Patchwork [2/5] UBUNTU: SAUCE: apparmor: Add the ability to mediate mount

login
register
mail settings
Submitter John Johansen
Date May 22, 2012, 3:22 p.m.
Message ID <1337700142-13370-3-git-send-email-john.johansen@canonical.com>
Download mbox | patch
Permalink /patch/160661/
State New
Headers show

Comments

John Johansen - May 22, 2012, 3:22 p.m.
Add the ability for apparmor to do mediation of mount operations. Mount
rules require an updated apparmor_parser (2.8 series) for policy compilation.

The basic form of the rules are.

  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
  [audit] [deny] remount [conds]* [path],
  [audit] [deny] umount [conds]* [path],
  [audit] [deny] pivotroot [oldroot=<value>] <path>

  remount is just a short cut for mount options=remount

  where [conds] can be
    fstype=<expr>
    options=<expr>

Example mount commands
  mount,		# allow all mounts, but not umount or pivotroot

  mount fstype=procfs,  # allow mounting procfs anywhere

  mount options=(bind, ro) /foo -> /bar,  # readonly bind mount

  mount /dev/sda -> /mnt,

  mount /dev/sd** -> /mnt/**,

  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/

  umount,

  umount /m*,

See the apparmor userspace for full documentation

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
---
 security/apparmor/Makefile           |    3 +-
 security/apparmor/apparmorfs.c       |   13 +
 security/apparmor/audit.c            |    4 +
 security/apparmor/domain.c           |    2 +-
 security/apparmor/include/apparmor.h |    3 +-
 security/apparmor/include/audit.h    |   11 +
 security/apparmor/include/domain.h   |    2 +
 security/apparmor/include/mount.h    |   54 +++
 security/apparmor/lsm.c              |   59 ++++
 security/apparmor/mount.c            |  620 ++++++++++++++++++++++++++++++++++
 10 files changed, 767 insertions(+), 4 deletions(-)
 create mode 100644 security/apparmor/include/mount.h
 create mode 100644 security/apparmor/mount.c

Patch

diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 806bd19..f6c51c0 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -4,11 +4,10 @@  obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
 
 apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
-              resource.o sid.o file.o
+              resource.o sid.o file.o mount.o
 
 clean-files := capability_names.h rlim_names.h
 
-
 # Build a lower case string table of capability names
 # Transforms lines from
 #    #define CAP_DAC_OVERRIDE     1
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 89bdc62..fbedacb 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -424,9 +424,22 @@  static struct aa_fs_entry aa_fs_entry_domain[] = {
 	{ }
 };
 
+static struct aa_fs_entry aa_fs_entry_mount[] = {
+	AA_FS_FILE_STRING("mask", "mount umount"),
+	{ }
+};
+
+static struct aa_fs_entry aa_fs_entry_namespaces[] = {
+	AA_FS_FILE_BOOLEAN("profile",		1),
+	AA_FS_FILE_BOOLEAN("pivot_root",	1),
+	{ }
+};
+
 static struct aa_fs_entry aa_fs_entry_features[] = {
 	AA_FS_DIR("domain",			aa_fs_entry_domain),
 	AA_FS_DIR("file",			aa_fs_entry_file),
+	AA_FS_DIR("mount",			aa_fs_entry_mount),
+	AA_FS_DIR("namespaces",			aa_fs_entry_namespaces),
 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
 	{ }
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index cc3520d..b9f5ee9 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -44,6 +44,10 @@  const char *const op_table[] = {
 	"file_mmap",
 	"file_mprotect",
 
+	"pivotroot",
+	"mount",
+	"umount",
+
 	"create",
 	"post_create",
 	"bind",
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b81ea10..afa8671 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -242,7 +242,7 @@  static const char *next_name(int xtype, const char *name)
  *
  * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
  */
-static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
 {
 	struct aa_profile *new_profile = NULL;
 	struct aa_namespace *ns = profile->ns;
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 40aedd9..e243d96 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -29,8 +29,9 @@ 
 #define AA_CLASS_NET		4
 #define AA_CLASS_RLIMITS	5
 #define AA_CLASS_DOMAIN		6
+#define AA_CLASS_MOUNT		7
 
-#define AA_CLASS_LAST		AA_CLASS_DOMAIN
+#define AA_CLASS_LAST		AA_CLASS_MOUNT
 
 /* Control parameters settable through module/boot flags */
 extern enum audit_mode aa_g_audit;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 3868b1e..0a04152 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -73,6 +73,10 @@  enum aa_ops {
 	OP_FMMAP,
 	OP_FMPROT,
 
+	OP_PIVOTROOT,
+	OP_MOUNT,
+	OP_UMOUNT,
+
 	OP_CREATE,
 	OP_POST_CREATE,
 	OP_BIND,
@@ -121,6 +125,13 @@  struct apparmor_audit_data {
 			unsigned long max;
 		} rlim;
 		struct {
+			const char *src_name;
+			const char *type;
+			const char *trans;
+			const char *data;
+			unsigned long flags;
+		} mnt;
+		struct {
 			const char *target;
 			u32 request;
 			u32 denied;
diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index de04464..a3f70c5 100644
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -23,6 +23,8 @@  struct aa_domain {
 	char **table;
 };
 
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex);
+
 int apparmor_bprm_set_creds(struct linux_binprm *bprm);
 int apparmor_bprm_secureexec(struct linux_binprm *bprm);
 void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
new file mode 100644
index 0000000..bc17a53
--- /dev/null
+++ b/security/apparmor/include/mount.h
@@ -0,0 +1,54 @@ 
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor file mediation function definitions.
+ *
+ * Copyright 2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_MOUNT_H
+#define __AA_MOUNT_H
+
+#include <linux/fs.h>
+#include <linux/path.h>
+
+#include "domain.h"
+#include "policy.h"
+
+/* mount perms */
+#define AA_MAY_PIVOTROOT	0x01
+#define AA_MAY_MOUNT		0x02
+#define AA_MAY_UMOUNT		0x04
+#define AA_AUDIT_DATA		0x40
+#define AA_CONT_MATCH		0x40
+
+#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data);
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name, unsigned long flags);
+
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags);
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name);
+
+int aa_new_mount(struct aa_profile *profile, const char *dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data);
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path);
+
+#endif /* __AA_MOUNT_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index ad05d39..4ef0211 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -35,6 +35,7 @@ 
 #include "include/path.h"
 #include "include/policy.h"
 #include "include/procattr.h"
+#include "include/mount.h"
 
 /* Flag indicating whether initialization completed */
 int apparmor_initialized __initdata;
@@ -511,6 +512,60 @@  static int apparmor_file_mprotect(struct vm_area_struct *vma,
 			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 }
 
+static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
+			     unsigned long flags, void *data)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* Discard magic */
+	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
+		flags &= ~MS_MGC_MSK;
+
+	flags &= ~AA_MS_IGNORE_MASK;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile)) {
+		if (flags & MS_REMOUNT)
+			error = aa_remount(profile, path, flags, data);
+		else if (flags & MS_BIND)
+			error = aa_bind_mount(profile, path, dev_name, flags);
+		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
+				  MS_UNBINDABLE))
+			error = aa_mount_change_type(profile, path, flags);
+		else if (flags & MS_MOVE)
+			error = aa_move_mount(profile, path, dev_name);
+		else
+			error = aa_new_mount(profile, dev_name, path, type,
+					     flags, data);
+	}
+	return error;
+}
+
+static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_umount(profile, mnt, flags);
+
+	return error;
+}
+
+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_pivotroot(profile, old_path, new_path);
+
+	return error;
+}
+
 static int apparmor_getprocattr(struct task_struct *task, char *name,
 				char **value)
 {
@@ -630,6 +685,10 @@  static struct security_operations apparmor_ops = {
 	.capget =			apparmor_capget,
 	.capable =			apparmor_capable,
 
+	.sb_mount =			apparmor_sb_mount,
+	.sb_umount =			apparmor_sb_umount,
+	.sb_pivotroot =			apparmor_sb_pivotroot,
+
 	.path_link =			apparmor_path_link,
 	.path_unlink =			apparmor_path_unlink,
 	.path_symlink =			apparmor_path_symlink,
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
new file mode 100644
index 0000000..63d8493
--- /dev/null
+++ b/security/apparmor/mount.c
@@ -0,0 +1,620 @@ 
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor mediation of files
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/domain.h"
+#include "include/file.h"
+#include "include/match.h"
+#include "include/mount.h"
+#include "include/path.h"
+#include "include/policy.h"
+
+
+static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
+{
+	if (flags & MS_RDONLY)
+		audit_log_format(ab, "ro");
+	else
+		audit_log_format(ab, "rw");
+	if (flags & MS_NOSUID)
+		audit_log_format(ab, ", nosuid");
+	if (flags & MS_NODEV)
+		audit_log_format(ab, ", nodev");
+	if (flags & MS_NOEXEC)
+		audit_log_format(ab, ", noexec");
+	if (flags & MS_SYNCHRONOUS)
+		audit_log_format(ab, ", sync");
+	if (flags & MS_REMOUNT)
+		audit_log_format(ab, ", remount");
+	if (flags & MS_MANDLOCK)
+		audit_log_format(ab, ", mand");
+	if (flags & MS_DIRSYNC)
+		audit_log_format(ab, ", dirsync");
+	if (flags & MS_NOATIME)
+		audit_log_format(ab, ", noatime");
+	if (flags & MS_NODIRATIME)
+		audit_log_format(ab, ", nodiratime");
+	if (flags & MS_BIND)
+		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
+	if (flags & MS_MOVE)
+		audit_log_format(ab, ", move");
+	if (flags & MS_SILENT)
+		audit_log_format(ab, ", silent");
+	if (flags & MS_POSIXACL)
+		audit_log_format(ab, ", acl");
+	if (flags & MS_UNBINDABLE)
+		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
+				 ", unbindable");
+	if (flags & MS_PRIVATE)
+		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
+				 ", private");
+	if (flags & MS_SLAVE)
+		audit_log_format(ab, flags & MS_REC ? ", rslave" :
+				 ", slave");
+	if (flags & MS_SHARED)
+		audit_log_format(ab, flags & MS_REC ? ", rshared" :
+				 ", shared");
+	if (flags & MS_RELATIME)
+		audit_log_format(ab, ", relatime");
+	if (flags & MS_I_VERSION)
+		audit_log_format(ab, ", iversion");
+	if (flags & MS_STRICTATIME)
+		audit_log_format(ab, ", strictatime");
+	if (flags & MS_NOUSER)
+		audit_log_format(ab, ", nouser");
+}
+
+/**
+ * audit_cb - call back for mount specific audit fields
+ * @ab: audit_buffer  (NOT NULL)
+ * @va: audit struct to audit values of  (NOT NULL)
+ */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	if (sa->aad->mnt.type) {
+		audit_log_format(ab, " fstype=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.type);
+	}
+	if (sa->aad->mnt.src_name) {
+		audit_log_format(ab, " srcname=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.src_name);
+	}
+	if (sa->aad->mnt.trans) {
+		audit_log_format(ab, " trans=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.trans);
+	}
+	if (sa->aad->mnt.flags || sa->aad->op == OP_MOUNT) {
+		audit_log_format(ab, " flags=\"");
+		audit_mnt_flags(ab, sa->aad->mnt.flags);
+		audit_log_format(ab, "\"");
+	}
+	if (sa->aad->mnt.data) {
+		audit_log_format(ab, " options=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.data);
+	}
+}
+
+/**
+ * audit_mount - handle the auditing of mount operations
+ * @profile: the profile being enforced  (NOT NULL)
+ * @gfp: allocation flags
+ * @op: operation being mediated (NOT NULL)
+ * @name: name of object being mediated (MAYBE NULL)
+ * @src_name: src_name of object being mediated (MAYBE_NULL)
+ * @type: type of filesystem (MAYBE_NULL)
+ * @trans: name of trans (MAYBE NULL)
+ * @flags: filesystem idependent mount flags
+ * @data: filesystem mount flags
+ * @request: permissions requested
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @info: extra information message (MAYBE NULL)
+ * @error: 0 if operation allowed else failure error code
+ *
+ * Returns: %0 or error on failure
+ */
+static int audit_mount(struct aa_profile *profile, gfp_t gfp, int op,
+		       const char *name, const char *src_name,
+		       const char *type, const char *trans,
+		       unsigned long flags, const void *data, u32 request,
+		       struct file_perms *perms, const char *info, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	struct apparmor_audit_data aad = { };
+
+	if (likely(!error)) {
+		u32 mask = perms->audit;
+
+		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
+			mask = 0xffff;
+
+		/* mask off perms that are not being force audited */
+		request &= mask;
+
+		if (likely(!request))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		/* only report permissions that were denied */
+		request = request & ~perms->allow;
+
+		if (request & perms->kill)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		/* quiet known rejects, assumes quiet and kill do not overlap */
+		if ((request & perms->quiet) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			request &= ~perms->quiet;
+
+		if (!request)
+			return COMPLAIN_MODE(profile) ?
+				complain_error(error) : error;
+	}
+
+	COMMON_AUDIT_DATA_INIT(&sa, NONE);
+	sa.aad = &aad;
+	sa.aad->op = op;
+	sa.aad->name = name;
+	sa.aad->mnt.src_name = src_name;
+	sa.aad->mnt.type = type;
+	sa.aad->mnt.trans = trans;
+	sa.aad->mnt.flags = flags;
+	if (data && (perms->audit & AA_AUDIT_DATA))
+		sa.aad->mnt.data = data;
+	sa.aad->info = info;
+	sa.aad->error = error;
+
+	return aa_audit(audit_type, profile, gfp, &sa, audit_cb);
+}
+
+/**
+ * match_mnt_flags - Do an ordered match on mount flags
+ * @dfa: dfa to match against
+ * @state: state to start in
+ * @flags: mount flags to match against
+ *
+ * Mount flags are encoded as an ordered match. This is done instead of
+ * checking against a simple bitmask, to allow for logical operations
+ * on the flags.
+ *
+ * Returns: next state after flags match
+ */
+static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+				    unsigned long flags)
+{
+	unsigned int i;
+
+	for (i = 0; i <= 31 ; ++i) {
+		if ((1 << i) & flags)
+			state = aa_dfa_next(dfa, state, i + 1);
+	}
+
+	return state;
+}
+
+/**
+ * compute_mnt_perms - compute mount permission associated with @state
+ * @dfa: dfa to match against (NOT NULL)
+ * @state: state match finished in
+ *
+ * Returns: mount permissions
+ */
+static struct file_perms compute_mnt_perms(struct aa_dfa *dfa,
+					   unsigned int state)
+{
+	struct file_perms perms;
+
+	perms.kill = 0;
+	perms.allow = dfa_user_allow(dfa, state);
+	perms.audit = dfa_user_audit(dfa, state);
+	perms.quiet = dfa_user_quiet(dfa, state);
+	perms.xindex = dfa_user_xindex(dfa, state);
+
+	return perms;
+}
+
+static const char const *mnt_info_table[] = {
+	"match succeeded",
+	"failed mntpnt match",
+	"failed srcname match",
+	"failed type match",
+	"failed flags match",
+	"failed data match"
+};
+
+/*
+ * Returns 0 on success else element that match failed in, this is the
+ * index into the mnt_info_table above
+ */
+static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
+			const char *mntpnt, const char *devname,
+			const char *type, unsigned long flags,
+			void *data, bool binary, struct file_perms *perms)
+{
+	unsigned int state;
+
+	state = aa_dfa_match(dfa, start, mntpnt);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 1;
+
+	if (devname)
+		state = aa_dfa_match(dfa, state, devname);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 2;
+
+	if (type)
+		state = aa_dfa_match(dfa, state, type);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 3;
+
+	state = match_mnt_flags(dfa, state, flags);
+	if (!state)
+		return 4;
+	*perms = compute_mnt_perms(dfa, state);
+	if (perms->allow & AA_MAY_MOUNT)
+		return 0;
+
+	/* only match data if not binary and the DFA flags data is expected */
+	if (data && !binary && (perms->allow & AA_CONT_MATCH)) {
+		state = aa_dfa_null_transition(dfa, state);
+		if (!state)
+			return 4;
+
+		state = aa_dfa_match(dfa, state, data);
+		if (!state)
+			return 5;
+		*perms = compute_mnt_perms(dfa, state);
+		if (perms->allow & AA_MAY_MOUNT)
+			return 0;
+	}
+
+	/* failed at end of flags match */
+	return 4;
+}
+
+/**
+ * match_mnt - handle path matching for mount
+ * @profile: the confining profile
+ * @mntpnt: string for the mntpnt (NOT NULL)
+ * @devname: string for the devname/src_name (MAYBE NULL)
+ * @type: string for the dev type (MAYBE NULL)
+ * @flags: mount flags to match
+ * @data: fs mount data (MAYBE NULL)
+ * @binary: whether @data is binary
+ * @perms: Returns: permission found by the match
+ * @info: Returns: infomation string about the match for logging
+ *
+ * Returns: 0 on success else error
+ */
+static int match_mnt(struct aa_profile *profile, const char *mntpnt,
+		     const char *devname, const char *type,
+		     unsigned long flags, void *data, bool binary,
+		     struct file_perms *perms, const char **info)
+{
+	int pos;
+
+	if (!profile->policy.dfa)
+		return -EACCES;
+
+	pos = do_match_mnt(profile->policy.dfa,
+			   profile->policy.start[AA_CLASS_MOUNT],
+			   mntpnt, devname, type, flags, data, binary, perms);
+	if (pos) {
+		*info = mnt_info_table[pos];
+		return -EACCES;
+	}
+
+	return 0;
+}
+
+static int path_flags(struct aa_profile *profile, struct path *path)
+{
+	return profile->path_flags |
+		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
+}
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data)
+{
+	struct file_perms perms = { };
+	const char *name, *info = NULL;
+	char *buffer = NULL;
+	int binary, error;
+
+	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *dev_name, unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!dev_name || !*dev_name)
+		return -EINVAL;
+
+	flags &= MS_REC | MS_BIND;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, flags, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, flags, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	/* These are the flags allowed by do_change_type() */
+	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
+		  MS_UNBINDABLE);
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, NULL, 0, &perms,
+			  &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, NULL, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *orig_name)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!orig_name || !*orig_name)
+		return -EINVAL;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, MS_MOVE, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, MS_MOVE, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *dev_buffer = NULL;
+	const char *name = NULL, *dev_name = NULL, *info = NULL;
+	int binary = 1;
+	int error;
+
+	dev_name = orig_dev_name;
+	if (type) {
+		int requires_dev;
+		struct file_system_type *fstype = get_fs_type(type);
+		if (!fstype)
+			return -ENODEV;
+
+		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
+		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
+		put_filesystem(fstype);
+
+		if (requires_dev) {
+			struct path dev_path;
+
+			if (!dev_name || !*dev_name) {
+				error = -ENOENT;
+				goto out;
+			}
+
+			error = kern_path(dev_name, LOOKUP_FOLLOW, &dev_path);
+			if (error)
+				goto audit;
+
+			error = aa_path_name(&dev_path,
+					     path_flags(profile, &dev_path),
+					     &dev_buffer, &dev_name, &info);
+			path_put(&dev_path);
+			if (error)
+				goto audit;
+		}
+	}
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, dev_name, type, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name,  dev_name,
+			    type, NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+	kfree(dev_buffer);
+
+out:
+	return error;
+
+}
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	struct path path = { mnt, mnt->mnt_root };
+	error = aa_path_name(&path, path_flags(profile, &path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	if (!error && profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_UMOUNT & ~perms.allow)
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_UMOUNT, name, NULL, NULL,
+			    NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path)
+{
+	struct file_perms perms = { };
+	struct aa_profile *target = NULL;
+	char *old_buffer = NULL, *new_buffer = NULL;
+	const char *old_name, *new_name = NULL, *info = NULL;
+	int error;
+
+	error = aa_path_name(old_path, path_flags(profile, old_path),
+			     &old_buffer, &old_name, &info);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(new_path, path_flags(profile, new_path),
+			     &new_buffer, &new_name, &info);
+	if (error)
+		goto audit;
+
+	if (profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     new_name);
+		state = aa_dfa_null_transition(profile->policy.dfa, state);
+		state = aa_dfa_match(profile->policy.dfa, state, old_name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_PIVOTROOT & perms.allow) {
+		if ((perms.xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
+			target = x_table_lookup(profile, perms.xindex);
+			if (!target)
+				error = -ENOENT;
+			else
+				error = aa_replace_current_profile(target);
+		}
+	} else
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_PIVOTROOT, new_name,
+			    old_name, NULL, target ? target->base.name : NULL,
+			    0, NULL,  AA_MAY_PIVOTROOT, &perms, info, error);
+	aa_put_profile(target);
+	kfree(old_buffer);
+	kfree(new_buffer);
+
+	return error;
+}