[apparmor] mount rules
John Johansen
john.johansen at canonical.com
Tue Dec 13 18:23:02 UTC 2011
So the question is basically what should mount rules look like. The mount
command is a mess and has tons of options. Do we want to mimic it, as it's
what people will be used to, or try for something cleaner?
Basically what I have so far is
[audit] [deny] mount [options=<options>] [type=<type>] [(<device>|<src>) ->] [<dest>],
e.g.
mount, #Grant full mount access
mount type=ext3, # allow mounting ext3 filesystems anywhere
mount type={ext*,vfat} /dev/sda2 -> /media/**, # allow mounting /dev/sda2 if it's any ext3 or vfat anywhere in /media/
mount /media/**, # allow mounting anything, anywhere in /media/
mount options={atime,auto} /media/**,
mount /foo/ -> /bar/,
e.g. allow mounting anything unless it is procfs or sysfs:
mount,
deny mount type=procfs,
deny mount type=sysfs,
or the two deny rules could be combined into a single rule
deny mount type={procfs,sysfs},
Assuming this syntax is acceptable, there are still a lot of open questions:
- do we want to cover remounts and moves with these rules, or do we want
a separate flag or rule to indicate what a move can do?
- how do we want to cover umount: anything you can mount you can unmount, or
do we want a separate flag or permission?
- what of options like exec/noexec, ro/rw? Do we want to stick with mount-style
syntax or an AppArmor flags syntax?
E.g.
ro would map to apparmor r,
exec would be apparmor x, noexec would be the rule not having the x
...
- how do we want to express other mount flags?
E.g.
--bind, --rbind, --make-shared, ...
Do we specify them in the same way mount does?
mount --bind /foo/ -> /bar/,
Do we reuse the type field when an fstype can't be specified?
mount type=bind /foo/ -> /bar/,
Do we use an AppArmor-style permission flag?
mount /foo/ -> /bar/ (r,x,bind),
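To make the proposed grammar concrete, here is a toy interpreter for it in Python. It is an added example written for this page, not code from the post or from AppArmor's parser, and it only covers the base syntax sketched above (audit/deny prefixes, options=, type=, src -> dest); the remount/move, umount and bind-flag questions are left open, as they are in the post. Everything it assumes is labelled: `*` stays within one path component while `**` crosses `/`, a rule's `options=` list is treated as the set of options a request may use (the post does not define the semantics), a matching deny rule wins over any allow rule, and a request that matches no rule is denied. The two profiles are constructed samples written in the proposed syntax.

```python
"""Toy interpreter for the mount-rule syntax proposed in the post (illustration only)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class MountRule:
    deny: bool = False
    audit: bool = False
    options: Optional[set] = None   # option names a request may use; None = unconstrained
    fstype: Optional[str] = None    # fstype glob such as "{ext*,vfat}"; None = any type
    src: Optional[str] = None       # device / source glob; None = any
    dest: Optional[str] = None      # mount point glob; None = anywhere


@dataclass
class MountRequest:
    fstype: str = ""
    options: FrozenSet[str] = frozenset()
    src: str = ""
    dest: str = ""


def expand_braces(pattern: str) -> List[str]:
    """Expand {a,b} alternation; recursion combines several groups."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Assumed AppArmor-style globbing: '*' stays inside one path component,
    '**' may cross '/', '?' is a single non-'/' character."""
    regex, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif glob[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif glob[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(glob[i]), i + 1
    return re.compile("^" + regex + "$")


def glob_match(glob: str, value: str) -> bool:
    return any(glob_to_regex(g).match(value) for g in expand_braces(glob))


def parse_rule(line: str) -> MountRule:
    """Parse one line of the form
    [audit] [deny] mount [options=<opts>] [type=<type>] [(<device>|<src>) ->] [<dest>],
    A trailing '#' comment and the closing ',' are stripped first."""
    tokens = line.split("#", 1)[0].strip().rstrip(",").split()
    rule = MountRule()
    while tokens and tokens[0] in ("audit", "deny"):
        setattr(rule, tokens.pop(0), True)
    if not tokens or tokens.pop(0) != "mount":
        raise ValueError(f"not a mount rule: {line!r}")
    while tokens and "=" in tokens[0]:
        key, value = tokens.pop(0).split("=", 1)
        if key == "options":
            rule.options = set(expand_braces(value))
        elif key == "type":
            rule.fstype = value
        else:
            raise ValueError(f"unknown field {key!r} in {line!r}")
    if len(tokens) == 3 and tokens[1] == "->":
        rule.src, rule.dest = tokens[0], tokens[2]
    elif len(tokens) == 1:
        rule.dest = tokens[0]
    elif tokens:
        raise ValueError(f"cannot parse path part of {line!r}")
    return rule


def parse_profile(text: str) -> List[MountRule]:
    return [parse_rule(l) for l in text.splitlines() if l.split("#", 1)[0].strip()]


def rule_matches(rule: MountRule, req: MountRequest) -> bool:
    """Every field the rule specifies must match; unspecified fields match anything."""
    if rule.fstype is not None and not glob_match(rule.fstype, req.fstype):
        return False
    # Assumed semantics: every requested option must be listed in the rule.
    if rule.options is not None and not req.options <= rule.options:
        return False
    if rule.src is not None and not glob_match(rule.src, req.src):
        return False
    if rule.dest is not None and not glob_match(rule.dest, req.dest):
        return False
    return True


def check(rules: List[MountRule], req: MountRequest) -> str:
    """'deny' if any matching rule is a deny rule (deny wins), 'allow' if some
    rule matches, otherwise 'deny' (assumed default deny)."""
    matched = [r for r in rules if rule_matches(r, req)]
    if any(r.deny for r in matched):
        return "deny"
    return "allow" if matched else "deny"


# Constructed sample profiles in the proposed syntax.
PROFILE_DEFAULT_ALLOW = """\
mount,                          # grant full mount access ...
deny mount type={procfs,sysfs}, # ... except for procfs and sysfs
"""
PROFILE_MEDIA = """\
mount type={ext*,vfat} /dev/sda2 -> /media/**,
mount options={ro,nosuid} /mnt/**,
"""

if __name__ == "__main__":
    rules = parse_profile(PROFILE_MEDIA)
    print(check(rules, MountRequest(fstype="ext4", src="/dev/sda2", dest="/media/usb")))
    print(check(rules, MountRequest(fstype="ext4", src="/dev/sda1", dest="/media/usb")))
```

The deny-overrides-allow ordering is what makes the two-rule "mount, / deny mount type={procfs,sysfs}," example in the post work regardless of rule order; with a plain first-match evaluator the blanket `mount,` line would have to come last.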