From: Jeff Mahoney
Subject: [PATCH] apparmor: convert apparmor_inode_permission to path patches.apparmor/add-security_path_permission added the ->path_permission call. This patch converts apparmor_inode_permission to apparmor_path_permission. The former is now a pass-all, which is how it behaved in 2.6.26 if a NULL nameidata was passed.
Signed-off-by: Jeff Mahoney
---
 security/apparmor/lsm.c | 41 +++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 14 deletions(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -448,21 +448,9 @@ out:
 return error;
 }
 
-static int apparmor_inode_permission(struct inode *inode, int mask,
- struct nameidata *nd)
+static int apparmor_inode_permission(struct inode *inode, int mask)
 {
- int check = 0;
-
- if (!nd || nd->flags & (LOOKUP_PARENT | LOOKUP_CONTINUE))
- return 0;
- mask = aa_mask_permissions(mask);
- if (S_ISDIR(inode->i_mode)) {
- check |= AA_CHECK_DIR;
- /* allow traverse accesses to directories */
- mask &= ~MAY_EXEC;
- }
- return aa_permission("inode_permission", inode, nd->dentry, nd->mnt,
- mask, check);
+ return 0;
 }
 
 static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
@@ -656,6 +644,29 @@ static int apparmor_file_mprotect(struct
 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 }
 
+static int apparmor_path_permission(struct path *path, int mask)
+{
+ struct inode *inode;
+ int check = 0;
+
+ if (!path)
+ return 0;
+
+ inode = path->dentry->d_inode;
+
+ mask = aa_mask_permissions(mask);
+ if (S_ISDIR(inode->i_mode)) {
+ check |= AA_CHECK_DIR;
+ /* allow traverse accesses to directories */
+ mask &= ~MAY_EXEC;
+ if (!mask)
+ return 0;
+ }
+
+ return aa_permission("inode_permission", inode, path->dentry,
+ path->mnt, mask, check);
+}
+
 static int apparmor_task_alloc_security(struct task_struct *task)
 {
 return aa_clone(task);
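Review bot: The stubbed `apparmor_inode_permission` now allows every request and carries no comment saying why, so anyone auditing lsm.c without the commit message sees an LSM hook that fails open. A comment above `return 0;` would record the intent, for example `/* mediation moved to apparmor_path_permission(); callers that reach this hook without a path are not checked */`. If the `.inode_permission` entry in `apparmor_ops` survives only to point at this stub, removing the entry and the function would make the unmediated path explicit; that entry is outside the hunks shown, so this is unverified.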
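Review bot: `apparmor_path_permission` checks only `path` for NULL before reading `path->dentry->d_inode->i_mode`, so a negative dentry (NULL `d_inode`) handed to the hook would oops in `S_ISDIR(inode->i_mode)`; whether the callers added by patches.apparmor/add-security_path_permission can pass one is not visible here. If they can, the guard should read `if (!path || !path->dentry || !path->dentry->d_inode) return 0;`, and the allow-on-NULL result deserves a comment because it is fail-open for a mediation hook. The old `LOOKUP_PARENT | LOOKUP_CONTINUE` filter has no counterpart in the new hook; the added `if (!mask) return 0;` looks like its replacement for pure directory traversal, and a one-line comment saying so would help. The operation string passed to `aa_permission` is still `"inode_permission"`, so audit records will keep naming the old hook, which is worth keeping only if log compatibility is intended.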
@@ -800,6 +811,8 @@ struct security_operations apparmor_ops
 .file_mprotect = apparmor_file_mprotect,
 .file_lock = apparmor_file_lock,
 
+ .path_permission = apparmor_path_permission,
+
 .task_alloc_security = apparmor_task_alloc_security,
 .task_free_security = apparmor_task_free_security,
 .task_post_setuid = cap_task_post_setuid,