From: Zhang Tianxing zhangtianxing3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA
--------------------------------
This reverts commit 441a760d555e62b3fc96ba3c8c8ba4c0701a6e23.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Acked-by: Xie XiuQi xiexiuqi@huawei.com Acked-by: Xiu Jianfengxiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- security/integrity/ima/ima.h | 4 ++-- security/integrity/ima/ima_fs.c | 32 +++++--------------------------- 2 files changed, 7 insertions(+), 29 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 59d1afb3934d..b1ab18d88803 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -512,9 +512,9 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
 #endif /* CONFIG_IMA_LSM_RULES */
 #ifdef CONFIG_IMA_READ_POLICY
-#define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR | S_IROTH | S_IWOTH)
+#define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
 #else
-#define POLICY_FILE_FLAGS (S_IWUSR | S_IWOTH)
+#define POLICY_FILE_FLAGS S_IWUSR
 #endif /* CONFIG_IMA_READ_POLICY */
 #endif /* __LINUX_IMA_H */
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index b5d45a67a261..8cba7e1693ce 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -73,18 +73,7 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf,
 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
 }
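Review bot: `POLICY_FILE_FLAGS` carries no comment saying that, with the `S_IROTH`/`S_IWOTH` bits gone, the securityfs mode is the DAC gate on the policy file and that readability exists only under CONFIG_IMA_READ_POLICY; the commit message ("This reverts commit …") gives no rationale either, so the next reader has to reconstruct why world access was dropped. A one-line comment above the `#ifdef`, e.g. `/* securityfs mode of the IMA policy file: owner-writable, owner-readable only with CONFIG_IMA_READ_POLICY */`, would record the intent. The read path in ima_open_data_upload additionally keeps a `capable(CAP_SYS_ADMIN)` check, so the mode and the capability check stack rather than replace each other.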
-static int ima_open_htable_value(struct inode *inode, struct file *file)
-{
- struct ima_namespace *ima_ns = get_current_ns();
-
- if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
- return -EPERM;
-
- return 0;
-}
-
 static const struct file_operations ima_htable_value_ops = {
- .open = ima_open_htable_value,
 .read = ima_show_htable_value,
 .llseek = generic_file_llseek,
 };
@@ -236,11 +225,6 @@ static const struct seq_operations ima_measurments_seqops = {
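Review bot: With `ima_open_htable_value` removed, `ima_htable_value_ops` has no `.open`, so the only access control left on runtime_measurements_count is the securityfs mode set in ima_fs_init (`S_IRUSR | S_IRGRP` in the @@ -630 hunk); the same holds for the measurement-list open handlers in the @@ -236 and @@ -307 hunks once their `ns_capable()` check is gone. That restores the mode-only model, but a uid-0 process that has dropped CAP_SYS_ADMIN (assuming the securityfs entries are root-owned, as is usual) can now read these files where the reverted code returned -EPERM, which is a relaxation the commit message should state. A short comment on the struct, `/* no .open: access to the count is governed by the securityfs mode only */`, would stop the next reader from searching for a missing check.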
 static int ima_measurements_open(struct inode *inode, struct file *file)
 {
- struct ima_namespace *ima_ns = get_current_ns();
-
- if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
- return -EPERM;
-
 return seq_open(file, &ima_measurments_seqops);
 }
@@ -307,11 +291,6 @@ static const struct seq_operations ima_ascii_measurements_seqops = {
 static int ima_ascii_measurements_open(struct inode *inode, struct file *file)
 {
- struct ima_namespace *ima_ns = get_current_ns();
-
- if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
- return -EPERM;
-
 return seq_open(file, &ima_ascii_measurements_seqops);
 }
@@ -528,7 +507,6 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
 const struct seq_operations *seq_ops = NULL;
 enum ima_fs_flags flag = ima_get_dentry_flag(dentry);
 bool read_allowed = false;
- struct ima_namespace *ima_ns = get_current_ns();
 if (dentry == ima_policy) {
 #ifdef CONFIG_IMA_READ_POLICY
@@ -542,10 +520,10 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
 return -EACCES;
 if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 return -EACCES;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
 return seq_open(filp, seq_ops);
 }
- if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
- return -EPERM;
 if (test_and_set_bit(flag, &ima_fs_flags))
 return -EBUSY;
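Review bot: The restored `capable(CAP_SYS_ADMIN)` check on the policy read path has no comment explaining why a capability is required on top of the owner-only `S_IRUSR` mode from `POLICY_FILE_FLAGS`, nor that `capable()` tests the initial user namespace, so CAP_SYS_ADMIN held only inside a child user namespace no longer suffices to read the policy. Removing the `ns_capable()` below the `if (dentry == ima_policy)` block also leaves the upload/write path with no capability check at all, relying on the `S_IWUSR` mode alone; that is the pre-namespace behaviour, but it is the more consequential half of this hunk and deserves a sentence in the commit message. Suggest `/* reading the policy needs CAP_SYS_ADMIN in the initial user namespace, in addition to the owner-only securityfs mode */` above the added check. ima_open_data_upload starts in the previous hunk and ends outside this one.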
@@ -630,21 +608,21 @@ int __init ima_fs_init(void)
 binary_runtime_measurements =
 securityfs_create_file("binary_runtime_measurements",
- S_IRUSR | S_IRGRP | S_IROTH, ima_dir, NULL,
+ S_IRUSR | S_IRGRP, ima_dir, NULL,
 &ima_measurements_ops);
 if (IS_ERR(binary_runtime_measurements))
 goto out;
 ascii_runtime_measurements =
 securityfs_create_file("ascii_runtime_measurements",
- S_IRUSR | S_IRGRP | S_IROTH, ima_dir, NULL,
+ S_IRUSR | S_IRGRP, ima_dir, NULL,
 &ima_ascii_measurements_ops);
 if (IS_ERR(ascii_runtime_measurements))
 goto out;
 runtime_measurements_count =
 securityfs_create_file("runtime_measurements_count",
- S_IRUSR | S_IRGRP | S_IROTH, ima_dir, NULL,
+ S_IRUSR | S_IRGRP, ima_dir, NULL,
 &ima_htable_value_ops);
 if (IS_ERR(runtime_measurements_count))
 goto out;