security/apparmor/mount.c at v6.7-rc6 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / security / apparmor / mount.c
at v6.7-rc6 767 lines 20 kB view raw
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor mediation of files
  6 *
  7 * Copyright (C) 1998-2008 Novell/SUSE
  8 * Copyright 2009-2017 Canonical Ltd.
  9 */
 10
 11#include <linux/fs.h>
 12#include <linux/mount.h>
 13#include <linux/namei.h>
 14#include <uapi/linux/mount.h>
 15
 16#include "include/apparmor.h"
 17#include "include/audit.h"
 18#include "include/cred.h"
 19#include "include/domain.h"
 20#include "include/file.h"
 21#include "include/match.h"
 22#include "include/mount.h"
 23#include "include/path.h"
 24#include "include/policy.h"
 25
 26
 27static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
 28{
 29	if (flags & MS_RDONLY)
 30		audit_log_format(ab, "ro");
 31	else
 32		audit_log_format(ab, "rw");
 33	if (flags & MS_NOSUID)
 34		audit_log_format(ab, ", nosuid");
 35	if (flags & MS_NODEV)
 36		audit_log_format(ab, ", nodev");
 37	if (flags & MS_NOEXEC)
 38		audit_log_format(ab, ", noexec");
 39	if (flags & MS_SYNCHRONOUS)
 40		audit_log_format(ab, ", sync");
 41	if (flags & MS_REMOUNT)
 42		audit_log_format(ab, ", remount");
 43	if (flags & MS_MANDLOCK)
 44		audit_log_format(ab, ", mand");
 45	if (flags & MS_DIRSYNC)
 46		audit_log_format(ab, ", dirsync");
 47	if (flags & MS_NOATIME)
 48		audit_log_format(ab, ", noatime");
 49	if (flags & MS_NODIRATIME)
 50		audit_log_format(ab, ", nodiratime");
 51	if (flags & MS_BIND)
 52		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
 53	if (flags & MS_MOVE)
 54		audit_log_format(ab, ", move");
 55	if (flags & MS_SILENT)
 56		audit_log_format(ab, ", silent");
 57	if (flags & MS_POSIXACL)
 58		audit_log_format(ab, ", acl");
 59	if (flags & MS_UNBINDABLE)
 60		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
 61				 ", unbindable");
 62	if (flags & MS_PRIVATE)
 63		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
 64				 ", private");
 65	if (flags & MS_SLAVE)
 66		audit_log_format(ab, flags & MS_REC ? ", rslave" :
 67				 ", slave");
 68	if (flags & MS_SHARED)
 69		audit_log_format(ab, flags & MS_REC ? ", rshared" :
 70				 ", shared");
 71	if (flags & MS_RELATIME)
 72		audit_log_format(ab, ", relatime");
 73	if (flags & MS_I_VERSION)
 74		audit_log_format(ab, ", iversion");
 75	if (flags & MS_STRICTATIME)
 76		audit_log_format(ab, ", strictatime");
 77	if (flags & MS_NOUSER)
 78		audit_log_format(ab, ", nouser");
 79}
 80
 81/**
 82 * audit_cb - call back for mount specific audit fields
 83 * @ab: audit_buffer  (NOT NULL)
 84 * @va: audit struct to audit values of  (NOT NULL)
 85 */
 86static void audit_cb(struct audit_buffer *ab, void *va)
 87{
 88	struct common_audit_data *sa = va;
 89	struct apparmor_audit_data *ad = aad(sa);
 90
 91	if (ad->mnt.type) {
 92		audit_log_format(ab, " fstype=");
 93		audit_log_untrustedstring(ab, ad->mnt.type);
 94	}
 95	if (ad->mnt.src_name) {
 96		audit_log_format(ab, " srcname=");
 97		audit_log_untrustedstring(ab, ad->mnt.src_name);
 98	}
 99	if (ad->mnt.trans) {
100		audit_log_format(ab, " trans=");
101		audit_log_untrustedstring(ab, ad->mnt.trans);
102	}
103	if (ad->mnt.flags) {
104		audit_log_format(ab, " flags=\"");
105		audit_mnt_flags(ab, ad->mnt.flags);
106		audit_log_format(ab, "\"");
107	}
108	if (ad->mnt.data) {
109		audit_log_format(ab, " options=");
110		audit_log_untrustedstring(ab, ad->mnt.data);
111	}
112}
113
114/**
115 * audit_mount - handle the auditing of mount operations
116 * @subj_cred: cred of the subject
117 * @profile: the profile being enforced  (NOT NULL)
118 * @op: operation being mediated (NOT NULL)
119 * @name: name of object being mediated (MAYBE NULL)
120 * @src_name: src_name of object being mediated (MAYBE_NULL)
121 * @type: type of filesystem (MAYBE_NULL)
122 * @trans: name of trans (MAYBE NULL)
123 * @flags: filesystem independent mount flags
124 * @data: filesystem mount flags
125 * @request: permissions requested
126 * @perms: the permissions computed for the request (NOT NULL)
127 * @info: extra information message (MAYBE NULL)
128 * @error: 0 if operation allowed else failure error code
129 *
130 * Returns: %0 or error on failure
131 */
132static int audit_mount(const struct cred *subj_cred,
133		       struct aa_profile *profile, const char *op,
134		       const char *name, const char *src_name,
135		       const char *type, const char *trans,
136		       unsigned long flags, const void *data, u32 request,
137		       struct aa_perms *perms, const char *info, int error)
138{
139	int audit_type = AUDIT_APPARMOR_AUTO;
140	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
141
142	if (likely(!error)) {
143		u32 mask = perms->audit;
144
145		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
146			mask = 0xffff;
147
148		/* mask off perms that are not being force audited */
149		request &= mask;
150
151		if (likely(!request))
152			return 0;
153		audit_type = AUDIT_APPARMOR_AUDIT;
154	} else {
155		/* only report permissions that were denied */
156		request = request & ~perms->allow;
157
158		if (request & perms->kill)
159			audit_type = AUDIT_APPARMOR_KILL;
160
161		/* quiet known rejects, assumes quiet and kill do not overlap */
162		if ((request & perms->quiet) &&
163		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
164		    AUDIT_MODE(profile) != AUDIT_ALL)
165			request &= ~perms->quiet;
166
167		if (!request)
168			return error;
169	}
170
171	ad.subj_cred = subj_cred;
172	ad.name = name;
173	ad.mnt.src_name = src_name;
174	ad.mnt.type = type;
175	ad.mnt.trans = trans;
176	ad.mnt.flags = flags;
177	if (data && (perms->audit & AA_AUDIT_DATA))
178		ad.mnt.data = data;
179	ad.info = info;
180	ad.error = error;
181
182	return aa_audit(audit_type, profile, &ad, audit_cb);
183}
184
185/**
186 * match_mnt_flags - Do an ordered match on mount flags
187 * @dfa: dfa to match against
188 * @state: state to start in
189 * @flags: mount flags to match against
190 *
191 * Mount flags are encoded as an ordered match. This is done instead of
192 * checking against a simple bitmask, to allow for logical operations
193 * on the flags.
194 *
195 * Returns: next state after flags match
196 */
197static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
198				    unsigned long flags)
199{
200	unsigned int i;
201
202	for (i = 0; i <= 31 ; ++i) {
203		if ((1 << i) & flags)
204			state = aa_dfa_next(dfa, state, i + 1);
205	}
206
207	return state;
208}
209
210static const char * const mnt_info_table[] = {
211	"match succeeded",
212	"failed mntpnt match",
213	"failed srcname match",
214	"failed type match",
215	"failed flags match",
216	"failed data match",
217	"failed perms check"
218};
219
220/*
221 * Returns 0 on success else element that match failed in, this is the
222 * index into the mnt_info_table above
223 */
224static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
225			const char *mntpnt, const char *devname,
226			const char *type, unsigned long flags,
227			void *data, bool binary, struct aa_perms *perms)
228{
229	aa_state_t state;
230
231	AA_BUG(!policy);
232	AA_BUG(!policy->dfa);
233	AA_BUG(!policy->perms);
234	AA_BUG(!perms);
235
236	state = aa_dfa_match(policy->dfa, start, mntpnt);
237	state = aa_dfa_null_transition(policy->dfa, state);
238	if (!state)
239		return 1;
240
241	if (devname)
242		state = aa_dfa_match(policy->dfa, state, devname);
243	state = aa_dfa_null_transition(policy->dfa, state);
244	if (!state)
245		return 2;
246
247	if (type)
248		state = aa_dfa_match(policy->dfa, state, type);
249	state = aa_dfa_null_transition(policy->dfa, state);
250	if (!state)
251		return 3;
252
253	state = match_mnt_flags(policy->dfa, state, flags);
254	if (!state)
255		return 4;
256	*perms = *aa_lookup_perms(policy, state);
257	if (perms->allow & AA_MAY_MOUNT)
258		return 0;
259
260	/* only match data if not binary and the DFA flags data is expected */
261	if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
262		state = aa_dfa_null_transition(policy->dfa, state);
263		if (!state)
264			return 4;
265
266		state = aa_dfa_match(policy->dfa, state, data);
267		if (!state)
268			return 5;
269		*perms = *aa_lookup_perms(policy, state);
270		if (perms->allow & AA_MAY_MOUNT)
271			return 0;
272	}
273
274	/* failed at perms check, don't confuse with flags match */
275	return 6;
276}
277
278
279static int path_flags(struct aa_profile *profile, const struct path *path)
280{
281	AA_BUG(!profile);
282	AA_BUG(!path);
283
284	return profile->path_flags |
285		(S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
286}
287
288/**
289 * match_mnt_path_str - handle path matching for mount
290 * @subj_cred: cred of confined subject
291 * @profile: the confining profile
292 * @mntpath: for the mntpnt (NOT NULL)
293 * @buffer: buffer to be used to lookup mntpath
294 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
295 * @type: string for the dev type (MAYBE NULL)
296 * @flags: mount flags to match
297 * @data: fs mount data (MAYBE NULL)
298 * @binary: whether @data is binary
299 * @devinfo: error str if (IS_ERR(@devname))
300 *
301 * Returns: 0 on success else error
302 */
303static int match_mnt_path_str(const struct cred *subj_cred,
304			      struct aa_profile *profile,
305			      const struct path *mntpath, char *buffer,
306			      const char *devname, const char *type,
307			      unsigned long flags, void *data, bool binary,
308			      const char *devinfo)
309{
310	struct aa_perms perms = { };
311	const char *mntpnt = NULL, *info = NULL;
312	struct aa_ruleset *rules = list_first_entry(&profile->rules,
313						    typeof(*rules), list);
314	int pos, error;
315
316	AA_BUG(!profile);
317	AA_BUG(!mntpath);
318	AA_BUG(!buffer);
319
320	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
321		return 0;
322
323	error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
324			     &mntpnt, &info, profile->disconnected);
325	if (error)
326		goto audit;
327	if (IS_ERR(devname)) {
328		error = PTR_ERR(devname);
329		devname = NULL;
330		info = devinfo;
331		goto audit;
332	}
333
334	error = -EACCES;
335	pos = do_match_mnt(rules->policy,
336			   rules->policy->start[AA_CLASS_MOUNT],
337			   mntpnt, devname, type, flags, data, binary, &perms);
338	if (pos) {
339		info = mnt_info_table[pos];
340		goto audit;
341	}
342	error = 0;
343
344audit:
345	return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname,
346			   type, NULL,
347			   flags, data, AA_MAY_MOUNT, &perms, info, error);
348}
349
350/**
351 * match_mnt - handle path matching for mount
352 * @subj_cred: cred of the subject
353 * @profile: the confining profile
354 * @path: for the mntpnt (NOT NULL)
355 * @buffer: buffer to be used to lookup mntpath
356 * @devpath: path devname/src_name (MAYBE NULL)
357 * @devbuffer: buffer to be used to lookup devname/src_name
358 * @type: string for the dev type (MAYBE NULL)
359 * @flags: mount flags to match
360 * @data: fs mount data (MAYBE NULL)
361 * @binary: whether @data is binary
362 *
363 * Returns: 0 on success else error
364 */
365static int match_mnt(const struct cred *subj_cred,
366		     struct aa_profile *profile, const struct path *path,
367		     char *buffer, const struct path *devpath, char *devbuffer,
368		     const char *type, unsigned long flags, void *data,
369		     bool binary)
370{
371	const char *devname = NULL, *info = NULL;
372	struct aa_ruleset *rules = list_first_entry(&profile->rules,
373						    typeof(*rules), list);
374	int error = -EACCES;
375
376	AA_BUG(!profile);
377	AA_BUG(devpath && !devbuffer);
378
379	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
380		return 0;
381
382	if (devpath) {
383		error = aa_path_name(devpath, path_flags(profile, devpath),
384				     devbuffer, &devname, &info,
385				     profile->disconnected);
386		if (error)
387			devname = ERR_PTR(error);
388	}
389
390	return match_mnt_path_str(subj_cred, profile, path, buffer, devname,
391				  type, flags, data, binary, info);
392}
393
394int aa_remount(const struct cred *subj_cred,
395	       struct aa_label *label, const struct path *path,
396	       unsigned long flags, void *data)
397{
398	struct aa_profile *profile;
399	char *buffer = NULL;
400	bool binary;
401	int error;
402
403	AA_BUG(!label);
404	AA_BUG(!path);
405
406	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
407
408	buffer = aa_get_buffer(false);
409	if (!buffer)
410		return -ENOMEM;
411	error = fn_for_each_confined(label, profile,
412			match_mnt(subj_cred, profile, path, buffer, NULL,
413				  NULL, NULL,
414				  flags, data, binary));
415	aa_put_buffer(buffer);
416
417	return error;
418}
419
420int aa_bind_mount(const struct cred *subj_cred,
421		  struct aa_label *label, const struct path *path,
422		  const char *dev_name, unsigned long flags)
423{
424	struct aa_profile *profile;
425	char *buffer = NULL, *old_buffer = NULL;
426	struct path old_path;
427	int error;
428
429	AA_BUG(!label);
430	AA_BUG(!path);
431
432	if (!dev_name || !*dev_name)
433		return -EINVAL;
434
435	flags &= MS_REC | MS_BIND;
436
437	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
438	if (error)
439		return error;
440
441	buffer = aa_get_buffer(false);
442	old_buffer = aa_get_buffer(false);
443	error = -ENOMEM;
444	if (!buffer || !old_buffer)
445		goto out;
446
447	error = fn_for_each_confined(label, profile,
448			match_mnt(subj_cred, profile, path, buffer, &old_path,
449				  old_buffer, NULL, flags, NULL, false));
450out:
451	aa_put_buffer(buffer);
452	aa_put_buffer(old_buffer);
453	path_put(&old_path);
454
455	return error;
456}
457
458int aa_mount_change_type(const struct cred *subj_cred,
459			 struct aa_label *label, const struct path *path,
460			 unsigned long flags)
461{
462	struct aa_profile *profile;
463	char *buffer = NULL;
464	int error;
465
466	AA_BUG(!label);
467	AA_BUG(!path);
468
469	/* These are the flags allowed by do_change_type() */
470	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
471		  MS_UNBINDABLE);
472
473	buffer = aa_get_buffer(false);
474	if (!buffer)
475		return -ENOMEM;
476	error = fn_for_each_confined(label, profile,
477			match_mnt(subj_cred, profile, path, buffer, NULL,
478				  NULL, NULL,
479				  flags, NULL, false));
480	aa_put_buffer(buffer);
481
482	return error;
483}
484
485int aa_move_mount(const struct cred *subj_cred,
486		  struct aa_label *label, const struct path *from_path,
487		  const struct path *to_path)
488{
489	struct aa_profile *profile;
490	char *to_buffer = NULL, *from_buffer = NULL;
491	int error;
492
493	AA_BUG(!label);
494	AA_BUG(!from_path);
495	AA_BUG(!to_path);
496
497	to_buffer = aa_get_buffer(false);
498	from_buffer = aa_get_buffer(false);
499	error = -ENOMEM;
500	if (!to_buffer || !from_buffer)
501		goto out;
502	error = fn_for_each_confined(label, profile,
503			match_mnt(subj_cred, profile, to_path, to_buffer,
504				  from_path, from_buffer,
505				  NULL, MS_MOVE, NULL, false));
506out:
507	aa_put_buffer(to_buffer);
508	aa_put_buffer(from_buffer);
509
510	return error;
511}
512
513int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
514		      const struct path *path, const char *orig_name)
515{
516	struct path old_path;
517	int error;
518
519	if (!orig_name || !*orig_name)
520		return -EINVAL;
521	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
522	if (error)
523		return error;
524
525	error = aa_move_mount(subj_cred, label, &old_path, path);
526	path_put(&old_path);
527
528	return error;
529}
530
531int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
532		 const char *dev_name, const struct path *path,
533		 const char *type, unsigned long flags, void *data)
534{
535	struct aa_profile *profile;
536	char *buffer = NULL, *dev_buffer = NULL;
537	bool binary = true;
538	int error;
539	int requires_dev = 0;
540	struct path tmp_path, *dev_path = NULL;
541
542	AA_BUG(!label);
543	AA_BUG(!path);
544
545	if (type) {
546		struct file_system_type *fstype;
547
548		fstype = get_fs_type(type);
549		if (!fstype)
550			return -ENODEV;
551		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
552		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
553		put_filesystem(fstype);
554
555		if (requires_dev) {
556			if (!dev_name || !*dev_name)
557				return -ENOENT;
558
559			error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
560			if (error)
561				return error;
562			dev_path = &tmp_path;
563		}
564	}
565
566	buffer = aa_get_buffer(false);
567	if (!buffer) {
568		error = -ENOMEM;
569		goto out;
570	}
571	if (dev_path) {
572		dev_buffer = aa_get_buffer(false);
573		if (!dev_buffer) {
574			error = -ENOMEM;
575			goto out;
576		}
577		error = fn_for_each_confined(label, profile,
578				match_mnt(subj_cred, profile, path, buffer,
579					  dev_path, dev_buffer,
580				  type, flags, data, binary));
581	} else {
582		error = fn_for_each_confined(label, profile,
583				match_mnt_path_str(subj_cred, profile, path,
584					buffer, dev_name,
585					type, flags, data, binary, NULL));
586	}
587
588out:
589	aa_put_buffer(buffer);
590	aa_put_buffer(dev_buffer);
591	if (dev_path)
592		path_put(dev_path);
593
594	return error;
595}
596
597static int profile_umount(const struct cred *subj_cred,
598			  struct aa_profile *profile, const struct path *path,
599			  char *buffer)
600{
601	struct aa_ruleset *rules = list_first_entry(&profile->rules,
602						    typeof(*rules), list);
603	struct aa_perms perms = { };
604	const char *name = NULL, *info = NULL;
605	aa_state_t state;
606	int error;
607
608	AA_BUG(!profile);
609	AA_BUG(!path);
610
611	if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
612		return 0;
613
614	error = aa_path_name(path, path_flags(profile, path), buffer, &name,
615			     &info, profile->disconnected);
616	if (error)
617		goto audit;
618
619	state = aa_dfa_match(rules->policy->dfa,
620			     rules->policy->start[AA_CLASS_MOUNT],
621			     name);
622	perms = *aa_lookup_perms(rules->policy, state);
623	if (AA_MAY_UMOUNT & ~perms.allow)
624		error = -EACCES;
625
626audit:
627	return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
628			   NULL, 0, NULL,
629			   AA_MAY_UMOUNT, &perms, info, error);
630}
631
632int aa_umount(const struct cred *subj_cred, struct aa_label *label,
633	      struct vfsmount *mnt, int flags)
634{
635	struct aa_profile *profile;
636	char *buffer = NULL;
637	int error;
638	struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
639
640	AA_BUG(!label);
641	AA_BUG(!mnt);
642
643	buffer = aa_get_buffer(false);
644	if (!buffer)
645		return -ENOMEM;
646
647	error = fn_for_each_confined(label, profile,
648			profile_umount(subj_cred, profile, &path, buffer));
649	aa_put_buffer(buffer);
650
651	return error;
652}
653
654/* helper fn for transition on pivotroot
655 *
656 * Returns: label for transition or ERR_PTR. Does not return NULL
657 */
658static struct aa_label *build_pivotroot(const struct cred *subj_cred,
659					struct aa_profile *profile,
660					const struct path *new_path,
661					char *new_buffer,
662					const struct path *old_path,
663					char *old_buffer)
664{
665	struct aa_ruleset *rules = list_first_entry(&profile->rules,
666						    typeof(*rules), list);
667	const char *old_name, *new_name = NULL, *info = NULL;
668	const char *trans_name = NULL;
669	struct aa_perms perms = { };
670	aa_state_t state;
671	int error;
672
673	AA_BUG(!profile);
674	AA_BUG(!new_path);
675	AA_BUG(!old_path);
676
677	if (profile_unconfined(profile) ||
678	    !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
679		return aa_get_newest_label(&profile->label);
680
681	error = aa_path_name(old_path, path_flags(profile, old_path),
682			     old_buffer, &old_name, &info,
683			     profile->disconnected);
684	if (error)
685		goto audit;
686	error = aa_path_name(new_path, path_flags(profile, new_path),
687			     new_buffer, &new_name, &info,
688			     profile->disconnected);
689	if (error)
690		goto audit;
691
692	error = -EACCES;
693	state = aa_dfa_match(rules->policy->dfa,
694			     rules->policy->start[AA_CLASS_MOUNT],
695			     new_name);
696	state = aa_dfa_null_transition(rules->policy->dfa, state);
697	state = aa_dfa_match(rules->policy->dfa, state, old_name);
698	perms = *aa_lookup_perms(rules->policy, state);
699
700	if (AA_MAY_PIVOTROOT & perms.allow)
701		error = 0;
702
703audit:
704	error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name,
705			    old_name,
706			    NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
707			    &perms, info, error);
708	if (error)
709		return ERR_PTR(error);
710
711	return aa_get_newest_label(&profile->label);
712}
713
714int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
715		 const struct path *old_path,
716		 const struct path *new_path)
717{
718	struct aa_profile *profile;
719	struct aa_label *target = NULL;
720	char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
721	int error;
722
723	AA_BUG(!label);
724	AA_BUG(!old_path);
725	AA_BUG(!new_path);
726
727	old_buffer = aa_get_buffer(false);
728	new_buffer = aa_get_buffer(false);
729	error = -ENOMEM;
730	if (!old_buffer || !new_buffer)
731		goto out;
732	target = fn_label_build(label, profile, GFP_KERNEL,
733			build_pivotroot(subj_cred, profile, new_path,
734					new_buffer,
735					old_path, old_buffer));
736	if (!target) {
737		info = "label build failed";
738		error = -ENOMEM;
739		goto fail;
740	} else if (!IS_ERR(target)) {
741		error = aa_replace_current_label(target);
742		if (error) {
743			/* TODO: audit target */
744			aa_put_label(target);
745			goto out;
746		}
747		aa_put_label(target);
748	} else
749		/* already audited error */
750		error = PTR_ERR(target);
751out:
752	aa_put_buffer(old_buffer);
753	aa_put_buffer(new_buffer);
754
755	return error;
756
757fail:
758	/* TODO: add back in auditing of new_name and old_name */
759	error = fn_for_each(label, profile,
760			audit_mount(subj_cred, profile, OP_PIVOTROOT,
761				    NULL /*new_name */,
762				    NULL /* old_name */,
763				    NULL, NULL,
764				    0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
765				    error));
766	goto out;
767}