From: Zhang Tianxing zhangtianxing3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA
--------------------------------
This reverts commit 5622ee15fe4ce66427ae5e4fba87b9aa9673b5dc.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Acked-by: Xie XiuQi xiexiuqi@huawei.com Acked-by: Xiu Jianfengxiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- include/linux/ima.h | 1 - security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 ++-- security/integrity/ima/ima_init.c | 1 - security/integrity/ima/ima_ns.c | 1 - security/integrity/ima/ima_queue.c | 1 + 7 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index cfdd1280daff..12738e37f714 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -234,7 +234,6 @@ struct ima_namespace {
 struct integrity_iint_tree *iint_tree;
 struct list_head ns_measurements;
 atomic_long_t ml_len; /* number of stored measurements in the list */
- atomic_long_t violations;
 } __randomize_layout;
extern struct ima_namespace init_ima_ns;
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index fce3fc065027..59d1afb3934d 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -191,6 +191,7 @@ extern spinlock_t ima_htable_lock;
struct ima_h_table {
 atomic_long_t len; /* number of stored measurements in the list */
+ atomic_long_t violations;
 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
 };
 extern struct ima_h_table ima_htable;
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5921922d6930..6724ee072cd9 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -171,7 +171,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 event_data.ns_id = get_ns_id(ima_ns);
/* can overflow, only indicator */
- atomic_long_inc(&ima_ns->violations);
+ atomic_long_inc(&ima_htable.violations);
result = ima_alloc_init_template(&event_data, &entry, NULL);
 if (result < 0) {
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index bda35e2bb45c..b5d45a67a261 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -61,7 +61,7 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf,
 struct ima_namespace *ima_ns = get_current_ns();
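Review bot: `ima_add_violation()` in security/integrity/ima/ima_api.c now counts violations from every IMA namespace in the one global `ima_htable.violations`, although the context line just above the increment still tags the event with `event_data.ns_id`, so the counter can no longer be attributed to a namespace. If a namespaced workload can provoke violations, it also moves the figure the host reads, which makes the value less useful as a host integrity signal; the commit message does not say why the per-namespace count is being given up. The comment should at least record the new scope, e.g. `/* shared by all IMA namespaces; can overflow, only indicator */`. The function body starts and ends outside the hunk.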
if (filp->f_path.dentry == violations)
- val = &ima_ns->violations;
+ val = &ima_htable.violations;
 else if (filp->f_path.dentry == runtime_measurements_count)
 val = (ima_ns == &init_ima_ns) ? &ima_ml_len : &ima_ns->ml_len;
 #ifdef CONFIG_IMA_DIGEST_LIST
@@ -650,7 +650,7 @@ int __init ima_fs_init(void)
 goto out;
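Review bot: In `ima_show_htable_value()` (security/integrity/ima/ima_fs.c) the `violations` branch now ignores `ima_ns`, while the `runtime_measurements_count` branch directly below still picks the per-namespace `ml_len`, so two files in the same directory report at different scopes. If securityfs is reachable from a non-init IMA namespace, a reader there would presumably get the host-wide violation count; please confirm whether that is intended. The later `ima_fs_init()` hunk drops `S_IROTH` from the file, which limits who can read it but does not address namespace scope. A comment on the branch such as `/* violations are global, not per IMA namespace */` would make the asymmetry explicit. The function continues outside the hunk.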
violations =
- securityfs_create_file("violations", S_IRUSR | S_IRGRP | S_IROTH,
+ securityfs_create_file("violations", S_IRUSR | S_IRGRP,
 ima_dir, NULL, &ima_htable_value_ops);
 if (IS_ERR(violations))
 goto out;
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 923373a12f5c..99b9643e6763 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -37,7 +37,6 @@ struct ima_namespace init_ima_ns = {
 .iint_tree = &init_iint_tree,
 .ns_measurements = LIST_HEAD_INIT(init_ima_ns.ns_measurements),
 .ml_len = ATOMIC_LONG_INIT(0),
- .violations = ATOMIC_LONG_INIT(0),
 };
 EXPORT_SYMBOL(init_ima_ns);
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index 26c9bcd5ff74..2a4b7a23f9a7 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -128,7 +128,6 @@ static struct ima_namespace *clone_ima_ns(struct user_namespace *user_ns,
 ns->ucounts = ucounts;
 ns->frozen = false;
 atomic_long_set(&ns->ml_len, 0);
- atomic_long_set(&ns->violations, 0);
rwlock_init(&ns->iint_tree->lock);
 ns->iint_tree->root = RB_ROOT;
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index e9a88910d726..89b9c3734890 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -38,6 +38,7 @@ DEFINE_SPINLOCK(ima_htable_lock);
 /* key: inode (before secure-hashing a file) */
 struct ima_h_table ima_htable = {
 .len = ATOMIC_LONG_INIT(0),
+ .violations = ATOMIC_LONG_INIT(0),
 .queue[0 ... IMA_MEASURE_HTABLE_SIZE - 1] = HLIST_HEAD_INIT
 };