xref: /openbmc/linux/security/apparmor/mount.c (revision 2a12187d)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor mediation of files
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2017 Canonical Ltd.
9  */
10 
11 #include <linux/fs.h>
12 #include <linux/mount.h>
13 #include <linux/namei.h>
14 #include <uapi/linux/mount.h>
15 
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/cred.h"
19 #include "include/domain.h"
20 #include "include/file.h"
21 #include "include/match.h"
22 #include "include/mount.h"
23 #include "include/path.h"
24 #include "include/policy.h"
25 
26 
27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
28 {
29 	if (flags & MS_RDONLY)
30 		audit_log_format(ab, "ro");
31 	else
32 		audit_log_format(ab, "rw");
33 	if (flags & MS_NOSUID)
34 		audit_log_format(ab, ", nosuid");
35 	if (flags & MS_NODEV)
36 		audit_log_format(ab, ", nodev");
37 	if (flags & MS_NOEXEC)
38 		audit_log_format(ab, ", noexec");
39 	if (flags & MS_SYNCHRONOUS)
40 		audit_log_format(ab, ", sync");
41 	if (flags & MS_REMOUNT)
42 		audit_log_format(ab, ", remount");
43 	if (flags & MS_MANDLOCK)
44 		audit_log_format(ab, ", mand");
45 	if (flags & MS_DIRSYNC)
46 		audit_log_format(ab, ", dirsync");
47 	if (flags & MS_NOATIME)
48 		audit_log_format(ab, ", noatime");
49 	if (flags & MS_NODIRATIME)
50 		audit_log_format(ab, ", nodiratime");
51 	if (flags & MS_BIND)
52 		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
53 	if (flags & MS_MOVE)
54 		audit_log_format(ab, ", move");
55 	if (flags & MS_SILENT)
56 		audit_log_format(ab, ", silent");
57 	if (flags & MS_POSIXACL)
58 		audit_log_format(ab, ", acl");
59 	if (flags & MS_UNBINDABLE)
60 		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
61 				 ", unbindable");
62 	if (flags & MS_PRIVATE)
63 		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
64 				 ", private");
65 	if (flags & MS_SLAVE)
66 		audit_log_format(ab, flags & MS_REC ? ", rslave" :
67 				 ", slave");
68 	if (flags & MS_SHARED)
69 		audit_log_format(ab, flags & MS_REC ? ", rshared" :
70 				 ", shared");
71 	if (flags & MS_RELATIME)
72 		audit_log_format(ab, ", relatime");
73 	if (flags & MS_I_VERSION)
74 		audit_log_format(ab, ", iversion");
75 	if (flags & MS_STRICTATIME)
76 		audit_log_format(ab, ", strictatime");
77 	if (flags & MS_NOUSER)
78 		audit_log_format(ab, ", nouser");
79 }
80 
81 /**
82  * audit_cb - call back for mount specific audit fields
83  * @ab: audit_buffer  (NOT NULL)
84  * @va: audit struct to audit values of  (NOT NULL)
85  */
86 static void audit_cb(struct audit_buffer *ab, void *va)
87 {
88 	struct common_audit_data *sa = va;
89 
90 	if (aad(sa)->mnt.type) {
91 		audit_log_format(ab, " fstype=");
92 		audit_log_untrustedstring(ab, aad(sa)->mnt.type);
93 	}
94 	if (aad(sa)->mnt.src_name) {
95 		audit_log_format(ab, " srcname=");
96 		audit_log_untrustedstring(ab, aad(sa)->mnt.src_name);
97 	}
98 	if (aad(sa)->mnt.trans) {
99 		audit_log_format(ab, " trans=");
100 		audit_log_untrustedstring(ab, aad(sa)->mnt.trans);
101 	}
102 	if (aad(sa)->mnt.flags) {
103 		audit_log_format(ab, " flags=\"");
104 		audit_mnt_flags(ab, aad(sa)->mnt.flags);
105 		audit_log_format(ab, "\"");
106 	}
107 	if (aad(sa)->mnt.data) {
108 		audit_log_format(ab, " options=");
109 		audit_log_untrustedstring(ab, aad(sa)->mnt.data);
110 	}
111 }
112 
113 /**
114  * audit_mount - handle the auditing of mount operations
115  * @profile: the profile being enforced  (NOT NULL)
116  * @op: operation being mediated (NOT NULL)
117  * @name: name of object being mediated (MAYBE NULL)
118  * @src_name: src_name of object being mediated (MAYBE_NULL)
119  * @type: type of filesystem (MAYBE_NULL)
120  * @trans: name of trans (MAYBE NULL)
121  * @flags: filesystem independent mount flags
122  * @data: filesystem mount flags
123  * @request: permissions requested
124  * @perms: the permissions computed for the request (NOT NULL)
125  * @info: extra information message (MAYBE NULL)
126  * @error: 0 if operation allowed else failure error code
127  *
128  * Returns: %0 or error on failure
129  */
130 static int audit_mount(struct aa_profile *profile, const char *op,
131 		       const char *name, const char *src_name,
132 		       const char *type, const char *trans,
133 		       unsigned long flags, const void *data, u32 request,
134 		       struct aa_perms *perms, const char *info, int error)
135 {
136 	int audit_type = AUDIT_APPARMOR_AUTO;
137 	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
138 
139 	if (likely(!error)) {
140 		u32 mask = perms->audit;
141 
142 		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
143 			mask = 0xffff;
144 
145 		/* mask off perms that are not being force audited */
146 		request &= mask;
147 
148 		if (likely(!request))
149 			return 0;
150 		audit_type = AUDIT_APPARMOR_AUDIT;
151 	} else {
152 		/* only report permissions that were denied */
153 		request = request & ~perms->allow;
154 
155 		if (request & perms->kill)
156 			audit_type = AUDIT_APPARMOR_KILL;
157 
158 		/* quiet known rejects, assumes quiet and kill do not overlap */
159 		if ((request & perms->quiet) &&
160 		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
161 		    AUDIT_MODE(profile) != AUDIT_ALL)
162 			request &= ~perms->quiet;
163 
164 		if (!request)
165 			return error;
166 	}
167 
168 	aad(&sa)->name = name;
169 	aad(&sa)->mnt.src_name = src_name;
170 	aad(&sa)->mnt.type = type;
171 	aad(&sa)->mnt.trans = trans;
172 	aad(&sa)->mnt.flags = flags;
173 	if (data && (perms->audit & AA_AUDIT_DATA))
174 		aad(&sa)->mnt.data = data;
175 	aad(&sa)->info = info;
176 	aad(&sa)->error = error;
177 
178 	return aa_audit(audit_type, profile, &sa, audit_cb);
179 }
180 
181 /**
182  * match_mnt_flags - Do an ordered match on mount flags
183  * @dfa: dfa to match against
184  * @state: state to start in
185  * @flags: mount flags to match against
186  *
187  * Mount flags are encoded as an ordered match. This is done instead of
188  * checking against a simple bitmask, to allow for logical operations
189  * on the flags.
190  *
191  * Returns: next state after flags match
192  */
193 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
194 				    unsigned long flags)
195 {
196 	unsigned int i;
197 
198 	for (i = 0; i <= 31 ; ++i) {
199 		if ((1 << i) & flags)
200 			state = aa_dfa_next(dfa, state, i + 1);
201 	}
202 
203 	return state;
204 }
205 
206 static const char * const mnt_info_table[] = {
207 	"match succeeded",
208 	"failed mntpnt match",
209 	"failed srcname match",
210 	"failed type match",
211 	"failed flags match",
212 	"failed data match",
213 	"failed perms check"
214 };
215 
216 /*
217  * Returns 0 on success else element that match failed in, this is the
218  * index into the mnt_info_table above
219  */
220 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
221 			const char *mntpnt, const char *devname,
222 			const char *type, unsigned long flags,
223 			void *data, bool binary, struct aa_perms *perms)
224 {
225 	aa_state_t state;
226 
227 	AA_BUG(!policy);
228 	AA_BUG(!policy->dfa);
229 	AA_BUG(!policy->perms);
230 	AA_BUG(!perms);
231 
232 	state = aa_dfa_match(policy->dfa, start, mntpnt);
233 	state = aa_dfa_null_transition(policy->dfa, state);
234 	if (!state)
235 		return 1;
236 
237 	if (devname)
238 		state = aa_dfa_match(policy->dfa, state, devname);
239 	state = aa_dfa_null_transition(policy->dfa, state);
240 	if (!state)
241 		return 2;
242 
243 	if (type)
244 		state = aa_dfa_match(policy->dfa, state, type);
245 	state = aa_dfa_null_transition(policy->dfa, state);
246 	if (!state)
247 		return 3;
248 
249 	state = match_mnt_flags(policy->dfa, state, flags);
250 	if (!state)
251 		return 4;
252 	*perms = *aa_lookup_perms(policy, state);
253 	if (perms->allow & AA_MAY_MOUNT)
254 		return 0;
255 
256 	/* only match data if not binary and the DFA flags data is expected */
257 	if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
258 		state = aa_dfa_null_transition(policy->dfa, state);
259 		if (!state)
260 			return 4;
261 
262 		state = aa_dfa_match(policy->dfa, state, data);
263 		if (!state)
264 			return 5;
265 		*perms = *aa_lookup_perms(policy, state);
266 		if (perms->allow & AA_MAY_MOUNT)
267 			return 0;
268 	}
269 
270 	/* failed at perms check, don't confuse with flags match */
271 	return 6;
272 }
273 
274 
275 static int path_flags(struct aa_profile *profile, const struct path *path)
276 {
277 	AA_BUG(!profile);
278 	AA_BUG(!path);
279 
280 	return profile->path_flags |
281 		(S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
282 }
283 
284 /**
285  * match_mnt_path_str - handle path matching for mount
286  * @profile: the confining profile
287  * @mntpath: for the mntpnt (NOT NULL)
288  * @buffer: buffer to be used to lookup mntpath
289  * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
290  * @type: string for the dev type (MAYBE NULL)
291  * @flags: mount flags to match
292  * @data: fs mount data (MAYBE NULL)
293  * @binary: whether @data is binary
294  * @devinfo: error str if (IS_ERR(@devname))
295  *
296  * Returns: 0 on success else error
297  */
298 static int match_mnt_path_str(struct aa_profile *profile,
299 			      const struct path *mntpath, char *buffer,
300 			      const char *devname, const char *type,
301 			      unsigned long flags, void *data, bool binary,
302 			      const char *devinfo)
303 {
304 	struct aa_perms perms = { };
305 	const char *mntpnt = NULL, *info = NULL;
306 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
307 						    typeof(*rules), list);
308 	int pos, error;
309 
310 	AA_BUG(!profile);
311 	AA_BUG(!mntpath);
312 	AA_BUG(!buffer);
313 
314 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
315 		return 0;
316 
317 	error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
318 			     &mntpnt, &info, profile->disconnected);
319 	if (error)
320 		goto audit;
321 	if (IS_ERR(devname)) {
322 		error = PTR_ERR(devname);
323 		devname = NULL;
324 		info = devinfo;
325 		goto audit;
326 	}
327 
328 	error = -EACCES;
329 	pos = do_match_mnt(&rules->policy,
330 			   rules->policy.start[AA_CLASS_MOUNT],
331 			   mntpnt, devname, type, flags, data, binary, &perms);
332 	if (pos) {
333 		info = mnt_info_table[pos];
334 		goto audit;
335 	}
336 	error = 0;
337 
338 audit:
339 	return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL,
340 			   flags, data, AA_MAY_MOUNT, &perms, info, error);
341 }
342 
343 /**
344  * match_mnt - handle path matching for mount
345  * @profile: the confining profile
346  * @path: for the mntpnt (NOT NULL)
347  * @buffer: buffer to be used to lookup mntpath
348  * @devpath: path devname/src_name (MAYBE NULL)
349  * @devbuffer: buffer to be used to lookup devname/src_name
350  * @type: string for the dev type (MAYBE NULL)
351  * @flags: mount flags to match
352  * @data: fs mount data (MAYBE NULL)
353  * @binary: whether @data is binary
354  *
355  * Returns: 0 on success else error
356  */
357 static int match_mnt(struct aa_profile *profile, const struct path *path,
358 		     char *buffer, const struct path *devpath, char *devbuffer,
359 		     const char *type, unsigned long flags, void *data,
360 		     bool binary)
361 {
362 	const char *devname = NULL, *info = NULL;
363 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
364 						    typeof(*rules), list);
365 	int error = -EACCES;
366 
367 	AA_BUG(!profile);
368 	AA_BUG(devpath && !devbuffer);
369 
370 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
371 		return 0;
372 
373 	if (devpath) {
374 		error = aa_path_name(devpath, path_flags(profile, devpath),
375 				     devbuffer, &devname, &info,
376 				     profile->disconnected);
377 		if (error)
378 			devname = ERR_PTR(error);
379 	}
380 
381 	return match_mnt_path_str(profile, path, buffer, devname, type, flags,
382 				  data, binary, info);
383 }
384 
385 int aa_remount(struct aa_label *label, const struct path *path,
386 	       unsigned long flags, void *data)
387 {
388 	struct aa_profile *profile;
389 	char *buffer = NULL;
390 	bool binary;
391 	int error;
392 
393 	AA_BUG(!label);
394 	AA_BUG(!path);
395 
396 	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
397 
398 	buffer = aa_get_buffer(false);
399 	if (!buffer)
400 		return -ENOMEM;
401 	error = fn_for_each_confined(label, profile,
402 			match_mnt(profile, path, buffer, NULL, NULL, NULL,
403 				  flags, data, binary));
404 	aa_put_buffer(buffer);
405 
406 	return error;
407 }
408 
409 int aa_bind_mount(struct aa_label *label, const struct path *path,
410 		  const char *dev_name, unsigned long flags)
411 {
412 	struct aa_profile *profile;
413 	char *buffer = NULL, *old_buffer = NULL;
414 	struct path old_path;
415 	int error;
416 
417 	AA_BUG(!label);
418 	AA_BUG(!path);
419 
420 	if (!dev_name || !*dev_name)
421 		return -EINVAL;
422 
423 	flags &= MS_REC | MS_BIND;
424 
425 	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
426 	if (error)
427 		return error;
428 
429 	buffer = aa_get_buffer(false);
430 	old_buffer = aa_get_buffer(false);
431 	error = -ENOMEM;
432 	if (!buffer || !old_buffer)
433 		goto out;
434 
435 	error = fn_for_each_confined(label, profile,
436 			match_mnt(profile, path, buffer, &old_path, old_buffer,
437 				  NULL, flags, NULL, false));
438 out:
439 	aa_put_buffer(buffer);
440 	aa_put_buffer(old_buffer);
441 	path_put(&old_path);
442 
443 	return error;
444 }
445 
446 int aa_mount_change_type(struct aa_label *label, const struct path *path,
447 			 unsigned long flags)
448 {
449 	struct aa_profile *profile;
450 	char *buffer = NULL;
451 	int error;
452 
453 	AA_BUG(!label);
454 	AA_BUG(!path);
455 
456 	/* These are the flags allowed by do_change_type() */
457 	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
458 		  MS_UNBINDABLE);
459 
460 	buffer = aa_get_buffer(false);
461 	if (!buffer)
462 		return -ENOMEM;
463 	error = fn_for_each_confined(label, profile,
464 			match_mnt(profile, path, buffer, NULL, NULL, NULL,
465 				  flags, NULL, false));
466 	aa_put_buffer(buffer);
467 
468 	return error;
469 }
470 
471 int aa_move_mount(struct aa_label *label, const struct path *path,
472 		  const char *orig_name)
473 {
474 	struct aa_profile *profile;
475 	char *buffer = NULL, *old_buffer = NULL;
476 	struct path old_path;
477 	int error;
478 
479 	AA_BUG(!label);
480 	AA_BUG(!path);
481 
482 	if (!orig_name || !*orig_name)
483 		return -EINVAL;
484 
485 	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
486 	if (error)
487 		return error;
488 
489 	buffer = aa_get_buffer(false);
490 	old_buffer = aa_get_buffer(false);
491 	error = -ENOMEM;
492 	if (!buffer || !old_buffer)
493 		goto out;
494 	error = fn_for_each_confined(label, profile,
495 			match_mnt(profile, path, buffer, &old_path, old_buffer,
496 				  NULL, MS_MOVE, NULL, false));
497 out:
498 	aa_put_buffer(buffer);
499 	aa_put_buffer(old_buffer);
500 	path_put(&old_path);
501 
502 	return error;
503 }
504 
505 int aa_new_mount(struct aa_label *label, const char *dev_name,
506 		 const struct path *path, const char *type, unsigned long flags,
507 		 void *data)
508 {
509 	struct aa_profile *profile;
510 	char *buffer = NULL, *dev_buffer = NULL;
511 	bool binary = true;
512 	int error;
513 	int requires_dev = 0;
514 	struct path tmp_path, *dev_path = NULL;
515 
516 	AA_BUG(!label);
517 	AA_BUG(!path);
518 
519 	if (type) {
520 		struct file_system_type *fstype;
521 
522 		fstype = get_fs_type(type);
523 		if (!fstype)
524 			return -ENODEV;
525 		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
526 		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
527 		put_filesystem(fstype);
528 
529 		if (requires_dev) {
530 			if (!dev_name || !*dev_name)
531 				return -ENOENT;
532 
533 			error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
534 			if (error)
535 				return error;
536 			dev_path = &tmp_path;
537 		}
538 	}
539 
540 	buffer = aa_get_buffer(false);
541 	if (!buffer) {
542 		error = -ENOMEM;
543 		goto out;
544 	}
545 	if (dev_path) {
546 		dev_buffer = aa_get_buffer(false);
547 		if (!dev_buffer) {
548 			error = -ENOMEM;
549 			goto out;
550 		}
551 		error = fn_for_each_confined(label, profile,
552 			match_mnt(profile, path, buffer, dev_path, dev_buffer,
553 				  type, flags, data, binary));
554 	} else {
555 		error = fn_for_each_confined(label, profile,
556 			match_mnt_path_str(profile, path, buffer, dev_name,
557 					   type, flags, data, binary, NULL));
558 	}
559 
560 out:
561 	aa_put_buffer(buffer);
562 	aa_put_buffer(dev_buffer);
563 	if (dev_path)
564 		path_put(dev_path);
565 
566 	return error;
567 }
568 
569 static int profile_umount(struct aa_profile *profile, const struct path *path,
570 			  char *buffer)
571 {
572 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
573 						    typeof(*rules), list);
574 	struct aa_perms perms = { };
575 	const char *name = NULL, *info = NULL;
576 	aa_state_t state;
577 	int error;
578 
579 	AA_BUG(!profile);
580 	AA_BUG(!path);
581 
582 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
583 		return 0;
584 
585 	error = aa_path_name(path, path_flags(profile, path), buffer, &name,
586 			     &info, profile->disconnected);
587 	if (error)
588 		goto audit;
589 
590 	state = aa_dfa_match(rules->policy.dfa,
591 			     rules->policy.start[AA_CLASS_MOUNT],
592 			     name);
593 	perms = *aa_lookup_perms(&rules->policy, state);
594 	if (AA_MAY_UMOUNT & ~perms.allow)
595 		error = -EACCES;
596 
597 audit:
598 	return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL,
599 			   AA_MAY_UMOUNT, &perms, info, error);
600 }
601 
602 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
603 {
604 	struct aa_profile *profile;
605 	char *buffer = NULL;
606 	int error;
607 	struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
608 
609 	AA_BUG(!label);
610 	AA_BUG(!mnt);
611 
612 	buffer = aa_get_buffer(false);
613 	if (!buffer)
614 		return -ENOMEM;
615 
616 	error = fn_for_each_confined(label, profile,
617 			profile_umount(profile, &path, buffer));
618 	aa_put_buffer(buffer);
619 
620 	return error;
621 }
622 
623 /* helper fn for transition on pivotroot
624  *
625  * Returns: label for transition or ERR_PTR. Does not return NULL
626  */
627 static struct aa_label *build_pivotroot(struct aa_profile *profile,
628 					const struct path *new_path,
629 					char *new_buffer,
630 					const struct path *old_path,
631 					char *old_buffer)
632 {
633 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
634 						    typeof(*rules), list);
635 	const char *old_name, *new_name = NULL, *info = NULL;
636 	const char *trans_name = NULL;
637 	struct aa_perms perms = { };
638 	aa_state_t state;
639 	int error;
640 
641 	AA_BUG(!profile);
642 	AA_BUG(!new_path);
643 	AA_BUG(!old_path);
644 
645 	if (profile_unconfined(profile) ||
646 	    !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
647 		return aa_get_newest_label(&profile->label);
648 
649 	error = aa_path_name(old_path, path_flags(profile, old_path),
650 			     old_buffer, &old_name, &info,
651 			     profile->disconnected);
652 	if (error)
653 		goto audit;
654 	error = aa_path_name(new_path, path_flags(profile, new_path),
655 			     new_buffer, &new_name, &info,
656 			     profile->disconnected);
657 	if (error)
658 		goto audit;
659 
660 	error = -EACCES;
661 	state = aa_dfa_match(rules->policy.dfa,
662 			     rules->policy.start[AA_CLASS_MOUNT],
663 			     new_name);
664 	state = aa_dfa_null_transition(rules->policy.dfa, state);
665 	state = aa_dfa_match(rules->policy.dfa, state, old_name);
666 	perms = *aa_lookup_perms(&rules->policy, state);
667 
668 	if (AA_MAY_PIVOTROOT & perms.allow)
669 		error = 0;
670 
671 audit:
672 	error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name,
673 			    NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
674 			    &perms, info, error);
675 	if (error)
676 		return ERR_PTR(error);
677 
678 	return aa_get_newest_label(&profile->label);
679 }
680 
681 int aa_pivotroot(struct aa_label *label, const struct path *old_path,
682 		 const struct path *new_path)
683 {
684 	struct aa_profile *profile;
685 	struct aa_label *target = NULL;
686 	char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
687 	int error;
688 
689 	AA_BUG(!label);
690 	AA_BUG(!old_path);
691 	AA_BUG(!new_path);
692 
693 	old_buffer = aa_get_buffer(false);
694 	new_buffer = aa_get_buffer(false);
695 	error = -ENOMEM;
696 	if (!old_buffer || !new_buffer)
697 		goto out;
698 	target = fn_label_build(label, profile, GFP_KERNEL,
699 			build_pivotroot(profile, new_path, new_buffer,
700 					old_path, old_buffer));
701 	if (!target) {
702 		info = "label build failed";
703 		error = -ENOMEM;
704 		goto fail;
705 	} else if (!IS_ERR(target)) {
706 		error = aa_replace_current_label(target);
707 		if (error) {
708 			/* TODO: audit target */
709 			aa_put_label(target);
710 			goto out;
711 		}
712 		aa_put_label(target);
713 	} else
714 		/* already audited error */
715 		error = PTR_ERR(target);
716 out:
717 	aa_put_buffer(old_buffer);
718 	aa_put_buffer(new_buffer);
719 
720 	return error;
721 
722 fail:
723 	/* TODO: add back in auditing of new_name and old_name */
724 	error = fn_for_each(label, profile,
725 			audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */,
726 				    NULL /* old_name */,
727 				    NULL, NULL,
728 				    0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
729 				    error));
730 	goto out;
731 }
732