--- /dev/null
+From: John Johansen <jjohansen@suse.de>
+Subject: Call lsm hook before unhashing dentry in vfs_rmdir()
+
+If we unhash the dentry before calling the security_inode_rmdir hook,
+we cannot compute the file's pathname in the hook anymore. AppArmor
+needs to know the filename in order to decide whether a file may be
+deleted, though.
+
+Signed-off-by: John Johansen <jjohansen@suse.de>
+Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
+
+---
+ fs/namei.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2177,6 +2177,10 @@ int vfs_rmdir(struct inode *dir, struct
+ if (!dir->i_op || !dir->i_op->rmdir)
+ return -EPERM;
+
++ error = security_inode_rmdir(dir, dentry, mnt);
++ if (error)
++ return error;
++
+ DQUOT_INIT(dir);
+
+ mutex_lock(&dentry->d_inode->i_mutex);
+@@ -2184,12 +2188,9 @@ int vfs_rmdir(struct inode *dir, struct
+ if (d_mountpoint(dentry))
+ error = -EBUSY;
+ else {
+- error = security_inode_rmdir(dir, dentry, mnt);
+- if (!error) {
+- error = dir->i_op->rmdir(dir, dentry);
+- if (!error)
+- dentry->d_inode->i_flags |= S_DEAD;
+- }
++ error = dir->i_op->rmdir(dir, dentry);
++ if (!error)
++ dentry->d_inode->i_flags |= S_DEAD;
+ }
+ mutex_unlock(&dentry->d_inode->i_mutex);
+ if (!error) {