1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2017 Canonical Ltd.
23 #include "include/path.h"
84 * audit_cb - call back for mount specific audit fields
93 if (ad->mnt.type) { in audit_cb()
95 audit_log_untrustedstring(ab, ad->mnt.type); in audit_cb()
97 if (ad->mnt.src_name) { in audit_cb()
99 audit_log_untrustedstring(ab, ad->mnt.src_name); in audit_cb()
101 if (ad->mnt.trans) { in audit_cb()
103 audit_log_untrustedstring(ab, ad->mnt.trans); in audit_cb()
105 if (ad->mnt.flags) { in audit_cb()
107 audit_mnt_flags(ab, ad->mnt.flags); in audit_cb()
110 if (ad->mnt.data) { in audit_cb()
112 audit_log_untrustedstring(ab, ad->mnt.data); in audit_cb()
117 * audit_mount - handle the auditing of mount operations
126 * @data: filesystem mount data (MAYBE NULL)
138 unsigned long flags, const void *data, u32 request, in audit_mount() argument
145 u32 mask = perms->audit; in audit_mount()
158 request = request & ~perms->allow; in audit_mount()
160 if (request & perms->kill) in audit_mount()
164 if ((request & perms->quiet) && in audit_mount()
167 request &= ~perms->quiet; in audit_mount()
179 if (data && (perms->audit & AA_AUDIT_DATA)) in audit_mount()
180 ad.mnt.data = data; in audit_mount()
188 * match_mnt_flags - Do an ordered match on mount flags
218 "failed data match",
229 void *data, bool binary, struct aa_perms *perms) in do_match_mnt() argument
234 AA_BUG(!policy->dfa); in do_match_mnt()
235 AA_BUG(!policy->perms); in do_match_mnt()
238 state = aa_dfa_match(policy->dfa, start, mntpnt); in do_match_mnt()
239 state = aa_dfa_null_transition(policy->dfa, state); in do_match_mnt()
244 state = aa_dfa_match(policy->dfa, state, devname); in do_match_mnt()
245 state = aa_dfa_null_transition(policy->dfa, state); in do_match_mnt()
250 state = aa_dfa_match(policy->dfa, state, type); in do_match_mnt()
251 state = aa_dfa_null_transition(policy->dfa, state); in do_match_mnt()
255 state = match_mnt_flags(policy->dfa, state, flags); in do_match_mnt()
259 if (perms->allow & AA_MAY_MOUNT) in do_match_mnt()
262 /* only match data if not binary and the DFA flags data is expected */ in do_match_mnt()
263 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { in do_match_mnt()
264 state = aa_dfa_null_transition(policy->dfa, state); in do_match_mnt()
268 state = aa_dfa_match(policy->dfa, state, data); in do_match_mnt()
272 if (perms->allow & AA_MAY_MOUNT) in do_match_mnt()
281 static int path_flags(struct aa_profile *profile, const struct path *path) in path_flags() argument
284 AA_BUG(!path); in path_flags()
286 return profile->path_flags | in path_flags()
287 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); in path_flags()
291 * match_mnt_path_str - handle path matching for mount
299 * @data: fs mount data (MAYBE NULL)
300 * @binary: whether @data is binary
307 const struct path *mntpath, char *buffer, in match_mnt_path_str()
309 unsigned long flags, void *data, bool binary, in match_mnt_path_str() argument
314 struct aa_ruleset *rules = list_first_entry(&profile->rules, in match_mnt_path_str()
326 &mntpnt, &info, profile->disconnected); in match_mnt_path_str()
336 error = -EACCES; in match_mnt_path_str()
337 pos = do_match_mnt(rules->policy, in match_mnt_path_str()
338 rules->policy->start[AA_CLASS_MOUNT], in match_mnt_path_str()
339 mntpnt, devname, type, flags, data, binary, &perms); in match_mnt_path_str()
349 flags, data, AA_MAY_MOUNT, &perms, info, error); in match_mnt_path_str()
353 * match_mnt - handle path matching for mount
356 * @path: for the mntpnt (NOT NULL)
358 * @devpath: path devname/src_name (MAYBE NULL)
362 * @data: fs mount data (MAYBE NULL)
363 * @binary: whether @data is binary
368 struct aa_profile *profile, const struct path *path, in match_mnt() argument
369 char *buffer, const struct path *devpath, char *devbuffer, in match_mnt()
370 const char *type, unsigned long flags, void *data, in match_mnt() argument
374 struct aa_ruleset *rules = list_first_entry(&profile->rules, in match_mnt()
376 int error = -EACCES; in match_mnt()
387 profile->disconnected); in match_mnt()
392 return match_mnt_path_str(subj_cred, profile, path, buffer, devname, in match_mnt()
393 type, flags, data, binary, info); in match_mnt()
397 struct aa_label *label, const struct path *path, in aa_remount() argument
398 unsigned long flags, void *data) in aa_remount() argument
406 AA_BUG(!path); in aa_remount()
408 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; in aa_remount()
412 return -ENOMEM; in aa_remount()
414 match_mnt(subj_cred, profile, path, buffer, NULL, in aa_remount()
416 flags, data, binary)); in aa_remount()
423 struct aa_label *label, const struct path *path, in aa_bind_mount() argument
428 struct path old_path; in aa_bind_mount()
432 AA_BUG(!path); in aa_bind_mount()
435 return -EINVAL; in aa_bind_mount()
445 error = -ENOMEM; in aa_bind_mount()
450 match_mnt(subj_cred, profile, path, buffer, &old_path, in aa_bind_mount()
461 struct aa_label *label, const struct path *path, in aa_mount_change_type() argument
469 AA_BUG(!path); in aa_mount_change_type()
477 return -ENOMEM; in aa_mount_change_type()
479 match_mnt(subj_cred, profile, path, buffer, NULL, in aa_mount_change_type()
488 struct aa_label *label, const struct path *from_path, in aa_move_mount()
489 const struct path *to_path) in aa_move_mount()
501 error = -ENOMEM; in aa_move_mount()
505 if (!our_mnt(from_path->mnt)) in aa_move_mount()
520 const struct path *path, const char *orig_name) in aa_move_mount_old() argument
522 struct path old_path; in aa_move_mount_old()
526 return -EINVAL; in aa_move_mount_old()
531 error = aa_move_mount(subj_cred, label, &old_path, path); in aa_move_mount_old()
538 const char *dev_name, const struct path *path, in aa_new_mount() argument
539 const char *type, unsigned long flags, void *data) in aa_new_mount() argument
546 struct path tmp_path, *dev_path = NULL; in aa_new_mount()
549 AA_BUG(!path); in aa_new_mount()
556 return -ENODEV; in aa_new_mount()
557 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; in aa_new_mount()
558 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; in aa_new_mount()
563 return -ENOENT; in aa_new_mount()
574 error = -ENOMEM; in aa_new_mount()
580 error = -ENOMEM; in aa_new_mount()
584 match_mnt(subj_cred, profile, path, buffer, in aa_new_mount()
586 type, flags, data, binary)); in aa_new_mount()
589 match_mnt_path_str(subj_cred, profile, path, in aa_new_mount()
591 type, flags, data, binary, NULL)); in aa_new_mount()
604 struct aa_profile *profile, const struct path *path, in profile_umount() argument
607 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_umount()
615 AA_BUG(!path); in profile_umount()
620 error = aa_path_name(path, path_flags(profile, path), buffer, &name, in profile_umount()
621 &info, profile->disconnected); in profile_umount()
625 state = aa_dfa_match(rules->policy->dfa, in profile_umount()
626 rules->policy->start[AA_CLASS_MOUNT], in profile_umount()
628 perms = *aa_lookup_perms(rules->policy, state); in profile_umount()
630 error = -EACCES; in profile_umount()
644 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; in aa_umount() local
651 return -ENOMEM; in aa_umount()
654 profile_umount(subj_cred, profile, &path, buffer)); in aa_umount()
666 const struct path *new_path, in build_pivotroot()
668 const struct path *old_path, in build_pivotroot()
671 struct aa_ruleset *rules = list_first_entry(&profile->rules, in build_pivotroot()
685 return aa_get_newest_label(&profile->label); in build_pivotroot()
689 profile->disconnected); in build_pivotroot()
694 profile->disconnected); in build_pivotroot()
698 error = -EACCES; in build_pivotroot()
699 state = aa_dfa_match(rules->policy->dfa, in build_pivotroot()
700 rules->policy->start[AA_CLASS_MOUNT], in build_pivotroot()
702 state = aa_dfa_null_transition(rules->policy->dfa, state); in build_pivotroot()
703 state = aa_dfa_match(rules->policy->dfa, state, old_name); in build_pivotroot()
704 perms = *aa_lookup_perms(rules->policy, state); in build_pivotroot()
717 return aa_get_newest_label(&profile->label); in build_pivotroot()
721 const struct path *old_path, in aa_pivotroot()
722 const struct path *new_path) in aa_pivotroot()
735 error = -ENOMEM; in aa_pivotroot()
744 error = -ENOMEM; in aa_pivotroot()