEM; 478 error = fn_for_each_confined(label, profile, 479 match_mnt(subj_cred, profile, path, buffer, NULL, 480 NULL, NULL, 481 flags, NULL, false)); 482 aa_put_buffer(buffer); 483 484 return error; 485 } 486 487 int aa_move_mount(const struct cred *subj_cred, 488 struct aa_label *label, const struct path *from_path, 489 const struct path *to_path) 490 { 491 struct aa_profile *profile; 492 char *to_buffer = NULL, *from_buffer = NULL; 493 int error; 494 495 AA_BUG(!label); 496 AA_BUG(!from_path); 497 AA_BUG(!to_path); 498 499 to_buffer = aa_get_buffer(false); 500 from_buffer = aa_get_buffer(false); 501 error = -ENOMEM; 502 if (!to_buffer || !from_buffer) 503 goto out; 504 505 if (!our_mnt(from_path->mnt)) 506 /* moving a mount detached from the namespace */ 507 from_path = NULL; 508 error = fn_for_each_confined(label, profile, 509 match_mnt(subj_cred, profile, to_path, to_buffer, 510 from_path, from_buffer, 511 NULL, MS_MOVE, NULL, false)); 512 out: 513 aa_put_buffer(to_buffer); 514 aa_put_buffer(from_buffer); 515 516 return error; 517 } 518 519 int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label, 520 const struct path *path, const char *orig_name) 521 { 522 struct path old_path; 523 int error; 524 525 if (!orig_name || !*orig_name) 526 return -EINVAL; 527 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); 528 if (error) 529 return error; 530 531 error = aa_move_mount(subj_cred, label, &old_path, path); 532 path_put(&old_path); 533 534 return error; 535 } 536 537 int aa_new_mount(const struct cred *subj_cred, struct aa_label *label, 538 const char *dev_name, const struct path *path, 539 const char *type, unsigned long flags, void *data) 540 { 541 struct aa_profile *profile; 542 char *buffer = NULL, *dev_buffer = NULL; 543 bool binary = true; 544 int error; 545 int requires_dev = 0; 546 struct path tmp_path, *dev_path = NULL; 547 548 AA_BUG(!label); 549 AA_BUG(!path); 550 551 if (type) { 552 struct file_system_type *fstype; 553 554 fstype = get_fs_type(type); 555 if (!fstype) 556 return -ENODEV; 557 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; 558 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; 559 put_filesystem(fstype); 560 561 if (requires_dev) { 562 if (!dev_name || !*dev_name) 563 return -ENOENT; 564 565 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); 566 if (error) 567 return error; 568 dev_path = &tmp_path; 569 } 570 } 571 572 buffer = aa_get_buffer(false); 573 if (!buffer) { 574 error = -ENOMEM; 575 goto out; 576 } 577 if (dev_path) { 578 dev_buffer = aa_get_buffer(false); 579 if (!dev_buffer) { 580 error = -ENOMEM; 581 goto out; 582 } 583 error = fn_for_each_confined(label, profile, 584 match_mnt(subj_cred, profile, path, buffer, 585 dev_path, dev_buffer, 586 type, flags, data, binary)); 587 } else { 588 error = fn_for_each_confined(label, profile, 589 match_mnt_path_str(subj_cred, profile, path, 590 buffer, dev_name, 591 type, flags, data, binary, NULL)); 592 } 593 594 out: 595 aa_put_buffer(buffer); 596 aa_put_buffer(dev_buffer); 597 if (dev_path) 598 path_put(dev_path); 599 600 return error; 601 } 602 603 static int profile_umount(const struct cred *subj_cred, 604 struct aa_profile *profile, const struct path *path, 605 char *buffer) 606 { 607 struct aa_ruleset *rules = list_first_entry(&profile->rules, 608 typeof(*rules), list); 609 struct aa_perms perms = { }; 610 const char *name = NULL, *info = NULL; 611 aa_state_t state; 612 int error; 613 614 AA_BUG(!profile); 615 AA_BUG(!path); 616 617 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 618 return 0; 619 620 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 621 &info, profile->disconnected); 622 if (error) 623 goto audit; 624 625 state = aa_dfa_match(rules->policy->dfa, 626 rules->policy->start[AA_CLASS_MOUNT], 627 name); 628 perms = *aa_lookup_perms(rules->policy, state); 629 if (AA_MAY_UMOUNT & ~perms.allow) 630 error = -EACCES; 631 632 audit: 633 return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL, 634 NULL, 0, NULL, 635 AA_MAY_UMOUNT, &perms, info, error); 636 } 637 638 int aa_umount(const struct cred *subj_cred, struct aa_label *label, 639 struct vfsmount *mnt, int flags) 640 { 641 struct aa_profile *profile; 642 char *buffer = NULL; 643 int error; 644 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 645 646 AA_BUG(!label); 647 AA_BUG(!mnt); 648 649 buffer = aa_get_buffer(false); 650 if (!buffer) 651 return -ENOMEM; 652 653 error = fn_for_each_confined(label, profile, 654 profile_umount(subj_cred, profile, &path, buffer)); 655 aa_put_buffer(buffer); 656 657 return error; 658 } 659 660 /* helper fn for transition on pivotroot 661 * 662 * Returns: label for transition or ERR_PTR. Does not return NULL 663 */ 664 static struct aa_label *build_pivotroot(const struct cred *subj_cred, 665 struct aa_profile *profile, 666 const struct path *new_path, 667 char *new_buffer, 668 const struct path *old_path, 669 char *old_buffer) 670 { 671 struct aa_ruleset *rules = list_first_entry(&profile->rules, 672 typeof(*rules), list); 673 const char *old_name, *new_name = NULL, *info = NULL; 674 const char *trans_name = NULL; 675 struct aa_perms perms = { }; 676 aa_state_t state; 677 int error; 678 679 AA_BUG(!profile); 680 AA_BUG(!new_path); 681 AA_BUG(!old_path); 682 683 if (profile_unconfined(profile) || 684 !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 685 return aa_get_newest_label(&profile->label); 686 687 error = aa_path_name(old_path, path_flags(profile, old_path), 688 old_buffer, &old_name, &info, 689 profile->disconnected); 690 if (error) 691 goto audit; 692 error = aa_path_name(new_path, path_flags(profile, new_path), 693 new_buffer, &new_name, &info, 694 profile->disconnected); 695 if (error) 696 goto audit; 697 698 error = -EACCES; 699 state = aa_dfa_match(rules->policy->dfa, 700 rules->policy->start[AA_CLASS_MOUNT], 701 new_name); 702 state = aa_dfa_null_transition(rules->policy->dfa, state); 703 state = aa_dfa_match(rules->policy->dfa, state, old_name); 704 perms = *aa_lookup_perms(rules->policy, state); 705 706 if (AA_MAY_PIVOTROOT & perms.allow) 707 error = 0; 708 709 audit: 710 error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name, 711 old_name, 712 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, 713 &perms, info, error); 714 if (error) 715 return ERR_PTR(error); 716 717 return aa_get_newest_label(&profile->label); 718 } 719 720 int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label, 721 const struct path *old_path, 722 const struct path *new_path) 723 { 724 struct aa_profile *profile; 725 struct aa_label *target = NULL; 726 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; 727 int error; 728 729 AA_BUG(!label); 730 AA_BUG(!old_path); 731 AA_BUG(!new_path); 732 733 old_buffer = aa_get_buffer(false); 734 new_buffer = aa_get_buffer(false); 735 error = -ENOMEM; 736 if (!old_buffer || !new_buffer) 737 goto out; 738 target = fn_label_build(label, profile, GFP_KERNEL, 739 build_pivotroot(subj_cred, profile, new_path, 740 new_buffer, 741 old_path, old_buffer)); 742 if (!target) { 743 info = "label build failed"; 744 error = -ENOMEM; 745 goto fail; 746 } else if (!IS_ERR(target)) { 747 error = aa_replace_current_label(target); 748 if (error) { 749 /* TODO: audit target */ 750 aa_put_label(target); 751 goto out; 752 } 753 aa_put_label(target); 754 } else 755 /* already audited error */ 756 error = PTR_ERR(target); 757 out: 758 aa_put_buffer(old_buffer); 759 aa_put_buffer(new_buffer); 760 761 return error; 762 763 fail: 764 /* TODO: add back in auditing of new_name and old_name */ 765 error = fn_for_each(label, profile, 766 audit_mount(subj_cred, profile, OP_PIVOTROOT, 767 NULL /*new_name */, 768 NULL /* old_name */, 769 NULL, NULL, 770 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, 771 error)); 772 goto out; 773 } 774