Comment 1 for bug 1208988

Tyler Hicks (tyhicks) wrote:

Back in the days of AppArmor living out-of-tree, it implemented the inode_permission LSM hook. In the upstreamed version of AppArmor, the inode_permission hook is not implemented. That's why mediation occurred back then but not now.

Back then, nameidata was passed to inode_permission, which allowed AppArmor to get to the dentry and vfsmount. Today, nameidata is gone and only the inode is available in inode_permission, making it difficult to simply reintroduce apparmor_inode_permission().

The unix_stream_connect LSM hook may be viable. Using the sock, we could do something similar to unix_getname() to get a buffer containing the path. However, John says that the path may not be valid for the current namespace.