AppArmor mount rules are encoded into a set of null-separated tuples:
mount rules are four- or five-element (quad or quin) tuples, umount
rules have a single element, and pivot_root rules have two elements.
Each mount, umount and pivot_root rule in the policydb begins with
the mount_class which is defined as 0x07.
#define AA_CLASS_MOUNT 7
The class byte is followed immediately (no null separation) by the
rule's path. Mount, umount and pivot_root rules all follow the class
with the <mntpnt> match. Mount rules then follow that with the device
path match, the type match, and the mount flags match, finishing off
the quad tuple. If a match against the fs specific options is required,
a fifth element for the data match portion is appended to the quad
tuple. Umount rules hang their accept information off of the <mntpnt>
match, while pivot_root rules follow it with an <oldroot> match.
All the individual match elements except <flags> are standard pattern
match expressions that are restricted to matching [^\x00], so that
a match can never pass the \x00 separator until the mount matcher
explicitly transitions between the elements. The <flags> element
has a special mapping that is documented in Encoding of the mount
Mount rules use 4 different flags: one each for mount, umount,
and pivot_root, plus a special flag defined for data matches.
The accept flag is hung off of the <flags> and <fs specific options>
matches. The <fs specific options> element is always optional and
will only be matched against if the accept flags on the <flags>
match contain the AA_MATCH_CONT flag.
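The tuple layout and the AA_MATCH_CONT continuation described above, modelled in C as an added example (not AppArmor parser or kernel code). The real policydb compiles these tuples into a DFA; this model keeps the lookup key as a flat byte string and matches each element with fnmatch(). Assumptions: EX_MAY_MOUNT, both bit values, struct mount_rule, build_key, match_key, and treating <flags> as an opaque token.

```c
#include <fnmatch.h>
#include <string.h>

#define AA_CLASS_MOUNT 7      /* from the page */
#define EX_MAY_MOUNT   0x02u  /* hypothetical name and value */
#define AA_MATCH_CONT  0x40u  /* name from the page, value constructed */

struct mount_rule {
    const char *pat[5];       /* mntpnt, device, type, flags, data (or NULL) */
    unsigned flags_accept;    /* accept flags hung off the <flags> match */
    unsigned data_accept;     /* accept flags hung off the data match */
};

/* Class byte, then n elements each ended by \0. Returns bytes written, 0 if too big. */
size_t build_key(char *buf, size_t cap, const char *const el[], size_t n)
{
    size_t len = 0;
    if (cap < 1) return 0;
    buf[len++] = AA_CLASS_MOUNT;              /* path follows with no separator */
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(el[i]) + 1;         /* element plus its \0 */
        if (l > cap - len) return 0;
        memcpy(buf + len, el[i], l);
        len += l;
    }
    return len;
}

/* 0 = allowed, -1 = malformed key, 1..5 = element that failed, 6 = no permission. */
int match_key(const struct mount_rule *r, const char *key, size_t len)
{
    const char *p = key + 1, *end = key + len;
    if (len < 2 || key[0] != AA_CLASS_MOUNT || key[len - 1] != '\0') return -1;
    for (int i = 0; i < 4; i++) {             /* the quad tuple */
        if (p >= end || fnmatch(r->pat[i], p, 0)) return i + 1;
        p += strlen(p) + 1;                   /* explicit step over the \0 */
    }
    if (r->flags_accept & EX_MAY_MOUNT) return 0;
    if (r->pat[4] && (r->flags_accept & AA_MATCH_CONT)) {
        if (p >= end || fnmatch(r->pat[4], p, 0)) return 5;
        if (r->data_accept & EX_MAY_MOUNT) return 0;
    }
    return 6;
}
```

Because each fnmatch() call stops at the element's \0, a wildcard in one pattern cannot absorb the separator or the next element; only the `p += strlen(p) + 1` step moves the matcher forward.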