Add basic mount mediation. That allows controlling based on basic
mount parameters. It does not include special mount parameters for
apparmor, super block labeling, or any triggers for apparmor namespace
parameter modifications on pivot root.

default userspace policy rules have the form of
  MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )

  MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
          [ '->' MOUNTPOINT FILEGLOB ]

  REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
            MOUNTPOINT FILEGLOB

  UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB

  MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
                       MOUNT FSTYPE EXPRESSION ]
		       [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]

  MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )

  MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
                      virtual filesystem types (eg ext4, debugfs, etc)

  MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )

  MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.

  MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
                  'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
		  'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
		  'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
		  'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
		  'unbindable' | 'runbindable' | 'private' | 'rprivate' |
		  'slave' | 'rslave' | 'shared' | 'rshared' |
		  'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
		  'strictatime' | 'nouser' | 'user' )

  MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...

  PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
                    [ NEW ROOT FILEGLOB ]

  SOURCE FILEGLOB = FILEGLOB

  MOUNTPOINT FILEGLOB = FILEGLOB

eg.
  mount,
  mount /dev/foo,
  mount options=ro /dev/foo -> /mnt/,
  mount options in (ro,atime) /dev/foo -> /mnt/,
  mount options=ro options=atime,
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

Add signal mediation where the signal can be mediated based on the
signal, direction, or the label or the peer/target. The signal perms
are verified on a cross check to ensure policy consistency in the case
of incremental policy load/replacement.

The optimization of skipping the cross check when policy is guaranteed
to be consistent (single compile unit) remains to be done.

policy rules have the form of
  SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ]
                [ SIGNAL SET ] [ SIGNAL PEER ]

  SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST

  SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL
                           ACCESS ')'

  SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' |
                    'receive' )

  SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')'

  SIGNAL LIST = Comma or space separated list of SIGNALS

  SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' |
              'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' |
	      'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' |
	      'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' |
	      'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' |
	      'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32'
            )

  SIGNAL PEER = 'peer' '=' AARE

eg.
  signal,                                 # allow all signals
  signal send set=(hup, kill) peer=foo,
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

Reported-by: NDavid Binderman <dcb314@hotmail.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

We accidentally forgot to set the error code on this path.  It means we
return NULL instead of an error pointer.  I looked through a bunch of
callers and I don't think it really causes a big issue, but the
documentation says we're supposed to return error pointers here.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Acked-by: NSerge Hallyn <serge@hallyn.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

verify_header() is currently checking whether interface version is less
than 5 *and* greater than 7, which always evaluates to false. Instead it
should check whether it is less than 5 *or* greater than 7.
Signed-off-by: NChristos Gkekas <chris.gekas@gmail.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

with W=2:

    security/apparmor/policy_unpack.c: In function ‘unpack_trans_table’:
    security/apparmor/policy_unpack.c:469: warning: declaration of ‘pos’ shadows a previous local
    security/apparmor/policy_unpack.c:451: warning: shadowed declaration is here

Rename the old "pos" to "saved_pos" to fix this.

Fixes: 5379a331 ("apparmor: support v7 transition format compatible with label_parse")
Signed-off-by: NGeert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: NSerge Hallyn <serge@hallyn.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Fixes: 8014370f ("apparmor: move path_link mediation to using labels")
Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au>
Acked-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Allow userspace to detect that basic profile policy namespaces are
available.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Update the user interface to support the stacked change_profile transition.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Now that the domain label transition is complete advertise it to
userspace.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

This is a temporary step, towards using the file->ctx for delegation,
and also helps speed up file queries, until the permission lookup
cache is introduced.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The cross check permission helper macros will help simplify code
that does cross task permission checks like ptrace.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Begin moving apparmor to using broader domain labels, that will allow
run time computation of domain type splitting via "stacking" of
profiles into a domain label vec.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Instead of running file revalidation lazily when read/write are called
copy selinux and revalidate the file table on exec. This avoids
extra mediation overhead in read/write and also prevents file handles
being passed through to a grand child unchecked.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Instead of passing multiple booleans consolidate on a single flags
field.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Remove the partially implemented code, until this can be properly
implemented.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The profile names are the same, leverage this.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

There are still a few places where profile replacement fails to update
and a stale profile is used for mediation. Fix this by moving to
accessing the current label through a critical section that will
always ensure mediation is using the current label regardless of
whether the tasks cred has been updated or not.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

There is no reason to have the small stubs that don't use domain
private functions in domain.c, instead move them to lsm.c and make
them static.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The ns name being displayed should go through an ns view lookup.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The data being queried isn't always the current profile and a lookup
relative to the current profile should be done.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The namespace being passed into the replace/remove profiles fns() is
not the view, but the namespace specified by the inode from the
file hook (if present) or the loading tasks ns, if accessing the
top level virtualized load/replace file interface.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>