mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-06 09:21:00 +01:00
45 lines
1.4 KiB
Diff
45 lines
1.4 KiB
Diff
From: Andreas Gruenbacher <agruen@suse.de>
|
|
Subject: Pass nameidata2 to permission() from nfsd_permission()
|
|
|
|
Construct a nameidata object and pass it down to permission(), so
|
|
that we can do the proper mount flag checks there.
|
|
|
|
Note that confining nfsd with AppArmor makes no sense, and so this
|
|
patch is not necessary for AppArmor alone.
|
|
|
|
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
|
|
Signed-off-by: John Johansen <jjohansen@suse.de>
|
|
|
|
---
|
|
fs/nfsd/vfs.c | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
--- a/fs/nfsd/vfs.c
|
|
+++ b/fs/nfsd/vfs.c
|
|
@@ -1804,6 +1804,7 @@ nfsd_statfs(struct svc_rqst *rqstp, stru
|
|
__be32
|
|
nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc)
|
|
{
|
|
+ struct nameidata2 nd;
|
|
struct inode *inode = dentry->d_inode;
|
|
int err;
|
|
|
|
@@ -1869,12 +1870,16 @@ nfsd_permission(struct svc_export *exp,
|
|
inode->i_uid == current->fsuid)
|
|
return 0;
|
|
|
|
- err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), NULL);
|
|
+ nd.dentry = dentry;
|
|
+ nd.mnt = exp->ex_mnt;
|
|
+ nd.flags = LOOKUP_ACCESS;
|
|
+
|
|
+ err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), &nd);
|
|
|
|
/* Allow read access to binaries even when mode 111 */
|
|
if (err == -EACCES && S_ISREG(inode->i_mode) &&
|
|
acc == (MAY_READ | MAY_OWNER_OVERRIDE))
|
|
- err = permission(inode, MAY_EXEC, NULL);
|
|
+ err = permission(inode, MAY_EXEC, &nd);
|
|
|
|
return err? nfserrno(err) : 0;
|
|
}
|