Construct a nameidata object and pass it down to permission(), so
that we can do the proper mount flag checks there.

Note that confining nfsd with AppArmor makes no sense, and so this
patch is not necessary for AppArmor alone.

Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>

---
 fs/nfsd/vfs.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1804,6 +1804,7 @@ nfsd_statfs(struct svc_rqst *rqstp, stru
 __be32
 nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc)
 {
+       struct nameidata2 nd;
        struct inode    *inode = dentry->d_inode;
        int             err;
 
@@ -1869,12 +1870,16 @@ nfsd_permission(struct svc_export *exp, 
            inode->i_uid == current->fsuid)
                return 0;
 
-       err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), NULL);
+       nd.dentry = dentry;
+       nd.mnt = exp->ex_mnt;
+       nd.flags = LOOKUP_ACCESS;
+
+       err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), &nd);
 
        /* Allow read access to binaries even when mode 111 */
        if (err == -EACCES && S_ISREG(inode->i_mode) &&
            acc == (MAY_READ | MAY_OWNER_OVERRIDE))
-               err = permission(inode, MAY_EXEC, NULL);
+               err = permission(inode, MAY_EXEC, &nd);
 
        return err? nfserrno(err) : 0;
 }

-- 
-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to