--- /dev/null
+From: Tony Jones <tonyj@suse.de>
+Subject: Pass struct vfsmount to the inode_setattr LSM hook
+
+This is needed for computing pathnames in the AppArmor LSM.
+
+Signed-off-by: Tony Jones <tonyj@suse.de>
+Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: John Johansen <jjohansen@suse.de>
+
+---
+ fs/attr.c | 4 ++--
+ fs/fat/file.c | 2 +-
+ include/linux/security.h | 10 +++++++---
+ security/capability.c | 3 ++-
+ security/security.c | 5 +++--
+ security/selinux/hooks.c | 5 +++--
+ security/smack/smack_lsm.c | 3 ++-
+ 7 files changed, 20 insertions(+), 12 deletions(-)
+
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -164,13 +164,13 @@ int notify_change(struct dentry *dentry,
+ down_write(&dentry->d_inode->i_alloc_sem);
+
+ if (inode->i_op && inode->i_op->setattr) {
+- error = security_inode_setattr(dentry, attr);
++ error = security_inode_setattr(dentry, mnt, attr);
+ if (!error)
+ error = inode->i_op->setattr(dentry, attr);
+ } else {
+ error = inode_change_ok(inode, attr);
+ if (!error)
+- error = security_inode_setattr(dentry, attr);
++ error = security_inode_setattr(dentry, mnt, attr);
+ if (!error) {
+ if ((ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid) ||
+ (ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid))
+--- a/fs/fat/file.c
++++ b/fs/fat/file.c
+@@ -98,7 +98,7 @@ int fat_generic_ioctl(struct inode *inod
+ * out the RO attribute for checking by the security
+ * module, just because it maps to a file mode.
+ */
+- err = security_inode_setattr(filp->f_path.dentry, &ia);
++ err = security_inode_setattr(filp->f_path.dentry, filp->f_path.mnt, &ia);
+ if (err)
+ goto up;
+
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -412,6 +412,7 @@ static inline void security_free_mnt_opt
+ * file attributes change (such as when a file is truncated, chown/chmod
+ * operations, transferring disk quotas, etc).
+ * @dentry contains the dentry structure for the file.
++ * @mnt is the vfsmount corresponding to @dentry (may be NULL).
+ * @attr is the iattr structure containing the new file attributes.
+ * Return 0 if permission is granted.
+ * @inode_getattr:
+@@ -1371,7 +1372,8 @@ struct security_operations {
+ int (*inode_readlink) (struct dentry *dentry);
+ int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
+ int (*inode_permission) (struct inode *inode, int mask);
+- int (*inode_setattr) (struct dentry *dentry, struct iattr *attr);
++ int (*inode_setattr) (struct dentry *dentry, struct vfsmount *,
++ struct iattr *attr);
+ int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
+ void (*inode_delete) (struct inode *inode);
+ int (*inode_setxattr) (struct dentry *dentry, const char *name,
+@@ -1638,7 +1640,8 @@ int security_inode_rename(struct inode *
+ int security_inode_readlink(struct dentry *dentry);
+ int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
+ int security_inode_permission(struct inode *inode, int mask);
+-int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
++int security_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
++ struct iattr *attr);
+ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
+ void security_inode_delete(struct inode *inode);
+ int security_inode_setxattr(struct dentry *dentry, const char *name,
+@@ -2041,7 +2044,8 @@ static inline int security_inode_permiss
+ }
+
+ static inline int security_inode_setattr(struct dentry *dentry,
+- struct iattr *attr)
++ struct vfsmount *mnt,
++ struct iattr *attr)
+ {
+ return 0;
+ }
+--- a/security/capability.c
++++ b/security/capability.c
+@@ -216,7 +216,8 @@ static int cap_inode_permission(struct i
+ return 0;
+ }
+
+-static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr)
++static int cap_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
++ struct iattr *iattr)
+ {
+ return 0;
+ }
+--- a/security/security.c
++++ b/security/security.c
+@@ -441,11 +441,12 @@ int security_inode_permission(struct ino
+ return security_ops->inode_permission(inode, mask);
+ }
+
+-int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
++int security_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
++ struct iattr *attr)
+ {
+ if (unlikely(IS_PRIVATE(dentry->d_inode)))
+ return 0;
+- return security_ops->inode_setattr(dentry, attr);
++ return security_ops->inode_setattr(dentry, mnt, attr);
+ }
+ EXPORT_SYMBOL_GPL(security_inode_setattr);
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2656,11 +2656,12 @@ static int selinux_inode_permission(stru
+ open_file_mask_to_av(inode->i_mode, mask), NULL);
+ }
+
+-static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
++static int selinux_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
++ struct iattr *iattr)
+ {
+ int rc;
+
+- rc = secondary_ops->inode_setattr(dentry, iattr);
++ rc = secondary_ops->inode_setattr(dentry, mnt, iattr);
+ if (rc)
+ return rc;
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -559,7 +559,8 @@ static int smack_inode_permission(struct
+ *
+ * Returns 0 if access is permitted, an error code otherwise
+ */
+-static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
++static int smack_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
++ struct iattr *iattr)
+ {
+ /*
+ * Need to allow for clearing the setuid bit.