Back in the days of AppArmor living out-of-tree, it implemented the inode_permission LSM hook. In the upstreamed version of AppArmor, the inode_permission hook is not implemented. That's why mediation occurred back then but not now.
Back then, nameidata was passed to inode_permission, which allowed AppArmor to get to the dentry and vfsmount. Today, nameidata is gone and only the inode is available in inode_permission, making it difficult to simply reintroduce apparmor_inode_permission().
The unix_stream_connect LSM hook may be viable. Using the sock, we could do something similar to unix_getname() to get a buffer containing the path. However, John says that the path may not be valid for the current namespace.