mount.c source code [linux/security/apparmor/mount.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* AppArmor security module
4	*
5	* This file contains AppArmor mediation of files
6	*
7	* Copyright (C) 1998-2008 Novell/SUSE
8	* Copyright 2009-2017 Canonical Ltd.
9	*/
10
11	#include <linux/fs.h>
12	#include <linux/mount.h>
13	#include <linux/namei.h>
14	#include <uapi/linux/mount.h>
15
16	#include "include/apparmor.h"
17	#include "include/audit.h"
18	#include "include/cred.h"
19	#include "include/domain.h"
20	#include "include/file.h"
21	#include "include/match.h"
22	#include "include/mount.h"
23	#include "include/path.h"
24	#include "include/policy.h"
25
26
27	static void audit_mnt_flags(struct audit_buffer ab, unsigned* long flags)
28	{
29	if (flags & MS_RDONLY)
30	audit_log_format(ab, fmt: "ro");
31	else
32	audit_log_format(ab, fmt: "rw");
33	if (flags & MS_NOSUID)
34	audit_log_format(ab, fmt: ", nosuid");
35	if (flags & MS_NODEV)
36	audit_log_format(ab, fmt: ", nodev");
37	if (flags & MS_NOEXEC)
38	audit_log_format(ab, fmt: ", noexec");
39	if (flags & MS_SYNCHRONOUS)
40	audit_log_format(ab, fmt: ", sync");
41	if (flags & MS_REMOUNT)
42	audit_log_format(ab, fmt: ", remount");
43	if (flags & MS_MANDLOCK)
44	audit_log_format(ab, fmt: ", mand");
45	if (flags & MS_DIRSYNC)
46	audit_log_format(ab, fmt: ", dirsync");
47	if (flags & MS_NOATIME)
48	audit_log_format(ab, fmt: ", noatime");
49	if (flags & MS_NODIRATIME)
50	audit_log_format(ab, fmt: ", nodiratime");
51	if (flags & MS_BIND)
52	audit_log_format(ab, fmt: flags & MS_REC ? ", rbind" : ", bind");
53	if (flags & MS_MOVE)
54	audit_log_format(ab, fmt: ", move");
55	if (flags & MS_SILENT)
56	audit_log_format(ab, fmt: ", silent");
57	if (flags & MS_POSIXACL)
58	audit_log_format(ab, fmt: ", acl");
59	if (flags & MS_UNBINDABLE)
60	audit_log_format(ab, fmt: flags & MS_REC ? ", runbindable" :
61	", unbindable");
62	if (flags & MS_PRIVATE)
63	audit_log_format(ab, fmt: flags & MS_REC ? ", rprivate" :
64	", private");
65	if (flags & MS_SLAVE)
66	audit_log_format(ab, fmt: flags & MS_REC ? ", rslave" :
67	", slave");
68	if (flags & MS_SHARED)
69	audit_log_format(ab, fmt: flags & MS_REC ? ", rshared" :
70	", shared");
71	if (flags & MS_RELATIME)
72	audit_log_format(ab, fmt: ", relatime");
73	if (flags & MS_I_VERSION)
74	audit_log_format(ab, fmt: ", iversion");
75	if (flags & MS_STRICTATIME)
76	audit_log_format(ab, fmt: ", strictatime");
77	if (flags & MS_NOUSER)
78	audit_log_format(ab, fmt: ", nouser");
79	}
80
81	/**
82	* audit_cb - call back for mount specific audit fields
83	* @ab: audit_buffer (NOT NULL)
84	* @va: audit struct to audit values of (NOT NULL)
85	*/
86	static void audit_cb(struct audit_buffer ab, void* *va)
87	{
88	struct common_audit_data *sa = va;
89	struct apparmor_audit_data *ad = aad(sa);
90
91	if (ad->mnt.type) {
92	audit_log_format(ab, fmt: " fstype=");
93	audit_log_untrustedstring(ab, string: ad->mnt.type);
94	}
95	if (ad->mnt.src_name) {
96	audit_log_format(ab, fmt: " srcname=");
97	audit_log_untrustedstring(ab, string: ad->mnt.src_name);
98	}
99	if (ad->mnt.trans) {
100	audit_log_format(ab, fmt: " trans=");
101	audit_log_untrustedstring(ab, string: ad->mnt.trans);
102	}
103	if (ad->mnt.flags) {
104	audit_log_format(ab, fmt: " flags=\"");
105	audit_mnt_flags(ab, flags: ad->mnt.flags);
106	audit_log_format(ab, fmt: "\"");
107	}
108	if (ad->mnt.data) {
109	audit_log_format(ab, fmt: " options=");
110	audit_log_untrustedstring(ab, string: ad->mnt.data);
111	}
112	}
113
114	/**
115	* audit_mount - handle the auditing of mount operations
116	* @subj_cred: cred of the subject
117	* @profile: the profile being enforced (NOT NULL)
118	* @op: operation being mediated (NOT NULL)
119	* @name: name of object being mediated (MAYBE NULL)
120	* @src_name: src_name of object being mediated (MAYBE_NULL)
121	* @type: type of filesystem (MAYBE_NULL)
122	* @trans: name of trans (MAYBE NULL)
123	* @flags: filesystem independent mount flags
124	* @data: filesystem mount flags
125	* @request: permissions requested
126	* @perms: the permissions computed for the request (NOT NULL)
127	* @info: extra information message (MAYBE NULL)
128	* @error: 0 if operation allowed else failure error code
129	*
130	* Returns: %0 or error on failure
131	*/
132	static int audit_mount(const struct cred *subj_cred,
133	struct aa_profile profile, const* char *op,
134	const char name, const* char *src_name,
135	const char type, const* char *trans,
136	unsigned long flags, const void *data, u32 request,
137	struct aa_perms perms, const* char info, int* error)
138	{
139	int audit_type = AUDIT_APPARMOR_AUTO;
140	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
141
142	if (likely(!error)) {
143	u32 mask = perms->audit;
144
145	if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
146	mask = `0xffff`;
147
148	/ mask off perms that are not being force audited /
149	request &= mask;
150
151	if (likely(!request))
152	return `0`;
153	audit_type = AUDIT_APPARMOR_AUDIT;
154	} else {
155	/ only report permissions that were denied /
156	request = request & ~perms->allow;
157
158	if (request & perms->kill)
159	audit_type = AUDIT_APPARMOR_KILL;
160
161	/ quiet known rejects, assumes quiet and kill do not overlap /
162	if ((request & perms->quiet) &&
163	AUDIT_MODE(profile) != AUDIT_NOQUIET &&
164	AUDIT_MODE(profile) != AUDIT_ALL)
165	request &= ~perms->quiet;
166
167	if (!request)
168	return error;
169	}
170
171	ad.subj_cred = subj_cred;
172	ad.name = name;
173	ad.mnt.src_name = src_name;
174	ad.mnt.type = type;
175	ad.mnt.trans = trans;
176	ad.mnt.flags = flags;
177	if (data && (perms->audit & AA_AUDIT_DATA))
178	ad.mnt.data = data;
179	ad.info = info;
180	ad.error = error;
181
182	return aa_audit(type: audit_type, profile, ad: &ad, cb: audit_cb);
183	}
184
185	/**
186	* match_mnt_flags - Do an ordered match on mount flags
187	* @dfa: dfa to match against
188	* @state: state to start in
189	* @flags: mount flags to match against
190	*
191	* Mount flags are encoded as an ordered match. This is done instead of
192	* checking against a simple bitmask, to allow for logical operations
193	* on the flags.
194	*
195	* Returns: next state after flags match
196	*/
197	static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
198	unsigned long flags)
199	{
200	unsigned int i;
201
202	for (i = `0`; i <= `31` ; ++i) {
203	if ((`1` << i) & flags)
204	state = aa_dfa_next(dfa, state, c: i + `1`);
205	}
206
207	return state;
208	}
209
210	static const char * const mnt_info_table[] = {
211	"match succeeded",
212	"failed mntpnt match",
213	"failed srcname match",
214	"failed type match",
215	"failed flags match",
216	"failed data match",
217	"failed perms check"
218	};
219
220	/*
221	* Returns 0 on success else element that match failed in, this is the
222	* index into the mnt_info_table above
223	*/
224	static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
225	const char mntpnt, const* char *devname,
226	const char type, unsigned* long flags,
227	void data, bool binary, struct* aa_perms *perms)
228	{
229	aa_state_t state;
230
231	AA_BUG(!policy);
232	AA_BUG(!policy->dfa);
233	AA_BUG(!policy->perms);
234	AA_BUG(!perms);
235
236	state = aa_dfa_match(dfa: policy->dfa, start, str: mntpnt);
237	state = aa_dfa_null_transition(dfa: policy->dfa, start: state);
238	if (!state)
239	return `1`;
240
241	if (devname)
242	state = aa_dfa_match(dfa: policy->dfa, start: state, str: devname);
243	state = aa_dfa_null_transition(dfa: policy->dfa, start: state);
244	if (!state)
245	return `2`;
246
247	if (type)
248	state = aa_dfa_match(dfa: policy->dfa, start: state, str: type);
249	state = aa_dfa_null_transition(dfa: policy->dfa, start: state);
250	if (!state)
251	return `3`;
252
253	state = match_mnt_flags(dfa: policy->dfa, state, flags);
254	if (!state)
255	return `4`;
256	perms = aa_lookup_perms(policy, state);
257	if (perms->allow & AA_MAY_MOUNT)
258	return `0`;
259
260	/ only match data if not binary and the DFA flags data is expected /
261	if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
262	state = aa_dfa_null_transition(dfa: policy->dfa, start: state);
263	if (!state)
264	return `4`;
265
266	state = aa_dfa_match(dfa: policy->dfa, start: state, str: data);
267	if (!state)
268	return `5`;
269	perms = aa_lookup_perms(policy, state);
270	if (perms->allow & AA_MAY_MOUNT)
271	return `0`;
272	}
273
274	/ failed at perms check, don't confuse with flags match /
275	return `6`;
276	}
277
278
279	static int path_flags(struct aa_profile profile, const* struct path *path)
280	{
281	AA_BUG(!profile);
282	AA_BUG(!path);
283
284	return profile->path_flags \|
285	(S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : `0`);
286	}
287
288	/**
289	* match_mnt_path_str - handle path matching for mount
290	* @subj_cred: cred of confined subject
291	* @profile: the confining profile
292	* @mntpath: for the mntpnt (NOT NULL)
293	* @buffer: buffer to be used to lookup mntpath
294	* @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
295	* @type: string for the dev type (MAYBE NULL)
296	* @flags: mount flags to match
297	* @data: fs mount data (MAYBE NULL)
298	* @binary: whether @data is binary
299	* @devinfo: error str if (IS_ERR(@devname))
300	*
301	* Returns: 0 on success else error
302	*/
303	static int match_mnt_path_str(const struct cred *subj_cred,
304	struct aa_profile *profile,
305	const struct path mntpath, char* *buffer,
306	const char devname, const* char *type,
307	unsigned long flags, void *data, bool binary,
308	const char *devinfo)
309	{
310	struct aa_perms perms = { };
311	const char mntpnt = NULL, info = NULL;
312	struct aa_ruleset *rules = list_first_entry(&profile->rules,
313	typeof(*rules), list);
314	int pos, error;
315
316	AA_BUG(!profile);
317	AA_BUG(!mntpath);
318	AA_BUG(!buffer);
319
320	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
321	return `0`;
322
323	error = aa_path_name(path: mntpath, flags: path_flags(profile, path: mntpath), buffer,
324	name: &mntpnt, info: &info, disconnected: profile->disconnected);
325	if (error)
326	goto audit;
327	if (IS_ERR(ptr: devname)) {
328	error = PTR_ERR(ptr: devname);
329	devname = NULL;
330	info = devinfo;
331	goto audit;
332	}
333
334	error = -EACCES;
335	pos = do_match_mnt(policy: rules->policy,
336	start: rules->policy->start[AA_CLASS_MOUNT],
337	mntpnt, devname, type, flags, data, binary, perms: &perms);
338	if (pos) {
339	info = mnt_info_table[pos];
340	goto audit;
341	}
342	error = `0`;
343
344	audit:
345	return audit_mount(subj_cred, profile, OP_MOUNT, name: mntpnt, src_name: devname,
346	type, NULL,
347	flags, data, AA_MAY_MOUNT, perms: &perms, info, error);
348	}
349
350	/**
351	* match_mnt - handle path matching for mount
352	* @subj_cred: cred of the subject
353	* @profile: the confining profile
354	* @path: for the mntpnt (NOT NULL)
355	* @buffer: buffer to be used to lookup mntpath
356	* @devpath: path devname/src_name (MAYBE NULL)
357	* @devbuffer: buffer to be used to lookup devname/src_name
358	* @type: string for the dev type (MAYBE NULL)
359	* @flags: mount flags to match
360	* @data: fs mount data (MAYBE NULL)
361	* @binary: whether @data is binary
362	*
363	* Returns: 0 on success else error
364	*/
365	static int match_mnt(const struct cred *subj_cred,
366	struct aa_profile profile, const* struct path *path,
367	char buffer, const* struct path devpath, char* *devbuffer,
368	const char type, unsigned* long flags, void *data,
369	bool binary)
370	{
371	const char devname = NULL, info = NULL;
372	struct aa_ruleset *rules = list_first_entry(&profile->rules,
373	typeof(*rules), list);
374	int error = -EACCES;
375
376	AA_BUG(!profile);
377	AA_BUG(devpath && !devbuffer);
378
379	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
380	return `0`;
381
382	if (devpath) {
383	error = aa_path_name(path: devpath, flags: path_flags(profile, path: devpath),
384	buffer: devbuffer, name: &devname, info: &info,
385	disconnected: profile->disconnected);
386	if (error)
387	devname = ERR_PTR(error);
388	}
389
390	return match_mnt_path_str(subj_cred, profile, mntpath: path, buffer, devname,
391	type, flags, data, binary, devinfo: info);
392	}
393
394	int aa_remount(const struct cred *subj_cred,
395	struct aa_label label, const* struct path *path,
396	unsigned long flags, void *data)
397	{
398	struct aa_profile *profile;
399	char *buffer = NULL;
400	bool binary;
401	int error;
402
403	AA_BUG(!label);
404	AA_BUG(!path);
405
406	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
407
408	buffer = aa_get_buffer(in_atomic: false);
409	if (!buffer)
410	return -ENOMEM;
411	error = fn_for_each_confined(label, profile,
412	match_mnt(subj_cred, profile, path, buffer, NULL,
413	NULL, NULL,
414	flags, data, binary));
415	aa_put_buffer(buf: buffer);
416
417	return error;
418	}
419
420	int aa_bind_mount(const struct cred *subj_cred,
421	struct aa_label label, const* struct path *path,
422	const char dev_name, unsigned* long flags)
423	{
424	struct aa_profile *profile;
425	char buffer = NULL, old_buffer = NULL;
426	struct path old_path;
427	int error;
428
429	AA_BUG(!label);
430	AA_BUG(!path);
431
432	if (!dev_name \|\| !*dev_name)
433	return -EINVAL;
434
435	flags &= MS_REC \| MS_BIND;
436
437	error = kern_path(dev_name, LOOKUP_FOLLOW\|LOOKUP_AUTOMOUNT, &old_path);
438	if (error)
439	return error;
440
441	buffer = aa_get_buffer(in_atomic: false);
442	old_buffer = aa_get_buffer(in_atomic: false);
443	error = -ENOMEM;
444	if (!buffer \|\| !old_buffer)
445	goto out;
446
447	error = fn_for_each_confined(label, profile,
448	match_mnt(subj_cred, profile, path, buffer, &old_path,
449	old_buffer, NULL, flags, NULL, false));
450	out:
451	aa_put_buffer(buf: buffer);
452	aa_put_buffer(buf: old_buffer);
453	path_put(&old_path);
454
455	return error;
456	}
457
458	int aa_mount_change_type(const struct cred *subj_cred,
459	struct aa_label label, const* struct path *path,
460	unsigned long flags)
461	{
462	struct aa_profile *profile;
463	char *buffer = NULL;
464	int error;
465
466	AA_BUG(!label);
467	AA_BUG(!path);
468
469	/ These are the flags allowed by do_change_type() /
470	flags &= (MS_REC \| MS_SILENT \| MS_SHARED \| MS_PRIVATE \| MS_SLAVE \|
471	MS_UNBINDABLE);
472
473	buffer = aa_get_buffer(in_atomic: false);
474	if (!buffer)
475	return -ENOMEM;
476	error = fn_for_each_confined(label, profile,
477	match_mnt(subj_cred, profile, path, buffer, NULL,
478	NULL, NULL,
479	flags, NULL, false));
480	aa_put_buffer(buf: buffer);
481
482	return error;
483	}
484
485	int aa_move_mount(const struct cred *subj_cred,
486	struct aa_label label, const* struct path *from_path,
487	const struct path *to_path)
488	{
489	struct aa_profile *profile;
490	char to_buffer = NULL, from_buffer = NULL;
491	int error;
492
493	AA_BUG(!label);
494	AA_BUG(!from_path);
495	AA_BUG(!to_path);
496
497	to_buffer = aa_get_buffer(in_atomic: false);
498	from_buffer = aa_get_buffer(in_atomic: false);
499	error = -ENOMEM;
500	if (!to_buffer \|\| !from_buffer)
501	goto out;
502
503	if (!our_mnt(mnt: from_path->mnt))
504	/ moving a mount detached from the namespace /
505	from_path = NULL;
506	error = fn_for_each_confined(label, profile,
507	match_mnt(subj_cred, profile, to_path, to_buffer,
508	from_path, from_buffer,
509	NULL, MS_MOVE, NULL, false));
510	out:
511	aa_put_buffer(buf: to_buffer);
512	aa_put_buffer(buf: from_buffer);
513
514	return error;
515	}
516
517	int aa_move_mount_old(const struct cred subj_cred, struct* aa_label *label,
518	const struct path path, const* char *orig_name)
519	{
520	struct path old_path;
521	int error;
522
523	if (!orig_name \|\| !*orig_name)
524	return -EINVAL;
525	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
526	if (error)
527	return error;
528
529	error = aa_move_mount(subj_cred, label, from_path: &old_path, to_path: path);
530	path_put(&old_path);
531
532	return error;
533	}
534
535	int aa_new_mount(const struct cred subj_cred, struct* aa_label *label,
536	const char dev_name, const* struct path *path,
537	const char type, unsigned* long flags, void *data)
538	{
539	struct aa_profile *profile;
540	char buffer = NULL, dev_buffer = NULL;
541	bool binary = true;
542	int error;
543	int requires_dev = `0`;
544	struct path tmp_path, *dev_path = NULL;
545
546	AA_BUG(!label);
547	AA_BUG(!path);
548
549	if (type) {
550	struct file_system_type *fstype;
551
552	fstype = get_fs_type(name: type);
553	if (!fstype)
554	return -ENODEV;
555	binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
556	requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
557	put_filesystem(fs: fstype);
558
559	if (requires_dev) {
560	if (!dev_name \|\| !*dev_name)
561	return -ENOENT;
562
563	error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
564	if (error)
565	return error;
566	dev_path = &tmp_path;
567	}
568	}
569
570	buffer = aa_get_buffer(in_atomic: false);
571	if (!buffer) {
572	error = -ENOMEM;
573	goto out;
574	}
575	if (dev_path) {
576	dev_buffer = aa_get_buffer(in_atomic: false);
577	if (!dev_buffer) {
578	error = -ENOMEM;
579	goto out;
580	}
581	error = fn_for_each_confined(label, profile,
582	match_mnt(subj_cred, profile, path, buffer,
583	dev_path, dev_buffer,
584	type, flags, data, binary));
585	} else {
586	error = fn_for_each_confined(label, profile,
587	match_mnt_path_str(subj_cred, profile, path,
588	buffer, dev_name,
589	type, flags, data, binary, NULL));
590	}
591
592	out:
593	aa_put_buffer(buf: buffer);
594	aa_put_buffer(buf: dev_buffer);
595	if (dev_path)
596	path_put(dev_path);
597
598	return error;
599	}
600
601	static int profile_umount(const struct cred *subj_cred,
602	struct aa_profile profile, const* struct path *path,
603	char *buffer)
604	{
605	struct aa_ruleset *rules = list_first_entry(&profile->rules,
606	typeof(*rules), list);
607	struct aa_perms perms = { };
608	const char name = NULL, info = NULL;
609	aa_state_t state;
610	int error;
611
612	AA_BUG(!profile);
613	AA_BUG(!path);
614
615	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
616	return `0`;
617
618	error = aa_path_name(path, flags: path_flags(profile, path), buffer, name: &name,
619	info: &info, disconnected: profile->disconnected);
620	if (error)
621	goto audit;
622
623	state = aa_dfa_match(dfa: rules->policy->dfa,
624	start: rules->policy->start[AA_CLASS_MOUNT],
625	str: name);
626	perms = *aa_lookup_perms(policy: rules->policy, state);
627	if (AA_MAY_UMOUNT & ~perms.allow)
628	error = -EACCES;
629
630	audit:
631	return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
632	NULL, flags: `0`, NULL,
633	AA_MAY_UMOUNT, perms: &perms, info, error);
634	}
635
636	int aa_umount(const struct cred subj_cred, struct* aa_label *label,
637	struct vfsmount mnt, int* flags)
638	{
639	struct aa_profile *profile;
640	char *buffer = NULL;
641	int error;
642	struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
643
644	AA_BUG(!label);
645	AA_BUG(!mnt);
646
647	buffer = aa_get_buffer(in_atomic: false);
648	if (!buffer)
649	return -ENOMEM;
650
651	error = fn_for_each_confined(label, profile,
652	profile_umount(subj_cred, profile, &path, buffer));
653	aa_put_buffer(buf: buffer);
654
655	return error;
656	}
657
658	/ helper fn for transition on pivotroot*
659	*
660	* Returns: label for transition or ERR_PTR. Does not return NULL
661	*/
662	static struct aa_label build_pivotroot(const* struct cred *subj_cred,
663	struct aa_profile *profile,
664	const struct path *new_path,
665	char *new_buffer,
666	const struct path *old_path,
667	char *old_buffer)
668	{
669	struct aa_ruleset *rules = list_first_entry(&profile->rules,
670	typeof(*rules), list);
671	const char old_name, new_name = NULL, *info = NULL;
672	const char *trans_name = NULL;
673	struct aa_perms perms = { };
674	aa_state_t state;
675	int error;
676
677	AA_BUG(!profile);
678	AA_BUG(!new_path);
679	AA_BUG(!old_path);
680
681	if (profile_unconfined(profile) \|\|
682	!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
683	return aa_get_newest_label(l: &profile->label);
684
685	error = aa_path_name(path: old_path, flags: path_flags(profile, path: old_path),
686	buffer: old_buffer, name: &old_name, info: &info,
687	disconnected: profile->disconnected);
688	if (error)
689	goto audit;
690	error = aa_path_name(path: new_path, flags: path_flags(profile, path: new_path),
691	buffer: new_buffer, name: &new_name, info: &info,
692	disconnected: profile->disconnected);
693	if (error)
694	goto audit;
695
696	error = -EACCES;
697	state = aa_dfa_match(dfa: rules->policy->dfa,
698	start: rules->policy->start[AA_CLASS_MOUNT],
699	str: new_name);
700	state = aa_dfa_null_transition(dfa: rules->policy->dfa, start: state);
701	state = aa_dfa_match(dfa: rules->policy->dfa, start: state, str: old_name);
702	perms = *aa_lookup_perms(policy: rules->policy, state);
703
704	if (AA_MAY_PIVOTROOT & perms.allow)
705	error = `0`;
706
707	audit:
708	error = audit_mount(subj_cred, profile, OP_PIVOTROOT, name: new_name,
709	src_name: old_name,
710	NULL, trans: trans_name, flags: `0`, NULL, AA_MAY_PIVOTROOT,
711	perms: &perms, info, error);
712	if (error)
713	return ERR_PTR(error);
714
715	return aa_get_newest_label(l: &profile->label);
716	}
717
718	int aa_pivotroot(const struct cred subj_cred, struct* aa_label *label,
719	const struct path *old_path,
720	const struct path *new_path)
721	{
722	struct aa_profile *profile;
723	struct aa_label *target = NULL;
724	char old_buffer = NULL, new_buffer = NULL, *info = NULL;
725	int error;
726
727	AA_BUG(!label);
728	AA_BUG(!old_path);
729	AA_BUG(!new_path);
730
731	old_buffer = aa_get_buffer(in_atomic: false);
732	new_buffer = aa_get_buffer(in_atomic: false);
733	error = -ENOMEM;
734	if (!old_buffer \|\| !new_buffer)
735	goto out;
736	target = fn_label_build(label, profile, GFP_KERNEL,
737	build_pivotroot(subj_cred, profile, new_path,
738	new_buffer,
739	old_path, old_buffer));
740	if (!target) {
741	info = "label build failed";
742	error = -ENOMEM;
743	goto fail;
744	} else if (!IS_ERR(ptr: target)) {
745	error = aa_replace_current_label(label: target);
746	if (error) {
747	/ TODO: audit target /
748	aa_put_label(l: target);
749	goto out;
750	}
751	aa_put_label(l: target);
752	} else
753	/ already audited error /
754	error = PTR_ERR(ptr: target);
755	out:
756	aa_put_buffer(buf: old_buffer);
757	aa_put_buffer(buf: new_buffer);
758
759	return error;
760
761	fail:
762	/ TODO: add back in auditing of new_name and old_name /
763	error = fn_for_each(label, profile,
764	audit_mount(subj_cred, profile, OP_PIVOTROOT,
765	NULL /new_name /,
766	NULL / old_name /,
767	NULL, NULL,
768	`0`, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
769	error));
770	goto out;
771	}
772

source code of linux/security/apparmor/mount.c