From: Zhang Tianxing zhangtianxing3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA
--------------------------------
This reverts commit a1f9c162b7fa1a183921a3b4286c74a3c01fc307.
Signed-off-by: Zhang Tianxing zhangtianxing3@huawei.com Acked-by: Xie XiuQi xiexiuqi@huawei.com Acked-by: Xiu Jianfengxiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- include/linux/ima.h | 1 - security/integrity/ima/ima.h | 7 ++----- security/integrity/ima/ima_api.c | 12 +++++------- security/integrity/ima/ima_init.c | 4 +--- security/integrity/ima/ima_main.c | 3 +-- security/integrity/ima/ima_ns.c | 1 - security/integrity/ima/ima_queue.c | 11 ++++------- 7 files changed, 13 insertions(+), 26 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0ab1dbf34c47..d7b2864d7d7c 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -232,7 +232,6 @@ struct ima_namespace {
 bool frozen;
 struct ima_policy_data *policy_data;
 struct integrity_iint_tree *iint_tree;
- struct list_head ns_measurements;
 } __randomize_layout;
 extern struct ima_namespace init_ima_ns;
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index f515a4405641..9086c261f0d7 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -119,7 +119,6 @@ struct ima_template_entry {
 struct ima_queue_entry {
 struct hlist_node hnext; /* place in hash collision list */
 struct list_head later; /* place in ima_measurements list */
- struct list_head ns_later; /* place in ima namespace list */
 struct ima_template_entry *entry;
 };
 extern struct list_head ima_measurements; /* list of all measurements */
@@ -152,8 +151,7 @@ int ima_init(void);
 int ima_fs_init(void);
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 const char *op, struct inode *inode,
- const unsigned char *filename,
- struct ima_namespace *ima_ns);
+ const unsigned char *filename);
 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
 int ima_calc_buffer_hash(const void *buf, loff_t len,
 struct ima_digest_data *hash);
@@ -295,8 +293,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
 struct ima_template_desc *template_desc);
 int ima_store_template(struct ima_template_entry *entry, int violation,
 struct inode *inode, const unsigned char *filename,
- int pcr, struct ima_digest *digest,
- struct ima_namespace *ima_ns);
+ int pcr, struct ima_digest *digest);
 void ima_free_template_entry(struct ima_template_entry *entry);
 const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 6724ee072cd9..2678faaa7a15 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -104,8 +104,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
 int ima_store_template(struct ima_template_entry *entry,
 int violation, struct inode *inode,
 const unsigned char *filename, int pcr,
- struct ima_digest *digest,
- struct ima_namespace *ima_ns)
+ struct ima_digest *digest)
 {
 static const char op[] = "add_template_measure";
 static const char audit_cause[] = "hashing_error";
@@ -135,11 +134,10 @@ int ima_store_template(struct ima_template_entry *entry,
 }
 entry->pcr = pcr;
- result = ima_add_template_entry(entry, violation, op, inode, filename,
- ima_ns);
+ result = ima_add_template_entry(entry, violation, op, inode, filename);
 if (!result && duplicated_entry) {
 result = ima_add_template_entry(duplicated_entry, violation, op,
- inode, filename, ima_ns);
+ inode, filename);
 if (result < 0)
 kfree(duplicated_entry);
 }
@@ -179,7 +177,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 goto err_out;
 }
 result = ima_store_template(entry, violation, inode, filename,
- CONFIG_IMA_MEASURE_PCR_IDX, NULL, ima_ns);
+ CONFIG_IMA_MEASURE_PCR_IDX, NULL);
 if (result < 0)
 ima_free_template_entry(entry);
 err_out:
@@ -366,7 +364,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 }
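Review bot: In the `if (!result && duplicated_entry)` branch the failure path releases the duplicate with plain `kfree(duplicated_entry)`, while the comparable error paths in this patch (ima_add_violation in the next hunk, ima_add_boot_aggregate, process_buffer_measurement) release an unstored entry with `ima_free_template_entry(entry)`. If `duplicated_entry` owns its own template_data buffers that kfree leaks them on every failed second add; if it deliberately shares them with `entry`, a comment such as `/* duplicate shares entry's template_data; free only the shell */` would make the asymmetry visibly intentional. Where `duplicated_entry` is built lies outside this hunk, so I cannot tell which case applies. ima_store_template's body continues beyond the hunk.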
 result = ima_store_template(entry, violation, inode, filename, pcr,
- digest, ima_ns);
+ digest);
 out:
 if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
 iint->flags |= IMA_MEASURED;
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 00c8dfea6ba8..52b675d47177 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -35,7 +35,6 @@ struct ima_namespace init_ima_ns = {
 .frozen = true,
 .policy_data = &init_policy_data,
 .iint_tree = &init_iint_tree,
- .ns_measurements = LIST_HEAD_INIT(init_ima_ns.ns_measurements),
 };
 EXPORT_SYMBOL(init_ima_ns);
@@ -105,8 +104,7 @@ static int __init ima_add_boot_aggregate(void)
 result = ima_store_template(entry, violation, NULL,
 boot_aggregate_name,
- CONFIG_IMA_MEASURE_PCR_IDX, NULL,
- &init_ima_ns);
+ CONFIG_IMA_MEASURE_PCR_IDX, NULL);
 if (result < 0) {
 ima_free_template_entry(entry);
 audit_cause = "store_entry";
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 612c5e29cd85..9da27ab3b360 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1078,8 +1078,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
 goto out;
 }
- ret = ima_store_template(entry, violation, NULL, buf, pcr, NULL,
- ima_ns);
+ ret = ima_store_template(entry, violation, NULL, buf, pcr, NULL);
 if (ret < 0) {
 audit_cause = "store_entry";
 ima_free_template_entry(entry);
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index a6197c708f3a..04aa50473971 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -130,7 +130,6 @@ static struct ima_namespace *clone_ima_ns(struct user_namespace *user_ns,
 rwlock_init(&ns->iint_tree->lock);
 ns->iint_tree->root = RB_ROOT;
- INIT_LIST_HEAD(&ns->ns_measurements);
 INIT_LIST_HEAD(&ns->policy_data->ima_default_rules);
 INIT_LIST_HEAD(&ns->policy_data->ima_policy_rules);
 INIT_LIST_HEAD(&ns->policy_data->ima_temp_rules);
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 673fd95c8d33..c096ef8945c7 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -91,8 +91,7 @@ static int get_binary_runtime_size(struct ima_template_entry *entry)
 * (Called with ima_extend_list_mutex held.)
 */
 static int ima_add_digest_entry(struct ima_template_entry *entry,
- bool update_htable,
- struct ima_namespace *ima_ns)
+ bool update_htable)
 {
 struct ima_queue_entry *qe;
 unsigned int key;
@@ -106,7 +105,6 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,
 INIT_LIST_HEAD(&qe->later);
 list_add_tail_rcu(&qe->later, &ima_measurements);
- list_add_tail_rcu(&qe->ns_later, &ima_ns->ns_measurements);
 atomic_long_inc(&ima_htable.len);
 if (update_htable) {
@@ -160,8 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
 */
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 const char *op, struct inode *inode,
- const unsigned char *filename,
- struct ima_namespace *ima_ns)
+ const unsigned char *filename)
 {
 u8 *digest = entry->digests[ima_hash_algo_idx].digest;
 struct tpm_digest *digests_arg = entry->digests;
@@ -179,7 +176,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 }
 }
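Review bot: Once the `ns_later` link is dropped after `list_add_tail_rcu(&qe->later, &ima_measurements)`, a queue entry is reachable only through the single global list, so any code outside the seven files in the diffstat that still walks `ns_measurements` or touches `qe->ns_later` (a per-namespace runtime-measurements reader, for instance) would fail to build against this revert; the diffstat gives no hint either way, so a grep for both names before merging is cheap insurance. The commit description says only that it reverts a1f9c162b7fa and points at the bugzilla entry; a one-line statement of the defect being undone would let a later bisect understand the change without following the link. ima_add_digest_entry's signature is in the previous hunk and its body continues past this one.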
- result = ima_add_digest_entry(entry, 1, ima_ns);
+ result = ima_add_digest_entry(entry, 1);
 if (result < 0) {
 audit_cause = "ENOMEM";
 audit_info = 0;
@@ -208,7 +205,7 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry)
 int result = 0;
 mutex_lock(&ima_extend_list_mutex);
- result = ima_add_digest_entry(entry, 0, &init_ima_ns);
+ result = ima_add_digest_entry(entry, 0);
 mutex_unlock(&ima_extend_list_mutex);
 return result;
 }