From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1031166AbXENLge (ORCPT ); Mon, 14 May 2007 07:36:34 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1762440AbXENLcx (ORCPT ); Mon, 14 May 2007 07:32:53 -0400
Received: from 213.210.179.104.adsl.nextra.cz ([213.210.179.104]:27935 "EHLO duck8.pdx.novell.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1758433AbXENLc3 (ORCPT ); Mon, 14 May 2007 07:32:29 -0400
Message-Id: <20070514110652.276911867@suse.de>
References: <20070514110650.866217377@suse.de>
User-Agent: quilt/0.46-14
Date: Mon, 14 May 2007 04:06:54 -0700
From: jjohansen@suse.de
To: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Andreas Gruenbacher
Subject: [RFD Patch 4/4] Pass nameidata2 to permission() from nfsd_permission()
Content-Disposition: inline; filename=nfsd_permission-nameidata.diff
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Construct a nameidata object and pass it down to permission(), so that we can do the proper mount flag checks there. Note that confining nfsd with AppArmor makes no sense, and so this patch is not necessary for AppArmor alone.

Signed-off-by: Andreas Gruenbacher

--- fs/nfsd/vfs.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -1804,6 +1804,7 @@ nfsd_statfs(struct svc_rqst *rqstp, stru __be32 nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc) { + struct nameidata2 nd; struct inode *inode = dentry->d_inode; int err; 
@@ -1869,12 +1870,16 @@ nfsd_permission(struct svc_export *exp, inode->i_uid == current->fsuid) return 0; - err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), NULL); + nd.dentry = dentry; + nd.mnt = exp->ex_mnt; + nd.flags = LOOKUP_ACCESS; + + err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), &nd); /* Allow read access to binaries even when mode 111 */ if (err == -EACCES && S_ISREG(inode->i_mode) && acc == (MAY_READ | MAY_OWNER_OVERRIDE)) - err = permission(inode, MAY_EXEC, NULL); + err = permission(inode, MAY_EXEC, &nd); return err? nfserrno(err) : 0; } --
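Review bot: `struct nameidata2 nd;` in the first hunk (@@ -1804,6 +1804,7 @@) is declared on the stack without an initialiser, and the only members assigned before `&nd` is handed to permission() are `dentry`, `mnt` and `flags`. The definition of struct nameidata2 is not part of this patch, so any further member it has would reach permission(), and any security hook called from there, as uninitialised stack contents. Suggest zeroing the structure at the declaration or with a memset before the three assignments, so that a hook reading another field sees a defined value.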
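Review bot: in the second hunk (@@ -1869,12 +1870,16 @@) the `nd` setup sits after the context lines `inode->i_uid == current->fsuid) return 0;`, so that path returns before either permission() call and never goes through the mount flag checks the commit message wants done there. Please confirm that skipping them for the owner shortcut is intended, and say so in a comment if it is. A one-line comment above `nd.flags = LOOKUP_ACCESS;` explaining why that flag is the right one for an nfsd access check, and that `nd` exists only to carry `exp->ex_mnt` down to permission(), would also help the next reader.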