Encoding of Path information for Mount rules
- AppArmor Technical documentation
Encoding of mount rule paths
AppArmor mount rules are encoded as a set of null-separated tuples: a mount rule is a quad tuple (or a quin tuple when the fs-specific options must also be matched), an umount rule is a single element, and a pivot_root rule has two elements.
Each mount, umount and pivot_root rule in the policydb begins with the mount_class which is defined as 0x07.
#define AA_CLASS_MOUNT 7
The class byte is followed immediately (with no null separator) by the rule's path. Mount, umount and pivot_root rules all follow the class byte with the <mntpnt> match. Mount rules then continue with the <device path> match, the <fstype> match and the <flags> match, which completes the quad tuple. If a match against the fs-specific options is required, a fifth element, the <fs specific options> (data) match, is appended to the quad tuple. Umount rules hang their accept information directly off the <mntpnt> match, while pivot_root rules follow it with an <oldroot> match.
This produces rule paths that look like the following, with the accept information hung off the element shown:

    mount      \x07 <mntpnt> \x00 <device path> \x00 <fstype> \x00 <flags> [ \x00 <fs specific options> ]
                                                                      |                      |
                                                                    accept                 accept

    umount     \x07 <mntpnt>
                       |
                     accept

    pivot_root \x07 <mntpnt> \x00 <oldroot>
                                     |
                                   accept
All the individual match elements except <flags> are standard pattern-match expressions that are restricted so they cannot match \x00 (that is, they match only [^\x00]); a match can therefore never run past a \x00 separator until the mount matcher explicitly transitions between elements. The <flags> element has a special mapping, which is documented in Encoding of the mount flags.
Mount rules use four different accept flags: one each for mount, umount and pivot_root, plus a special flag used for data matches.
#define AA_MAY_PIVOTROOT 1
#define AA_MAY_MOUNT 2
#define AA_MAY_UMOUNT 4
#define AA_MATCH_CONT 0x40
The accept information is hung off the <flags> and <fs specific options> matches. The <fs specific options> element is always optional and is only matched against if the accept flags on the <flags> match contain AA_MATCH_CONT; in that case the mount permission itself is granted by the accept on the <fs specific options> element rather than on <flags>.
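The tuple layout and the AA_MATCH_CONT handling described above, as an added illustration in Python. This is not the apparmor_parser's own code (the parser is C++ and emits these paths into the DFA); it only models the byte layout and the placement of accept flags. Assumptions: the <flags> element is passed in already mapped according to the separate mount-flags encoding, which is not reproduced here; the accept values attached to each element (AA_MATCH_CONT on <flags> followed by AA_MAY_MOUNT on the data element when data is present) follow the description on this page; and the sample rule strings are constructed for the example.

```python
# Added illustration of the mount-rule path encoding. Not AppArmor's parser code.
# The <flags> element is assumed to be pre-encoded by the caller (its mapping is
# documented separately); everything else here follows the layout on this page.

AA_CLASS_MOUNT = 0x07      # class byte that leads every mount-family rule path
AA_MAY_PIVOTROOT = 0x01
AA_MAY_MOUNT = 0x02
AA_MAY_UMOUNT = 0x04
AA_MATCH_CONT = 0x40       # "keep matching": the real accept lives on the next element

SEP = "\x00"


def _check_element(name, value):
    """Every element may only match [^\\x00]; a NUL inside an element would let a
    pattern run across the separator into the next element, so reject it."""
    if SEP in value:
        raise ValueError(f"{name} must not contain \\x00")
    return value


def encode_mount(mntpnt, device, fstype, flags, data=None):
    """Build the quad (or quin, when fs-specific data is matched) mount tuple.

    Returns (path, accepts): accepts maps a 0-based element index to the accept
    flags hung off that element; index 3 is <flags>, index 4 is <fs specific options>.
    """
    elems = [
        _check_element("mntpnt", mntpnt),
        _check_element("device path", device),
        _check_element("fstype", fstype),
        _check_element("flags", flags),   # assumed already mapped per the flags encoding
    ]
    accepts = {}
    if data is None:
        accepts[3] = AA_MAY_MOUNT         # quad tuple: mount granted at <flags>
    else:
        elems.append(_check_element("fs specific options", data))
        accepts[3] = AA_MATCH_CONT        # continue into the fifth element ...
        accepts[4] = AA_MAY_MOUNT         # ... where the mount permission is granted
    return chr(AA_CLASS_MOUNT) + SEP.join(elems), accepts


def encode_umount(mntpnt):
    """Single-element tuple: the accept hangs directly off <mntpnt>."""
    return chr(AA_CLASS_MOUNT) + _check_element("mntpnt", mntpnt), {0: AA_MAY_UMOUNT}


def encode_pivot_root(mntpnt, oldroot):
    """Two-element tuple: <mntpnt> then <oldroot>, with the accept on <oldroot>."""
    elems = [_check_element("mntpnt", mntpnt), _check_element("oldroot", oldroot)]
    return chr(AA_CLASS_MOUNT) + SEP.join(elems), {1: AA_MAY_PIVOTROOT}


def split_rule_path(path):
    """Inverse operation: verify the class byte and split the path into elements."""
    if not path or ord(path[0]) != AA_CLASS_MOUNT:
        raise ValueError("not a mount-class rule path")
    return path[1:].split(SEP)


def matches_continue(accepts, index):
    """True when the matcher must step past element `index` before deciding."""
    return bool(accepts.get(index, 0) & AA_MATCH_CONT)


if __name__ == "__main__":
    # Constructed sample rule: mount with fs-specific data, so a quin tuple results.
    path, acc = encode_mount("/mnt/**", "/dev/sd*", "ext4", "rw", "errors=remount-ro")
    print(path.encode("unicode_escape").decode(), acc)
    print(split_rule_path(path))
```

Note that `split_rule_path` relies on the same invariant the matcher does: because no element may contain \x00, splitting on the separator recovers exactly the elements that were encoded, with the <fs specific options> element present only when the <flags> accept carried AA_MATCH_CONT.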