From: Zhang Tianxing zhangtianxing3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA
--------------------------------
This reverts commit e16e05db4747e24f2fc3dd72c8a903819624baec.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Acked-by: Xie XiuQi xiexiuqi@huawei.com Acked-by: Xiu Jianfengxiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- include/linux/ima.h | 1 - security/integrity/ima/ima.h | 2 -- security/integrity/ima/ima_init.c | 1 - security/integrity/ima/ima_ns.c | 30 +-------------------- security/integrity/ima/ima_policy.c | 2 +- security/integrity/ima/ima_template.c | 38 +++++++++------------------ 6 files changed, 15 insertions(+), 59 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 5a2dbd8fab6d..f011c6e6aa86 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -240,7 +240,6 @@ struct ima_namespace {
 #ifdef CONFIG_KEYS
 	struct key_tag *key_domain;
 #endif
-	struct ima_template_desc *ima_template;
 	struct task_struct *activating_tsk; /* used only for the ns activation */
 } __randomize_layout;
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 6ab515592c62..5b1364eb1477 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -172,10 +172,8 @@ int template_desc_init_fields(const char *template_fmt,
 			      const struct ima_template_field ***fields,
 			      int *num_fields);
 struct ima_template_desc *ima_template_desc_current(void);
-struct ima_template_desc *ima_template_desc_ns(struct ima_namespace *ima_ns);
 struct ima_template_desc *lookup_template_desc(const char *name);
 bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
-int ima_template_setup(char *str, struct ima_namespace *ima_ns);
 int ima_restore_measurement_entry(struct ima_template_entry *entry);
 int ima_restore_measurement_list(loff_t bufsize, void *buf);
 int ima_measurements_show(struct seq_file *m, void *v);
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index f4bd3ca98b54..73fb0f0e82c5 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -48,7 +48,6 @@ struct ima_namespace init_ima_ns = {
 #ifdef CONFIG_KEYS
 	.key_domain = &init_ima_key_domain,
 #endif
-	.ima_template = NULL,
 };
 EXPORT_SYMBOL(init_ima_ns);
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index 97185b8ed52c..29a1cbdac40d 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -49,28 +49,6 @@ static void dec_ima_namespaces(struct ucounts *ucounts)
 	return dec_ucount(ucounts, UCOUNT_IMA_NAMESPACES);
 }
-static int ima_set_ns_template(struct ima_namespace *ima_ns)
-{
-	int result;
-
-	if (!ima_ns->ima_template)
-		ima_ns->ima_template =
-			lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
-
-	result = template_desc_init_fields(ima_ns->ima_template->fmt,
-					   &(ima_ns->ima_template->fields),
-					   &(ima_ns->ima_template->num_fields));
-	if (result < 0) {
-		pr_err("template %s init failed, result: %d\n",
-		       (strlen(ima_ns->ima_template->name) ?
-			ima_ns->ima_template->name :
-			ima_ns->ima_template->fmt), result);
-		ima_ns->ima_template = NULL;
-	}
-
-	return result;
-}
-
 static int ima_ns_add_boot_aggregate(struct ima_namespace *ima_ns)
 {
 	static const char op[] = "ns_add_boot_aggregate";
@@ -267,7 +245,6 @@ static struct ima_namespace *clone_ima_ns(struct user_namespace *user_ns,
 #endif
 	ns->x509_path_for_children = NULL;
 	ns->policy_setup_for_children = NULL;
-	ns->ima_template = NULL;
 	INIT_LIST_HEAD(&ns->ns_measurements);
 	INIT_LIST_HEAD(&ns->policy_data->ima_default_rules);
@@ -460,10 +437,6 @@ static int imans_activate(struct ima_namespace *ima_ns)
 	if (ima_ns->frozen)
 		goto out;
-	res = ima_set_ns_template(ima_ns);
-	if (res < 0)
-		goto out;
-
 	ima_set_ns_policy(ima_ns);
 	ima_ns->frozen = true;
@@ -583,11 +556,10 @@ struct ima_kernel_param {
 	int (*set)(char *val, struct ima_namespace *ima_ns);
 };
-/* TODO: add ima_template_fmt, ima_hash, ... */
+/* TODO: add ima_template, ima_template_fmt, ima_hash, ... */
 static const struct ima_kernel_param ima_kernel_params[] = {
 	{"ima_appraise", ima_default_appraise_setup},
 	{"ima_policy", ima_policy_setup},
-	{"ima_template", ima_template_setup},
 };
 static const size_t ima_kernel_params_size = ARRAY_SIZE(ima_kernel_params);
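Review bot: Dropping the `{"ima_template", ima_template_setup}` entry from `ima_kernel_params` means a namespace setup that still passes `ima_template=` is no longer matched by this table, and the updated TODO is the only record of that. The parser that walks `ima_kernel_params` is outside this hunk, so I cannot tell whether an unmatched key is rejected or silently skipped; if it is skipped, a child namespace asking for a specific template would silently fall back to the global one, which is the kind of measurement-policy surprise worth a `pr_warn` at the point of parsing. At minimum, make the TODO say what happens today: `/* TODO: add ima_template, ima_template_fmt, ima_hash, ... (currently only the boot-time global template is honoured) */`.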
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 35ec2c8f2069..42bafb520e4e 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -737,7 +737,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 	bool fail_unverifiable_sigs;
 	if (template_desc)
-		*template_desc = ima_template_desc_ns(ima_ns);
+		*template_desc = ima_template_desc_current();
 	rcu_read_lock();
 	list_for_each_entry_rcu(entry, ima_ns->policy_data->ima_rules, list) {
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index e72497f37bb5..3d6f6e9d530c 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -59,6 +59,8 @@ static const struct ima_template_field supported_fields[] = {
  */
 #define MAX_TEMPLATE_NAME_LEN sizeof("d-ng|n-ng|sig|buf|d-modisg|modsig|ns")
+static struct ima_template_desc *ima_template;
+
 /**
  * ima_template_has_modsig - Check whether template has modsig-related fields.
  * @ima_template: IMA template to check.
@@ -78,12 +80,12 @@ bool ima_template_has_modsig(const struct ima_template_desc *ima_template)
 	return false;
 }
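Review bot: The reintroduced file-scope `static struct ima_template_desc *ima_template;` has no comment, yet after this revert it is the descriptor every IMA namespace's measurement entries are built from — the ima_policy.c hunk makes `ima_match_policy` fetch it through `ima_template_desc_current()` irrespective of `ima_ns`. A reader landing here from the namespace code will otherwise assume it is init-namespace only. Suggest a two-line comment above the declaration stating that it is the system-wide template shared by all IMA namespaces, chosen once at boot by `ima_template=` or `ima_template_fmt=` and otherwise defaulted lazily in `ima_template_desc_current()`.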
-int ima_template_setup(char *str, struct ima_namespace *ima_ns)
+static int __init ima_template_setup(char *str)
 {
 	struct ima_template_desc *template_desc;
 	int template_len = strlen(str);
-	if (ima_ns->ima_template)
+	if (ima_template)
 		return 1;
 	ima_init_template_list();
@@ -109,21 +111,16 @@ int ima_template_setup(char *str, struct ima_namespace *ima_ns)
 		return 1;
 	}
-	ima_ns->ima_template = template_desc;
+	ima_template = template_desc;
 	return 1;
 }
-
-static int __init template_setup(char *str)
-{
-	return ima_template_setup(str, &init_ima_ns);
-}
-__setup("ima_template=", template_setup);
+__setup("ima_template=", ima_template_setup);
 static int __init ima_template_fmt_setup(char *str)
 {
 	int num_templates = ARRAY_SIZE(builtin_templates);
-	if (init_ima_ns.ima_template)
+	if (ima_template)
 		return 1;
 	if (template_desc_init_fields(str, NULL, NULL) < 0) {
@@ -133,7 +130,7 @@ static int __init ima_template_fmt_setup(char *str)
 	}
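Review bot: Both `ima_template_setup` and `ima_template_fmt_setup` now bail out with `return 1;` as soon as the global `ima_template` is non-NULL, so whichever of `ima_template=` and `ima_template_fmt=` is parsed first wins and the other is dropped with no message; an operator who passes both gets no indication of which template is actually recording measurements. That precedence is restored rather than introduced here, but it deserves to be visible: add `/* first of ima_template=/ima_template_fmt= wins; later ones are ignored */` above each `if (ima_template)`. If a diagnostic is wanted, a `pr_info` at those points is cheap, though note that a format-selected template may carry an empty name (the removed ima_ns.c code fell back to `->fmt` for exactly that case), so print the format when the name is empty. `ima_template_fmt_setup` starts inside this hunk but its body continues past it.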
 	builtin_templates[num_templates - 1].fmt = str;
-	init_ima_ns.ima_template = builtin_templates + num_templates - 1;
+	ima_template = builtin_templates + num_templates - 1;
 	return 1;
 }
@@ -250,23 +247,14 @@ void ima_init_template_list(void)
 	spin_unlock(&template_list);
 }
-struct ima_template_desc *ima_template_desc_ns(struct ima_namespace *ima_ns)
+struct ima_template_desc *ima_template_desc_current(void)
 {
-	if (!ima_ns)
-		return NULL;
-
-	if (!ima_ns->ima_template) {
+	if (!ima_template) {
 		ima_init_template_list();
-		ima_ns->ima_template =
-			lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
+		ima_template =
+			lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
 	}
-	return ima_ns->ima_template;
-}
-
-struct ima_template_desc *ima_template_desc_current(void)
-{
-	struct ima_namespace *ima_ns = get_current_ns();
-	return ima_template_desc_ns(ima_ns);
+	return ima_template;
 }
int __init ima_init_template(void)
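Review bot: `ima_template_desc_current()` comes back without a kernel-doc header, and its name now misleads: the removed body resolved `get_current_ns()` before answering, whereas the restored one returns the single file-scope `ima_template`, lazily defaulted to `CONFIG_IMA_DEFAULT_TEMPLATE`, so "current" means the boot-selected template and not the calling namespace's. Suggest a comment above the definition saying it returns the system-wide template used for all measurement entries, that it is not namespace-aware, and that it lazily falls back to the configured default. Separately, the assignment to `ima_template` sits outside the `template_list` lock that `ima_init_template_list()` releases just above (`spin_unlock(&template_list)`); presumably every early caller resolves to the same builtin descriptor so a double store is harmless, but with `ima_match_policy` now reaching this path from any namespace it is worth confirming rather than assuming.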