From: Zhang Tianxing zhangtianxing3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA
--------------------------------
This reverts commit 2098d7b55941526b07dedc6b2ad7541b4073d0ff.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Acked-by: Xie XiuQi xiexiuqi@huawei.com Acked-by: Xiu Jianfengxiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- include/linux/ima.h | 6 ++--- kernel/nsproxy.c | 2 +- security/integrity/ima/ima_ns.c | 42 ++++++--------------------------- 3 files changed, 10 insertions(+), 40 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 91c637c943ed..cfdd1280daff 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -246,8 +246,7 @@ struct ima_namespace *copy_ima_ns(unsigned long flags,
void free_ima_ns(struct kref *kref);
-int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk,
- struct user_namespace *user_ns);
+int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk);
static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
 {
@@ -270,8 +269,7 @@ static inline struct ima_namespace *copy_ima_ns(unsigned long flags,
 }
static inline int imans_on_fork(struct nsproxy *nsproxy,
- struct task_struct *tsk,
- struct user_namespace *user_ns)
+ struct task_struct *tsk)
 {
 return 0;
 }
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 277ae1fadafe..22b24123d524 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -204,7 +204,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
 return ret;
 }
- ret = imans_on_fork(new_ns, tsk, user_ns);
+ ret = imans_on_fork(new_ns, tsk);
 if (ret) {
 free_nsproxy(new_ns);
 return ret;
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index ac000920d486..26c9bcd5ff74 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -93,24 +93,6 @@ static void ima_set_ns_policy(struct ima_namespace *ima_ns,
 ima_init_ns_policy(ima_ns, &setup_data);
 }
-static int ima_swap_user_ns(struct ima_namespace *ima_ns,
- struct user_namespace *user_ns)
-{
- struct ucounts *ucounts;
-
- dec_ima_namespaces(ima_ns->ucounts);
- put_user_ns(ima_ns->user_ns);
-
- ucounts = inc_ima_namespaces(user_ns);
- if (!ucounts)
- return -ENOSPC;
-
- ima_ns->user_ns = get_user_ns(user_ns);
- ima_ns->ucounts = ucounts;
-
- return 0;
-}
-
 /**
 * Clone a new ns copying an original ima namespace, setting refcount to 1
 *
@@ -370,33 +352,23 @@ static int imans_install(struct nsset *nsset, struct ns_common *new)
 return res;
 }
-int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk,
- struct user_namespace *user_ns)
+int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk)
 {
 int res;
- struct ima_namespace *ima_ns = nsproxy->ima_ns_for_children;
+ struct ns_common *nsc = &nsproxy->ima_ns_for_children->ns;
+ struct ima_namespace *ns = to_ima_ns(nsc);
/* create_new_namespaces() already incremented the ref counter */
- if (nsproxy->ima_ns == ima_ns)
+ if (nsproxy->ima_ns == nsproxy->ima_ns_for_children)
 return 0;
- /* It's possible that the user first unshares the IMA namespace and
- * then creates a new user namespace on clone3(). In that case swap
- * user namespace for the "current" one.
- */
- if (ima_ns->user_ns != user_ns) {
- res = ima_swap_user_ns(ima_ns, user_ns);
- if (res)
- return res;
- }
-
- res = imans_activate(ima_ns);
+ res = imans_activate(ns);
 if (res)
 return res;
- get_ima_ns(ima_ns);
+ get_ima_ns(ns);
 put_ima_ns(nsproxy->ima_ns);
- nsproxy->ima_ns = ima_ns;
+ nsproxy->ima_ns = ns;
return res;
 }
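Review bot: The restored imans_on_fork() no longer reconciles ima_ns->user_ns with the user namespace the child is being forked into, so the situation the removed comment describes — unshare the IMA namespace, then obtain a new user namespace on clone3() — again leaves the activated IMA namespace pointing at, and its ucounts charged to, the user namespace it was created under. Neither this hunk nor the one-line commit message says which bug the reverted commit introduced or why dropping that handling is acceptable; the description should state it, since the only rationale given is "bugfix". On the new side, `nsc` exists only to be converted straight back with to_ima_ns(), and the early-return test re-reads `nsproxy->ima_ns_for_children` instead of the `ns` derived from it. Assuming to_ima_ns() is the usual container_of() over ns_common, both lines can collapse to `struct ima_namespace *ns = nsproxy->ima_ns_for_children;` and `if (nsproxy->ima_ns == ns)`.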