1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor mediation of files
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2017 Canonical Ltd.
9 */
10
11 #include <linux/fs.h>
12 #include <linux/mount.h>
13 #include <linux/namei.h>
14 #include <uapi/linux/mount.h>
15
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/cred.h"
19 #include "include/domain.h"
20 #include "include/file.h"
21 #include "include/match.h"
22 #include "include/mount.h"
23 #include "include/path.h"
24 #include "include/policy.h"
25
26
audit_mnt_flags(struct audit_buffer * ab,unsigned long flags)27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
28 {
29 if (flags & MS_RDONLY)
30 audit_log_format(ab, "ro");
31 else
32 audit_log_format(ab, "rw");
33 if (flags & MS_NOSUID)
34 audit_log_format(ab, ", nosuid");
35 if (flags & MS_NODEV)
36 audit_log_format(ab, ", nodev");
37 if (flags & MS_NOEXEC)
38 audit_log_format(ab, ", noexec");
39 if (flags & MS_SYNCHRONOUS)
40 audit_log_format(ab, ", sync");
41 if (flags & MS_REMOUNT)
42 audit_log_format(ab, ", remount");
43 if (flags & MS_MANDLOCK)
44 audit_log_format(ab, ", mand");
45 if (flags & MS_DIRSYNC)
46 audit_log_format(ab, ", dirsync");
47 if (flags & MS_NOATIME)
48 audit_log_format(ab, ", noatime");
49 if (flags & MS_NODIRATIME)
50 audit_log_format(ab, ", nodiratime");
51 if (flags & MS_BIND)
52 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
53 if (flags & MS_MOVE)
54 audit_log_format(ab, ", move");
55 if (flags & MS_SILENT)
56 audit_log_format(ab, ", silent");
57 if (flags & MS_POSIXACL)
58 audit_log_format(ab, ", acl");
59 if (flags & MS_UNBINDABLE)
60 audit_log_format(ab, flags & MS_REC ? ", runbindable" :
61 ", unbindable");
62 if (flags & MS_PRIVATE)
63 audit_log_format(ab, flags & MS_REC ? ", rprivate" :
64 ", private");
65 if (flags & MS_SLAVE)
66 audit_log_format(ab, flags & MS_REC ? ", rslave" :
67 ", slave");
68 if (flags & MS_SHARED)
69 audit_log_format(ab, flags & MS_REC ? ", rshared" :
70 ", shared");
71 if (flags & MS_RELATIME)
72 audit_log_format(ab, ", relatime");
73 if (flags & MS_I_VERSION)
74 audit_log_format(ab, ", iversion");
75 if (flags & MS_STRICTATIME)
76 audit_log_format(ab, ", strictatime");
77 if (flags & MS_NOUSER)
78 audit_log_format(ab, ", nouser");
79 }
80
81 /**
82 * audit_cb - call back for mount specific audit fields
83 * @ab: audit_buffer (NOT NULL)
84 * @va: audit struct to audit values of (NOT NULL)
85 */
audit_cb(struct audit_buffer * ab,void * va)86 static void audit_cb(struct audit_buffer *ab, void *va)
87 {
88 struct common_audit_data *sa = va;
89 struct apparmor_audit_data *ad = aad(sa);
90
91 if (ad->mnt.type) {
92 audit_log_format(ab, " fstype=");
93 audit_log_untrustedstring(ab, ad->mnt.type);
94 }
95 if (ad->mnt.src_name) {
96 audit_log_format(ab, " srcname=");
97 audit_log_untrustedstring(ab, ad->mnt.src_name);
98 }
99 if (ad->mnt.trans) {
100 audit_log_format(ab, " trans=");
101 audit_log_untrustedstring(ab, ad->mnt.trans);
102 }
103 if (ad->mnt.flags) {
104 audit_log_format(ab, " flags=\"");
105 audit_mnt_flags(ab, ad->mnt.flags);
106 audit_log_format(ab, "\"");
107 }
108 if (ad->mnt.data) {
109 audit_log_format(ab, " options=");
110 audit_log_untrustedstring(ab, ad->mnt.data);
111 }
112 }
113
114 /**
115 * audit_mount - handle the auditing of mount operations
116 * @subj_cred: cred of the subject
117 * @profile: the profile being enforced (NOT NULL)
118 * @op: operation being mediated (NOT NULL)
119 * @name: name of object being mediated (MAYBE NULL)
120 * @src_name: src_name of object being mediated (MAYBE_NULL)
121 * @type: type of filesystem (MAYBE_NULL)
122 * @trans: name of trans (MAYBE NULL)
123 * @flags: filesystem independent mount flags
124 * @data: filesystem mount flags
125 * @request: permissions requested
126 * @perms: the permissions computed for the request (NOT NULL)
127 * @info: extra information message (MAYBE NULL)
128 * @error: 0 if operation allowed else failure error code
129 *
130 * Returns: %0 or error on failure
131 */
audit_mount(const struct cred * subj_cred,struct aa_profile * profile,const char * op,const char * name,const char * src_name,const char * type,const char * trans,unsigned long flags,const void * data,u32 request,struct aa_perms * perms,const char * info,int error)132 static int audit_mount(const struct cred *subj_cred,
133 struct aa_profile *profile, const char *op,
134 const char *name, const char *src_name,
135 const char *type, const char *trans,
136 unsigned long flags, const void *data, u32 request,
137 struct aa_perms *perms, const char *info, int error)
138 {
139 int audit_type = AUDIT_APPARMOR_AUTO;
140 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
141
142 if (likely(!error)) {
143 u32 mask = perms->audit;
144
145 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
146 mask = 0xffff;
147
148 /* mask off perms that are not being force audited */
149 request &= mask;
150
151 if (likely(!request))
152 return 0;
153 audit_type = AUDIT_APPARMOR_AUDIT;
154 } else {
155 /* only report permissions that were denied */
156 request = request & ~perms->allow;
157
158 if (request & perms->kill)
159 audit_type = AUDIT_APPARMOR_KILL;
160
161 /* quiet known rejects, assumes quiet and kill do not overlap */
162 if ((request & perms->quiet) &&
163 AUDIT_MODE(profile) != AUDIT_NOQUIET &&
164 AUDIT_MODE(profile) != AUDIT_ALL)
165 request &= ~perms->quiet;
166
167 if (!request)
168 return error;
169 }
170
171 ad.subj_cred = subj_cred;
172 ad.name = name;
173 ad.mnt.src_name = src_name;
174 ad.mnt.type = type;
175 ad.mnt.trans = trans;
176 ad.mnt.flags = flags;
177 if (data && (perms->audit & AA_AUDIT_DATA))
178 ad.mnt.data = data;
179 ad.info = info;
180 ad.error = error;
181
182 return aa_audit(audit_type, profile, &ad, audit_cb);
183 }
184
185 /**
186 * match_mnt_flags - Do an ordered match on mount flags
187 * @dfa: dfa to match against
188 * @state: state to start in
189 * @flags: mount flags to match against
190 *
191 * Mount flags are encoded as an ordered match. This is done instead of
192 * checking against a simple bitmask, to allow for logical operations
193 * on the flags.
194 *
195 * Returns: next state after flags match
196 */
match_mnt_flags(struct aa_dfa * dfa,aa_state_t state,unsigned long flags)197 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
198 unsigned long flags)
199 {
200 unsigned int i;
201
202 for (i = 0; i <= 31 ; ++i) {
203 if ((1 << i) & flags)
204 state = aa_dfa_next(dfa, state, i + 1);
205 }
206
207 return state;
208 }
209
210 static const char * const mnt_info_table[] = {
211 "match succeeded",
212 "failed mntpnt match",
213 "failed srcname match",
214 "failed type match",
215 "failed flags match",
216 "failed data match",
217 "failed perms check"
218 };
219
220 /*
221 * Returns 0 on success else element that match failed in, this is the
222 * index into the mnt_info_table above
223 */
do_match_mnt(struct aa_policydb * policy,aa_state_t start,const char * mntpnt,const char * devname,const char * type,unsigned long flags,void * data,bool binary,struct aa_perms * perms)224 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
225 const char *mntpnt, const char *devname,
226 const char *type, unsigned long flags,
227 void *data, bool binary, struct aa_perms *perms)
228 {
229 aa_state_t state;
230
231 AA_BUG(!policy);
232 AA_BUG(!policy->dfa);
233 AA_BUG(!policy->perms);
234 AA_BUG(!perms);
235
236 state = aa_dfa_match(policy->dfa, start, mntpnt);
237 state = aa_dfa_null_transition(policy->dfa, state);
238 if (!state)
239 return 1;
240
241 if (devname)
242 state = aa_dfa_match(policy->dfa, state, devname);
243 state = aa_dfa_null_transition(policy->dfa, state);
244 if (!state)
245 return 2;
246
247 if (type)
248 state = aa_dfa_match(policy->dfa, state, type);
249 state = aa_dfa_null_transition(policy->dfa, state);
250 if (!state)
251 return 3;
252
253 state = match_mnt_flags(policy->dfa, state, flags);
254 if (!state)
255 return 4;
256 *perms = *aa_lookup_perms(policy, state);
257 if (perms->allow & AA_MAY_MOUNT)
258 return 0;
259
260 /* only match data if not binary and the DFA flags data is expected */
261 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
262 state = aa_dfa_null_transition(policy->dfa, state);
263 if (!state)
264 return 4;
265
266 state = aa_dfa_match(policy->dfa, state, data);
267 if (!state)
268 return 5;
269 *perms = *aa_lookup_perms(policy, state);
270 if (perms->allow & AA_MAY_MOUNT)
271 return 0;
272 }
273
274 /* failed at perms check, don't confuse with flags match */
275 return 6;
276 }
277
278
path_flags(struct aa_profile * profile,const struct path * path)279 static int path_flags(struct aa_profile *profile, const struct path *path)
280 {
281 AA_BUG(!profile);
282 AA_BUG(!path);
283
284 return profile->path_flags |
285 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
286 }
287
288 /**
289 * match_mnt_path_str - handle path matching for mount
290 * @subj_cred: cred of confined subject
291 * @profile: the confining profile
292 * @mntpath: for the mntpnt (NOT NULL)
293 * @buffer: buffer to be used to lookup mntpath
294 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
295 * @type: string for the dev type (MAYBE NULL)
296 * @flags: mount flags to match
297 * @data: fs mount data (MAYBE NULL)
298 * @binary: whether @data is binary
299 * @devinfo: error str if (IS_ERR(@devname))
300 *
301 * Returns: 0 on success else error
302 */
match_mnt_path_str(const struct cred * subj_cred,struct aa_profile * profile,const struct path * mntpath,char * buffer,const char * devname,const char * type,unsigned long flags,void * data,bool binary,const char * devinfo)303 static int match_mnt_path_str(const struct cred *subj_cred,
304 struct aa_profile *profile,
305 const struct path *mntpath, char *buffer,
306 const char *devname, const char *type,
307 unsigned long flags, void *data, bool binary,
308 const char *devinfo)
309 {
310 struct aa_perms perms = { };
311 const char *mntpnt = NULL, *info = NULL;
312 struct aa_ruleset *rules = list_first_entry(&profile->rules,
313 typeof(*rules), list);
314 int pos, error;
315
316 AA_BUG(!profile);
317 AA_BUG(!mntpath);
318 AA_BUG(!buffer);
319
320 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
321 return 0;
322
323 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
324 &mntpnt, &info, profile->disconnected);
325 if (error)
326 goto audit;
327 if (IS_ERR(devname)) {
328 error = PTR_ERR(devname);
329 devname = NULL;
330 info = devinfo;
331 goto audit;
332 }
333
334 error = -EACCES;
335 pos = do_match_mnt(&rules->policy,
336 rules->policy.start[AA_CLASS_MOUNT],
337 mntpnt, devname, type, flags, data, binary, &perms);
338 if (pos) {
339 info = mnt_info_table[pos];
340 goto audit;
341 }
342 error = 0;
343
344 audit:
345 return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname,
346 type, NULL,
347 flags, data, AA_MAY_MOUNT, &perms, info, error);
348 }
349
350 /**
351 * match_mnt - handle path matching for mount
352 * @subj_cred: cred of the subject
353 * @profile: the confining profile
354 * @path: for the mntpnt (NOT NULL)
355 * @buffer: buffer to be used to lookup mntpath
356 * @devpath: path devname/src_name (MAYBE NULL)
357 * @devbuffer: buffer to be used to lookup devname/src_name
358 * @type: string for the dev type (MAYBE NULL)
359 * @flags: mount flags to match
360 * @data: fs mount data (MAYBE NULL)
361 * @binary: whether @data is binary
362 *
363 * Returns: 0 on success else error
364 */
match_mnt(const struct cred * subj_cred,struct aa_profile * profile,const struct path * path,char * buffer,const struct path * devpath,char * devbuffer,const char * type,unsigned long flags,void * data,bool binary)365 static int match_mnt(const struct cred *subj_cred,
366 struct aa_profile *profile, const struct path *path,
367 char *buffer, const struct path *devpath, char *devbuffer,
368 const char *type, unsigned long flags, void *data,
369 bool binary)
370 {
371 const char *devname = NULL, *info = NULL;
372 struct aa_ruleset *rules = list_first_entry(&profile->rules,
373 typeof(*rules), list);
374 int error = -EACCES;
375
376 AA_BUG(!profile);
377 AA_BUG(devpath && !devbuffer);
378
379 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
380 return 0;
381
382 if (devpath) {
383 error = aa_path_name(devpath, path_flags(profile, devpath),
384 devbuffer, &devname, &info,
385 profile->disconnected);
386 if (error)
387 devname = ERR_PTR(error);
388 }
389
390 return match_mnt_path_str(subj_cred, profile, path, buffer, devname,
391 type, flags, data, binary, info);
392 }
393
aa_remount(const struct cred * subj_cred,struct aa_label * label,const struct path * path,unsigned long flags,void * data)394 int aa_remount(const struct cred *subj_cred,
395 struct aa_label *label, const struct path *path,
396 unsigned long flags, void *data)
397 {
398 struct aa_profile *profile;
399 char *buffer = NULL;
400 bool binary;
401 int error;
402
403 AA_BUG(!label);
404 AA_BUG(!path);
405
406 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
407
408 buffer = aa_get_buffer(false);
409 if (!buffer)
410 return -ENOMEM;
411 error = fn_for_each_confined(label, profile,
412 match_mnt(subj_cred, profile, path, buffer, NULL,
413 NULL, NULL,
414 flags, data, binary));
415 aa_put_buffer(buffer);
416
417 return error;
418 }
419
aa_bind_mount(const struct cred * subj_cred,struct aa_label * label,const struct path * path,const char * dev_name,unsigned long flags)420 int aa_bind_mount(const struct cred *subj_cred,
421 struct aa_label *label, const struct path *path,
422 const char *dev_name, unsigned long flags)
423 {
424 struct aa_profile *profile;
425 char *buffer = NULL, *old_buffer = NULL;
426 struct path old_path;
427 int error;
428
429 AA_BUG(!label);
430 AA_BUG(!path);
431
432 if (!dev_name || !*dev_name)
433 return -EINVAL;
434
435 flags &= MS_REC | MS_BIND;
436
437 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
438 if (error)
439 return error;
440
441 buffer = aa_get_buffer(false);
442 old_buffer = aa_get_buffer(false);
443 error = -ENOMEM;
444 if (!buffer || !old_buffer)
445 goto out;
446
447 error = fn_for_each_confined(label, profile,
448 match_mnt(subj_cred, profile, path, buffer, &old_path,
449 old_buffer, NULL, flags, NULL, false));
450 out:
451 aa_put_buffer(buffer);
452 aa_put_buffer(old_buffer);
453 path_put(&old_path);
454
455 return error;
456 }
457
aa_mount_change_type(const struct cred * subj_cred,struct aa_label * label,const struct path * path,unsigned long flags)458 int aa_mount_change_type(const struct cred *subj_cred,
459 struct aa_label *label, const struct path *path,
460 unsigned long flags)
461 {
462 struct aa_profile *profile;
463 char *buffer = NULL;
464 int error;
465
466 AA_BUG(!label);
467 AA_BUG(!path);
468
469 /* These are the flags allowed by do_change_type() */
470 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
471 MS_UNBINDABLE);
472
473 buffer = aa_get_buffer(false);
474 if (!buffer)
475 return -ENOMEM;
476 error = fn_for_each_confined(label, profile,
477 match_mnt(subj_cred, profile, path, buffer, NULL,
478 NULL, NULL,
479 flags, NULL, false));
480 aa_put_buffer(buffer);
481
482 return error;
483 }
484
aa_move_mount(const struct cred * subj_cred,struct aa_label * label,const struct path * from_path,const struct path * to_path)485 int aa_move_mount(const struct cred *subj_cred,
486 struct aa_label *label, const struct path *from_path,
487 const struct path *to_path)
488 {
489 struct aa_profile *profile;
490 char *to_buffer = NULL, *from_buffer = NULL;
491 int error;
492
493 AA_BUG(!label);
494 AA_BUG(!from_path);
495 AA_BUG(!to_path);
496
497 to_buffer = aa_get_buffer(false);
498 from_buffer = aa_get_buffer(false);
499 error = -ENOMEM;
500 if (!to_buffer || !from_buffer)
501 goto out;
502
503 if (!our_mnt(from_path->mnt))
504 /* moving a mount detached from the namespace */
505 from_path = NULL;
506 error = fn_for_each_confined(label, profile,
507 match_mnt(subj_cred, profile, to_path, to_buffer,
508 from_path, from_buffer,
509 NULL, MS_MOVE, NULL, false));
510 out:
511 aa_put_buffer(to_buffer);
512 aa_put_buffer(from_buffer);
513
514 return error;
515 }
516
aa_move_mount_old(const struct cred * subj_cred,struct aa_label * label,const struct path * path,const char * orig_name)517 int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
518 const struct path *path, const char *orig_name)
519 {
520 struct path old_path;
521 int error;
522
523 if (!orig_name || !*orig_name)
524 return -EINVAL;
525 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
526 if (error)
527 return error;
528
529 error = aa_move_mount(subj_cred, label, &old_path, path);
530 path_put(&old_path);
531
532 return error;
533 }
534
aa_new_mount(const struct cred * subj_cred,struct aa_label * label,const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)535 int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
536 const char *dev_name, const struct path *path,
537 const char *type, unsigned long flags, void *data)
538 {
539 struct aa_profile *profile;
540 char *buffer = NULL, *dev_buffer = NULL;
541 bool binary = true;
542 int error;
543 int requires_dev = 0;
544 struct path tmp_path, *dev_path = NULL;
545
546 AA_BUG(!label);
547 AA_BUG(!path);
548
549 if (type) {
550 struct file_system_type *fstype;
551
552 fstype = get_fs_type(type);
553 if (!fstype)
554 return -ENODEV;
555 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
556 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
557 put_filesystem(fstype);
558
559 if (requires_dev) {
560 if (!dev_name || !*dev_name)
561 return -ENOENT;
562
563 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
564 if (error)
565 return error;
566 dev_path = &tmp_path;
567 }
568 }
569
570 buffer = aa_get_buffer(false);
571 if (!buffer) {
572 error = -ENOMEM;
573 goto out;
574 }
575 if (dev_path) {
576 dev_buffer = aa_get_buffer(false);
577 if (!dev_buffer) {
578 error = -ENOMEM;
579 goto out;
580 }
581 error = fn_for_each_confined(label, profile,
582 match_mnt(subj_cred, profile, path, buffer,
583 dev_path, dev_buffer,
584 type, flags, data, binary));
585 } else {
586 error = fn_for_each_confined(label, profile,
587 match_mnt_path_str(subj_cred, profile, path,
588 buffer, dev_name,
589 type, flags, data, binary, NULL));
590 }
591
592 out:
593 aa_put_buffer(buffer);
594 aa_put_buffer(dev_buffer);
595 if (dev_path)
596 path_put(dev_path);
597
598 return error;
599 }
600
profile_umount(const struct cred * subj_cred,struct aa_profile * profile,const struct path * path,char * buffer)601 static int profile_umount(const struct cred *subj_cred,
602 struct aa_profile *profile, const struct path *path,
603 char *buffer)
604 {
605 struct aa_ruleset *rules = list_first_entry(&profile->rules,
606 typeof(*rules), list);
607 struct aa_perms perms = { };
608 const char *name = NULL, *info = NULL;
609 aa_state_t state;
610 int error;
611
612 AA_BUG(!profile);
613 AA_BUG(!path);
614
615 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
616 return 0;
617
618 error = aa_path_name(path, path_flags(profile, path), buffer, &name,
619 &info, profile->disconnected);
620 if (error)
621 goto audit;
622
623 state = aa_dfa_match(rules->policy.dfa,
624 rules->policy.start[AA_CLASS_MOUNT],
625 name);
626 perms = *aa_lookup_perms(&rules->policy, state);
627 if (AA_MAY_UMOUNT & ~perms.allow)
628 error = -EACCES;
629
630 audit:
631 return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
632 NULL, 0, NULL,
633 AA_MAY_UMOUNT, &perms, info, error);
634 }
635
aa_umount(const struct cred * subj_cred,struct aa_label * label,struct vfsmount * mnt,int flags)636 int aa_umount(const struct cred *subj_cred, struct aa_label *label,
637 struct vfsmount *mnt, int flags)
638 {
639 struct aa_profile *profile;
640 char *buffer = NULL;
641 int error;
642 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
643
644 AA_BUG(!label);
645 AA_BUG(!mnt);
646
647 buffer = aa_get_buffer(false);
648 if (!buffer)
649 return -ENOMEM;
650
651 error = fn_for_each_confined(label, profile,
652 profile_umount(subj_cred, profile, &path, buffer));
653 aa_put_buffer(buffer);
654
655 return error;
656 }
657
658 /* helper fn for transition on pivotroot
659 *
660 * Returns: label for transition or ERR_PTR. Does not return NULL
661 */
build_pivotroot(const struct cred * subj_cred,struct aa_profile * profile,const struct path * new_path,char * new_buffer,const struct path * old_path,char * old_buffer)662 static struct aa_label *build_pivotroot(const struct cred *subj_cred,
663 struct aa_profile *profile,
664 const struct path *new_path,
665 char *new_buffer,
666 const struct path *old_path,
667 char *old_buffer)
668 {
669 struct aa_ruleset *rules = list_first_entry(&profile->rules,
670 typeof(*rules), list);
671 const char *old_name, *new_name = NULL, *info = NULL;
672 const char *trans_name = NULL;
673 struct aa_perms perms = { };
674 aa_state_t state;
675 int error;
676
677 AA_BUG(!profile);
678 AA_BUG(!new_path);
679 AA_BUG(!old_path);
680
681 if (profile_unconfined(profile) ||
682 !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
683 return aa_get_newest_label(&profile->label);
684
685 error = aa_path_name(old_path, path_flags(profile, old_path),
686 old_buffer, &old_name, &info,
687 profile->disconnected);
688 if (error)
689 goto audit;
690 error = aa_path_name(new_path, path_flags(profile, new_path),
691 new_buffer, &new_name, &info,
692 profile->disconnected);
693 if (error)
694 goto audit;
695
696 error = -EACCES;
697 state = aa_dfa_match(rules->policy.dfa,
698 rules->policy.start[AA_CLASS_MOUNT],
699 new_name);
700 state = aa_dfa_null_transition(rules->policy.dfa, state);
701 state = aa_dfa_match(rules->policy.dfa, state, old_name);
702 perms = *aa_lookup_perms(&rules->policy, state);
703
704 if (AA_MAY_PIVOTROOT & perms.allow)
705 error = 0;
706
707 audit:
708 error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name,
709 old_name,
710 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
711 &perms, info, error);
712 if (error)
713 return ERR_PTR(error);
714
715 return aa_get_newest_label(&profile->label);
716 }
717
aa_pivotroot(const struct cred * subj_cred,struct aa_label * label,const struct path * old_path,const struct path * new_path)718 int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
719 const struct path *old_path,
720 const struct path *new_path)
721 {
722 struct aa_profile *profile;
723 struct aa_label *target = NULL;
724 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
725 int error;
726
727 AA_BUG(!label);
728 AA_BUG(!old_path);
729 AA_BUG(!new_path);
730
731 old_buffer = aa_get_buffer(false);
732 new_buffer = aa_get_buffer(false);
733 error = -ENOMEM;
734 if (!old_buffer || !new_buffer)
735 goto out;
736 target = fn_label_build(label, profile, GFP_KERNEL,
737 build_pivotroot(subj_cred, profile, new_path,
738 new_buffer,
739 old_path, old_buffer));
740 if (!target) {
741 info = "label build failed";
742 error = -ENOMEM;
743 goto fail;
744 } else if (!IS_ERR(target)) {
745 error = aa_replace_current_label(target);
746 if (error) {
747 /* TODO: audit target */
748 aa_put_label(target);
749 goto out;
750 }
751 aa_put_label(target);
752 } else
753 /* already audited error */
754 error = PTR_ERR(target);
755 out:
756 aa_put_buffer(old_buffer);
757 aa_put_buffer(new_buffer);
758
759 return error;
760
761 fail:
762 /* TODO: add back in auditing of new_name and old_name */
763 error = fn_for_each(label, profile,
764 audit_mount(subj_cred, profile, OP_PIVOTROOT,
765 NULL /*new_name */,
766 NULL /* old_name */,
767 NULL, NULL,
768 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
769 error));
770 goto out;
771 }
772