xref: /openbmc/linux/security/apparmor/mount.c (revision 2ae2e7cf)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor mediation of files
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2017 Canonical Ltd.
9  */
10 
11 #include <linux/fs.h>
12 #include <linux/mount.h>
13 #include <linux/namei.h>
14 #include <uapi/linux/mount.h>
15 
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/cred.h"
19 #include "include/domain.h"
20 #include "include/file.h"
21 #include "include/match.h"
22 #include "include/mount.h"
23 #include "include/path.h"
24 #include "include/policy.h"
25 
26 
27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
28 {
29 	if (flags & MS_RDONLY)
30 		audit_log_format(ab, "ro");
31 	else
32 		audit_log_format(ab, "rw");
33 	if (flags & MS_NOSUID)
34 		audit_log_format(ab, ", nosuid");
35 	if (flags & MS_NODEV)
36 		audit_log_format(ab, ", nodev");
37 	if (flags & MS_NOEXEC)
38 		audit_log_format(ab, ", noexec");
39 	if (flags & MS_SYNCHRONOUS)
40 		audit_log_format(ab, ", sync");
41 	if (flags & MS_REMOUNT)
42 		audit_log_format(ab, ", remount");
43 	if (flags & MS_MANDLOCK)
44 		audit_log_format(ab, ", mand");
45 	if (flags & MS_DIRSYNC)
46 		audit_log_format(ab, ", dirsync");
47 	if (flags & MS_NOATIME)
48 		audit_log_format(ab, ", noatime");
49 	if (flags & MS_NODIRATIME)
50 		audit_log_format(ab, ", nodiratime");
51 	if (flags & MS_BIND)
52 		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
53 	if (flags & MS_MOVE)
54 		audit_log_format(ab, ", move");
55 	if (flags & MS_SILENT)
56 		audit_log_format(ab, ", silent");
57 	if (flags & MS_POSIXACL)
58 		audit_log_format(ab, ", acl");
59 	if (flags & MS_UNBINDABLE)
60 		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
61 				 ", unbindable");
62 	if (flags & MS_PRIVATE)
63 		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
64 				 ", private");
65 	if (flags & MS_SLAVE)
66 		audit_log_format(ab, flags & MS_REC ? ", rslave" :
67 				 ", slave");
68 	if (flags & MS_SHARED)
69 		audit_log_format(ab, flags & MS_REC ? ", rshared" :
70 				 ", shared");
71 	if (flags & MS_RELATIME)
72 		audit_log_format(ab, ", relatime");
73 	if (flags & MS_I_VERSION)
74 		audit_log_format(ab, ", iversion");
75 	if (flags & MS_STRICTATIME)
76 		audit_log_format(ab, ", strictatime");
77 	if (flags & MS_NOUSER)
78 		audit_log_format(ab, ", nouser");
79 }
80 
81 /**
82  * audit_cb - call back for mount specific audit fields
83  * @ab: audit_buffer  (NOT NULL)
84  * @va: audit struct to audit values of  (NOT NULL)
85  */
86 static void audit_cb(struct audit_buffer *ab, void *va)
87 {
88 	struct common_audit_data *sa = va;
89 	struct apparmor_audit_data *ad = aad(sa);
90 
91 	if (ad->mnt.type) {
92 		audit_log_format(ab, " fstype=");
93 		audit_log_untrustedstring(ab, ad->mnt.type);
94 	}
95 	if (ad->mnt.src_name) {
96 		audit_log_format(ab, " srcname=");
97 		audit_log_untrustedstring(ab, ad->mnt.src_name);
98 	}
99 	if (ad->mnt.trans) {
100 		audit_log_format(ab, " trans=");
101 		audit_log_untrustedstring(ab, ad->mnt.trans);
102 	}
103 	if (ad->mnt.flags) {
104 		audit_log_format(ab, " flags=\"");
105 		audit_mnt_flags(ab, ad->mnt.flags);
106 		audit_log_format(ab, "\"");
107 	}
108 	if (ad->mnt.data) {
109 		audit_log_format(ab, " options=");
110 		audit_log_untrustedstring(ab, ad->mnt.data);
111 	}
112 }
113 
114 /**
115  * audit_mount - handle the auditing of mount operations
116  * @subj_cred: cred of the subject
117  * @profile: the profile being enforced  (NOT NULL)
118  * @op: operation being mediated (NOT NULL)
119  * @name: name of object being mediated (MAYBE NULL)
120  * @src_name: src_name of object being mediated (MAYBE_NULL)
121  * @type: type of filesystem (MAYBE_NULL)
122  * @trans: name of trans (MAYBE NULL)
123  * @flags: filesystem independent mount flags
124  * @data: filesystem mount flags
125  * @request: permissions requested
126  * @perms: the permissions computed for the request (NOT NULL)
127  * @info: extra information message (MAYBE NULL)
128  * @error: 0 if operation allowed else failure error code
129  *
130  * Returns: %0 or error on failure
131  */
132 static int audit_mount(const struct cred *subj_cred,
133 		       struct aa_profile *profile, const char *op,
134 		       const char *name, const char *src_name,
135 		       const char *type, const char *trans,
136 		       unsigned long flags, const void *data, u32 request,
137 		       struct aa_perms *perms, const char *info, int error)
138 {
139 	int audit_type = AUDIT_APPARMOR_AUTO;
140 	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
141 
142 	if (likely(!error)) {
143 		u32 mask = perms->audit;
144 
145 		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
146 			mask = 0xffff;
147 
148 		/* mask off perms that are not being force audited */
149 		request &= mask;
150 
151 		if (likely(!request))
152 			return 0;
153 		audit_type = AUDIT_APPARMOR_AUDIT;
154 	} else {
155 		/* only report permissions that were denied */
156 		request = request & ~perms->allow;
157 
158 		if (request & perms->kill)
159 			audit_type = AUDIT_APPARMOR_KILL;
160 
161 		/* quiet known rejects, assumes quiet and kill do not overlap */
162 		if ((request & perms->quiet) &&
163 		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
164 		    AUDIT_MODE(profile) != AUDIT_ALL)
165 			request &= ~perms->quiet;
166 
167 		if (!request)
168 			return error;
169 	}
170 
171 	ad.subj_cred = subj_cred;
172 	ad.name = name;
173 	ad.mnt.src_name = src_name;
174 	ad.mnt.type = type;
175 	ad.mnt.trans = trans;
176 	ad.mnt.flags = flags;
177 	if (data && (perms->audit & AA_AUDIT_DATA))
178 		ad.mnt.data = data;
179 	ad.info = info;
180 	ad.error = error;
181 
182 	return aa_audit(audit_type, profile, &ad, audit_cb);
183 }
184 
185 /**
186  * match_mnt_flags - Do an ordered match on mount flags
187  * @dfa: dfa to match against
188  * @state: state to start in
189  * @flags: mount flags to match against
190  *
191  * Mount flags are encoded as an ordered match. This is done instead of
192  * checking against a simple bitmask, to allow for logical operations
193  * on the flags.
194  *
195  * Returns: next state after flags match
196  */
197 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
198 				    unsigned long flags)
199 {
200 	unsigned int i;
201 
202 	for (i = 0; i <= 31 ; ++i) {
203 		if ((1 << i) & flags)
204 			state = aa_dfa_next(dfa, state, i + 1);
205 	}
206 
207 	return state;
208 }
209 
210 static const char * const mnt_info_table[] = {
211 	"match succeeded",
212 	"failed mntpnt match",
213 	"failed srcname match",
214 	"failed type match",
215 	"failed flags match",
216 	"failed data match",
217 	"failed perms check"
218 };
219 
220 /*
221  * Returns 0 on success else element that match failed in, this is the
222  * index into the mnt_info_table above
223  */
224 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
225 			const char *mntpnt, const char *devname,
226 			const char *type, unsigned long flags,
227 			void *data, bool binary, struct aa_perms *perms)
228 {
229 	aa_state_t state;
230 
231 	AA_BUG(!policy);
232 	AA_BUG(!policy->dfa);
233 	AA_BUG(!policy->perms);
234 	AA_BUG(!perms);
235 
236 	state = aa_dfa_match(policy->dfa, start, mntpnt);
237 	state = aa_dfa_null_transition(policy->dfa, state);
238 	if (!state)
239 		return 1;
240 
241 	if (devname)
242 		state = aa_dfa_match(policy->dfa, state, devname);
243 	state = aa_dfa_null_transition(policy->dfa, state);
244 	if (!state)
245 		return 2;
246 
247 	if (type)
248 		state = aa_dfa_match(policy->dfa, state, type);
249 	state = aa_dfa_null_transition(policy->dfa, state);
250 	if (!state)
251 		return 3;
252 
253 	state = match_mnt_flags(policy->dfa, state, flags);
254 	if (!state)
255 		return 4;
256 	*perms = *aa_lookup_perms(policy, state);
257 	if (perms->allow & AA_MAY_MOUNT)
258 		return 0;
259 
260 	/* only match data if not binary and the DFA flags data is expected */
261 	if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
262 		state = aa_dfa_null_transition(policy->dfa, state);
263 		if (!state)
264 			return 4;
265 
266 		state = aa_dfa_match(policy->dfa, state, data);
267 		if (!state)
268 			return 5;
269 		*perms = *aa_lookup_perms(policy, state);
270 		if (perms->allow & AA_MAY_MOUNT)
271 			return 0;
272 	}
273 
274 	/* failed at perms check, don't confuse with flags match */
275 	return 6;
276 }
277 
278 
279 static int path_flags(struct aa_profile *profile, const struct path *path)
280 {
281 	AA_BUG(!profile);
282 	AA_BUG(!path);
283 
284 	return profile->path_flags |
285 		(S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
286 }
287 
288 /**
289  * match_mnt_path_str - handle path matching for mount
290  * @subj_cred: cred of confined subject
291  * @profile: the confining profile
292  * @mntpath: for the mntpnt (NOT NULL)
293  * @buffer: buffer to be used to lookup mntpath
294  * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
295  * @type: string for the dev type (MAYBE NULL)
296  * @flags: mount flags to match
297  * @data: fs mount data (MAYBE NULL)
298  * @binary: whether @data is binary
299  * @devinfo: error str if (IS_ERR(@devname))
300  *
301  * Returns: 0 on success else error
302  */
303 static int match_mnt_path_str(const struct cred *subj_cred,
304 			      struct aa_profile *profile,
305 			      const struct path *mntpath, char *buffer,
306 			      const char *devname, const char *type,
307 			      unsigned long flags, void *data, bool binary,
308 			      const char *devinfo)
309 {
310 	struct aa_perms perms = { };
311 	const char *mntpnt = NULL, *info = NULL;
312 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
313 						    typeof(*rules), list);
314 	int pos, error;
315 
316 	AA_BUG(!profile);
317 	AA_BUG(!mntpath);
318 	AA_BUG(!buffer);
319 
320 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
321 		return 0;
322 
323 	error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
324 			     &mntpnt, &info, profile->disconnected);
325 	if (error)
326 		goto audit;
327 	if (IS_ERR(devname)) {
328 		error = PTR_ERR(devname);
329 		devname = NULL;
330 		info = devinfo;
331 		goto audit;
332 	}
333 
334 	error = -EACCES;
335 	pos = do_match_mnt(&rules->policy,
336 			   rules->policy.start[AA_CLASS_MOUNT],
337 			   mntpnt, devname, type, flags, data, binary, &perms);
338 	if (pos) {
339 		info = mnt_info_table[pos];
340 		goto audit;
341 	}
342 	error = 0;
343 
344 audit:
345 	return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname,
346 			   type, NULL,
347 			   flags, data, AA_MAY_MOUNT, &perms, info, error);
348 }
349 
350 /**
351  * match_mnt - handle path matching for mount
352  * @subj_cred: cred of the subject
353  * @profile: the confining profile
354  * @path: for the mntpnt (NOT NULL)
355  * @buffer: buffer to be used to lookup mntpath
356  * @devpath: path devname/src_name (MAYBE NULL)
357  * @devbuffer: buffer to be used to lookup devname/src_name
358  * @type: string for the dev type (MAYBE NULL)
359  * @flags: mount flags to match
360  * @data: fs mount data (MAYBE NULL)
361  * @binary: whether @data is binary
362  *
363  * Returns: 0 on success else error
364  */
365 static int match_mnt(const struct cred *subj_cred,
366 		     struct aa_profile *profile, const struct path *path,
367 		     char *buffer, const struct path *devpath, char *devbuffer,
368 		     const char *type, unsigned long flags, void *data,
369 		     bool binary)
370 {
371 	const char *devname = NULL, *info = NULL;
372 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
373 						    typeof(*rules), list);
374 	int error = -EACCES;
375 
376 	AA_BUG(!profile);
377 	AA_BUG(devpath && !devbuffer);
378 
379 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
380 		return 0;
381 
382 	if (devpath) {
383 		error = aa_path_name(devpath, path_flags(profile, devpath),
384 				     devbuffer, &devname, &info,
385 				     profile->disconnected);
386 		if (error)
387 			devname = ERR_PTR(error);
388 	}
389 
390 	return match_mnt_path_str(subj_cred, profile, path, buffer, devname,
391 				  type, flags, data, binary, info);
392 }
393 
394 int aa_remount(const struct cred *subj_cred,
395 	       struct aa_label *label, const struct path *path,
396 	       unsigned long flags, void *data)
397 {
398 	struct aa_profile *profile;
399 	char *buffer = NULL;
400 	bool binary;
401 	int error;
402 
403 	AA_BUG(!label);
404 	AA_BUG(!path);
405 
406 	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
407 
408 	buffer = aa_get_buffer(false);
409 	if (!buffer)
410 		return -ENOMEM;
411 	error = fn_for_each_confined(label, profile,
412 			match_mnt(subj_cred, profile, path, buffer, NULL,
413 				  NULL, NULL,
414 				  flags, data, binary));
415 	aa_put_buffer(buffer);
416 
417 	return error;
418 }
419 
420 int aa_bind_mount(const struct cred *subj_cred,
421 		  struct aa_label *label, const struct path *path,
422 		  const char *dev_name, unsigned long flags)
423 {
424 	struct aa_profile *profile;
425 	char *buffer = NULL, *old_buffer = NULL;
426 	struct path old_path;
427 	int error;
428 
429 	AA_BUG(!label);
430 	AA_BUG(!path);
431 
432 	if (!dev_name || !*dev_name)
433 		return -EINVAL;
434 
435 	flags &= MS_REC | MS_BIND;
436 
437 	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
438 	if (error)
439 		return error;
440 
441 	buffer = aa_get_buffer(false);
442 	old_buffer = aa_get_buffer(false);
443 	error = -ENOMEM;
444 	if (!buffer || !old_buffer)
445 		goto out;
446 
447 	error = fn_for_each_confined(label, profile,
448 			match_mnt(subj_cred, profile, path, buffer, &old_path,
449 				  old_buffer, NULL, flags, NULL, false));
450 out:
451 	aa_put_buffer(buffer);
452 	aa_put_buffer(old_buffer);
453 	path_put(&old_path);
454 
455 	return error;
456 }
457 
458 int aa_mount_change_type(const struct cred *subj_cred,
459 			 struct aa_label *label, const struct path *path,
460 			 unsigned long flags)
461 {
462 	struct aa_profile *profile;
463 	char *buffer = NULL;
464 	int error;
465 
466 	AA_BUG(!label);
467 	AA_BUG(!path);
468 
469 	/* These are the flags allowed by do_change_type() */
470 	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
471 		  MS_UNBINDABLE);
472 
473 	buffer = aa_get_buffer(false);
474 	if (!buffer)
475 		return -ENOMEM;
476 	error = fn_for_each_confined(label, profile,
477 			match_mnt(subj_cred, profile, path, buffer, NULL,
478 				  NULL, NULL,
479 				  flags, NULL, false));
480 	aa_put_buffer(buffer);
481 
482 	return error;
483 }
484 
485 int aa_move_mount(const struct cred *subj_cred,
486 		  struct aa_label *label, const struct path *from_path,
487 		  const struct path *to_path)
488 {
489 	struct aa_profile *profile;
490 	char *to_buffer = NULL, *from_buffer = NULL;
491 	int error;
492 
493 	AA_BUG(!label);
494 	AA_BUG(!from_path);
495 	AA_BUG(!to_path);
496 
497 	to_buffer = aa_get_buffer(false);
498 	from_buffer = aa_get_buffer(false);
499 	error = -ENOMEM;
500 	if (!to_buffer || !from_buffer)
501 		goto out;
502 
503 	if (!our_mnt(from_path->mnt))
504 		/* moving a mount detached from the namespace */
505 		from_path = NULL;
506 	error = fn_for_each_confined(label, profile,
507 			match_mnt(subj_cred, profile, to_path, to_buffer,
508 				  from_path, from_buffer,
509 				  NULL, MS_MOVE, NULL, false));
510 out:
511 	aa_put_buffer(to_buffer);
512 	aa_put_buffer(from_buffer);
513 
514 	return error;
515 }
516 
517 int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
518 		      const struct path *path, const char *orig_name)
519 {
520 	struct path old_path;
521 	int error;
522 
523 	if (!orig_name || !*orig_name)
524 		return -EINVAL;
525 	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
526 	if (error)
527 		return error;
528 
529 	error = aa_move_mount(subj_cred, label, &old_path, path);
530 	path_put(&old_path);
531 
532 	return error;
533 }
534 
535 int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
536 		 const char *dev_name, const struct path *path,
537 		 const char *type, unsigned long flags, void *data)
538 {
539 	struct aa_profile *profile;
540 	char *buffer = NULL, *dev_buffer = NULL;
541 	bool binary = true;
542 	int error;
543 	int requires_dev = 0;
544 	struct path tmp_path, *dev_path = NULL;
545 
546 	AA_BUG(!label);
547 	AA_BUG(!path);
548 
549 	if (type) {
550 		struct file_system_type *fstype;
551 
552 		fstype = get_fs_type(type);
553 		if (!fstype)
554 			return -ENODEV;
555 		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
556 		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
557 		put_filesystem(fstype);
558 
559 		if (requires_dev) {
560 			if (!dev_name || !*dev_name)
561 				return -ENOENT;
562 
563 			error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
564 			if (error)
565 				return error;
566 			dev_path = &tmp_path;
567 		}
568 	}
569 
570 	buffer = aa_get_buffer(false);
571 	if (!buffer) {
572 		error = -ENOMEM;
573 		goto out;
574 	}
575 	if (dev_path) {
576 		dev_buffer = aa_get_buffer(false);
577 		if (!dev_buffer) {
578 			error = -ENOMEM;
579 			goto out;
580 		}
581 		error = fn_for_each_confined(label, profile,
582 				match_mnt(subj_cred, profile, path, buffer,
583 					  dev_path, dev_buffer,
584 				  type, flags, data, binary));
585 	} else {
586 		error = fn_for_each_confined(label, profile,
587 				match_mnt_path_str(subj_cred, profile, path,
588 					buffer, dev_name,
589 					type, flags, data, binary, NULL));
590 	}
591 
592 out:
593 	aa_put_buffer(buffer);
594 	aa_put_buffer(dev_buffer);
595 	if (dev_path)
596 		path_put(dev_path);
597 
598 	return error;
599 }
600 
601 static int profile_umount(const struct cred *subj_cred,
602 			  struct aa_profile *profile, const struct path *path,
603 			  char *buffer)
604 {
605 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
606 						    typeof(*rules), list);
607 	struct aa_perms perms = { };
608 	const char *name = NULL, *info = NULL;
609 	aa_state_t state;
610 	int error;
611 
612 	AA_BUG(!profile);
613 	AA_BUG(!path);
614 
615 	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
616 		return 0;
617 
618 	error = aa_path_name(path, path_flags(profile, path), buffer, &name,
619 			     &info, profile->disconnected);
620 	if (error)
621 		goto audit;
622 
623 	state = aa_dfa_match(rules->policy.dfa,
624 			     rules->policy.start[AA_CLASS_MOUNT],
625 			     name);
626 	perms = *aa_lookup_perms(&rules->policy, state);
627 	if (AA_MAY_UMOUNT & ~perms.allow)
628 		error = -EACCES;
629 
630 audit:
631 	return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
632 			   NULL, 0, NULL,
633 			   AA_MAY_UMOUNT, &perms, info, error);
634 }
635 
636 int aa_umount(const struct cred *subj_cred, struct aa_label *label,
637 	      struct vfsmount *mnt, int flags)
638 {
639 	struct aa_profile *profile;
640 	char *buffer = NULL;
641 	int error;
642 	struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
643 
644 	AA_BUG(!label);
645 	AA_BUG(!mnt);
646 
647 	buffer = aa_get_buffer(false);
648 	if (!buffer)
649 		return -ENOMEM;
650 
651 	error = fn_for_each_confined(label, profile,
652 			profile_umount(subj_cred, profile, &path, buffer));
653 	aa_put_buffer(buffer);
654 
655 	return error;
656 }
657 
658 /* helper fn for transition on pivotroot
659  *
660  * Returns: label for transition or ERR_PTR. Does not return NULL
661  */
662 static struct aa_label *build_pivotroot(const struct cred *subj_cred,
663 					struct aa_profile *profile,
664 					const struct path *new_path,
665 					char *new_buffer,
666 					const struct path *old_path,
667 					char *old_buffer)
668 {
669 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
670 						    typeof(*rules), list);
671 	const char *old_name, *new_name = NULL, *info = NULL;
672 	const char *trans_name = NULL;
673 	struct aa_perms perms = { };
674 	aa_state_t state;
675 	int error;
676 
677 	AA_BUG(!profile);
678 	AA_BUG(!new_path);
679 	AA_BUG(!old_path);
680 
681 	if (profile_unconfined(profile) ||
682 	    !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
683 		return aa_get_newest_label(&profile->label);
684 
685 	error = aa_path_name(old_path, path_flags(profile, old_path),
686 			     old_buffer, &old_name, &info,
687 			     profile->disconnected);
688 	if (error)
689 		goto audit;
690 	error = aa_path_name(new_path, path_flags(profile, new_path),
691 			     new_buffer, &new_name, &info,
692 			     profile->disconnected);
693 	if (error)
694 		goto audit;
695 
696 	error = -EACCES;
697 	state = aa_dfa_match(rules->policy.dfa,
698 			     rules->policy.start[AA_CLASS_MOUNT],
699 			     new_name);
700 	state = aa_dfa_null_transition(rules->policy.dfa, state);
701 	state = aa_dfa_match(rules->policy.dfa, state, old_name);
702 	perms = *aa_lookup_perms(&rules->policy, state);
703 
704 	if (AA_MAY_PIVOTROOT & perms.allow)
705 		error = 0;
706 
707 audit:
708 	error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name,
709 			    old_name,
710 			    NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
711 			    &perms, info, error);
712 	if (error)
713 		return ERR_PTR(error);
714 
715 	return aa_get_newest_label(&profile->label);
716 }
717 
718 int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
719 		 const struct path *old_path,
720 		 const struct path *new_path)
721 {
722 	struct aa_profile *profile;
723 	struct aa_label *target = NULL;
724 	char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
725 	int error;
726 
727 	AA_BUG(!label);
728 	AA_BUG(!old_path);
729 	AA_BUG(!new_path);
730 
731 	old_buffer = aa_get_buffer(false);
732 	new_buffer = aa_get_buffer(false);
733 	error = -ENOMEM;
734 	if (!old_buffer || !new_buffer)
735 		goto out;
736 	target = fn_label_build(label, profile, GFP_KERNEL,
737 			build_pivotroot(subj_cred, profile, new_path,
738 					new_buffer,
739 					old_path, old_buffer));
740 	if (!target) {
741 		info = "label build failed";
742 		error = -ENOMEM;
743 		goto fail;
744 	} else if (!IS_ERR(target)) {
745 		error = aa_replace_current_label(target);
746 		if (error) {
747 			/* TODO: audit target */
748 			aa_put_label(target);
749 			goto out;
750 		}
751 		aa_put_label(target);
752 	} else
753 		/* already audited error */
754 		error = PTR_ERR(target);
755 out:
756 	aa_put_buffer(old_buffer);
757 	aa_put_buffer(new_buffer);
758 
759 	return error;
760 
761 fail:
762 	/* TODO: add back in auditing of new_name and old_name */
763 	error = fn_for_each(label, profile,
764 			audit_mount(subj_cred, profile, OP_PIVOTROOT,
765 				    NULL /*new_name */,
766 				    NULL /* old_name */,
767 				    NULL, NULL,
768 				    0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
769 				    error));
770 	goto out;
771 }
772