Update permission mapping for changes made to the upstream kernel patch.

The changes are around how user data is handled.

1. permissions are mapped before data is matched
2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions
   which allows data matching to continue.
3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set

This allows better control over matching and auditing of data which can
be binary and should not be matched or audited

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

parser/mount.h

@@ -103,8 +103,10 @@
 #define AA_MAY_PIVOTROOT 1
 #define AA_MAY_MOUNT 2
 #define AA_MAY_UMOUNT 4
-#define AA_DUMMY_REMOUNT 32	/* dummy perm for remount rule - is remapped
+#define AA_MATCH_CONT 0x40
-				 * to a mount option*/
+#define AA_AUDIT_MNT_DATA AA_MATCH_CONT
+#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
+					 * remapped to a mount option*/
 
 
 struct mnt_entry {

parser/parser_regex.c

@@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 
 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
 	    && !entry->device && !entry->dev_type) {
+		int allow;
 		/* remount can't be conditional on device and type */
 		p = mntbuf;
 		/* rule class single byte header */
@@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		vec[3] = flagsbuf;
 		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
 			goto fail;
-		vec[4] = optsbuf;
+
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+		if (entry->opts)
-				       entry->audit, 5, vec, dfaflags))
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
 	    && !entry->dev_type && !entry->opts) {
@@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 	}
 	if ((entry->allow & AA_MAY_MOUNT) &&
 	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
+		int allow;
 		/* generic mount if flags are set that are not covered by
 		 * above commands
 		 */
@@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+
-			goto fail;
+		if (entry->opts)
-		vec[4] = optsbuf;
+			allow = AA_MATCH_CONT;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+		else
-				       entry->audit, 5, vec, dfaflags))
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if (entry->allow & AA_MAY_UMOUNT) {
 		p = mntbuf;