Construct a nameidata object and pass it down to permission(), so
that we can do the proper mount flag checks there.

Note that confining nfsd with AppArmor makes no sense, and so this
patch is not necessary for AppArmor alone.

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>

---
 fs/nfsd/vfs.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1804,6 +1804,7 @@ nfsd_statfs(struct svc_rqst *rqstp, stru
 __be32
 nfsd_permission(struct svc_export *exp, struct dentry *dentry, int acc)
 {
+	struct nameidata2 nd;
 	struct inode	*inode = dentry->d_inode;
 	int		err;
 
@@ -1869,12 +1870,16 @@ nfsd_permission(struct svc_export *exp, 
 	    inode->i_uid == current->fsuid)
 		return 0;
 
-	err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), NULL);
+	nd.dentry = dentry;
+	nd.mnt = exp->ex_mnt;
+	nd.flags = LOOKUP_ACCESS;
+
+	err = permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC), &nd);
 
 	/* Allow read access to binaries even when mode 111 */
 	if (err == -EACCES && S_ISREG(inode->i_mode) &&
 	    acc == (MAY_READ | MAY_OWNER_OVERRIDE))
-		err = permission(inode, MAY_EXEC, NULL);
+		err = permission(inode, MAY_EXEC, &nd);
 
 	return err? nfserrno(err) : 0;
 }

--