author:    John Johansen <john.johansen@canonical.com>  2012-05-22 08:22:18 -0700
committer: John Rigby <john.rigby@linaro.org>  2012-06-25 15:02:27 -0600
commit:    ad84502eba74dbc6cf303e812f8c122d91ae3106
tree:      19eab059791ae1a74835e373cc97b5a3b51c714a  /security/apparmor/include/apparmor.h
parent:    721964d7ebe2759d41a7dfe78b1d6effdb1859a7
UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
Add the ability for apparmor to do mediation of mount operations. Mount
rules require an updated apparmor_parser (2.8 series) for policy
compilation.

The basic form of the rules is:

  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
  [audit] [deny] remount [conds]* [path],
  [audit] [deny] umount [conds]* [path],
  [audit] [deny] pivotroot [oldroot=<value>] <path>

  remount is just a short cut for mount options=remount

  where [conds] can be
    fstype=<expr>
    options=<expr>

Example mount commands

  mount,                 # allow all mounts, but not umount or pivotroot
  mount fstype=procfs,   # allow mounting procfs anywhere
  mount options=(bind, ro) /foo -> /bar,   # readonly bind mount
  mount /dev/sda -> /mnt,
  mount /dev/sd** -> /mnt/**,
  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
  umount,
  umount /m*,

See the apparmor userspace for full documentation

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'security/apparmor/include/apparmor.h')
-rw-r--r--  security/apparmor/include/apparmor.h  3
1 file changed, 2 insertions, 1 deletion
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 40aedd9f73e..e243d96ddbd 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -29,8 +29,9 @@
#define AA_CLASS_NET 4
#define AA_CLASS_RLIMITS 5
#define AA_CLASS_DOMAIN 6
+#define AA_CLASS_MOUNT 7
-#define AA_CLASS_LAST AA_CLASS_DOMAIN
+#define AA_CLASS_LAST AA_CLASS_MOUNT
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
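Review bot: moving `AA_CLASS_LAST` from `AA_CLASS_DOMAIN` to `AA_CLASS_MOUNT` changes the size of anything declared in terms of `AA_CLASS_LAST` (per-class tables, audit name lookups), so the rest of this series needs to add a class 7 entry to each such table or the new class will index past initialised data; that is worth confirming in the patches that consume the new value. Since the commit message ties these rules to an updated apparmor_parser (2.8 series), the number 7 is part of the policy encoding shared with userspace, and a short comment beside `+#define AA_CLASS_MOUNT 7` stating that class numbers must stay in sync with the parser would protect future additions from silently renumbering it.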