Revert "ima: Add a reader counter to the integrity inode data"

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit b80cb82f. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Revert "ima: Add a reader counter to the integrity inode data"
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit b80cb82f. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
0293915e · Zhang Tianxing · Zheng Zengkai · 61443376 · 0293915e · 0293915e
隐藏空白更改
内联并排

Showing with 21 addition and 72 deletion

security/integrity/ima/ima_main.c security/integrity/ima/ima_main.c +21 -54

security/integrity/integrity.h security/integrity/integrity.h +0 -18

未找到文件。
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -30,11 +30,6 @@
 #include "ima.h"
 #include "ima_digest_list.h"
-struct ima_file_data {
-	struct ima_namespace *ima_ns;
-	bool is_readcount;
-};
 int ima_hash_algo = HASH_ALGO_SHA1;
 /* Actions (measure/appraisal) for which digest lists can be used */
@@ -136,8 +131,8 @@ static void ima_rdwr_violation_check(struct file *file,
 				iint = integrity_iint_rb_find(ima_ns->iint_tree,
 							      inode);
 			/* IMA_MEASURE is set from reader side */
-			if (iint && atomic_read(&iint->readcount) &&
+			if (iint && test_bit(IMA_MUST_MEASURE,
-			    test_bit(IMA_MUST_MEASURE, &iint->atomic_flags))
+						&iint->atomic_flags))
 				send_tomtou = true;
 		}
 	} else {
@@ -245,7 +240,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 {
 	fmode_t mode = file->f_mode;
 	bool update;
-	struct ima_file_data *f_data = (struct ima_file_data *)file->f_ima;
+	struct ima_namespace *ima_ns = (struct ima_namespace *)file->f_ima;
 	if (!(mode & FMODE_WRITE))
 		return;
@@ -260,7 +255,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
 			iint->measured_pcrs = 0;
-			ima_check_active_ns(f_data->ima_ns, inode);
+			ima_check_active_ns(ima_ns, inode);
 			if (update)
 				ima_update_xattr(iint, file);
@@ -281,8 +276,6 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 */
 int ima_file_alloc(struct file *file)
 {
-	struct ima_file_data *f_data;
 	/* It is possible that ima_file_alloc() is called after
 	 * exit_task_namespaces(), when IMA does the last writer check from
 	 * __fput(). In that case it's not necessary to store the namespace
@@ -290,16 +283,8 @@ int ima_file_alloc(struct file *file)
 	if (!current->nsproxy)
 		return 0;
-	f_data = kmalloc(sizeof(struct ima_file_data), GFP_KERNEL);
+	file->f_ima = get_current_ns();
-	if (!f_data)
+	get_ima_ns((struct ima_namespace *)file->f_ima);
-		return -ENOMEM;
-	f_data->ima_ns = get_current_ns();
-	f_data->is_readcount = false;
-	get_ima_ns(f_data->ima_ns);
-	file->f_ima = f_data;
 	return 0;
 }
@@ -313,36 +298,30 @@ void ima_file_free(struct file *file)
 {
 	struct inode *inode = file_inode(file);
 	struct integrity_iint_cache *iint;
-	struct ima_file_data *f_data = (struct ima_file_data *)file->f_ima;
+	struct ima_namespace *ima_ns = (struct ima_namespace *)file->f_ima;
-	if (!f_data)
+	if (!ima_ns)
 		return;
 	if (unlikely(!(file->f_mode & FMODE_OPENED)))
 		goto out;
-	if (!f_data->ima_ns->policy_data->ima_policy_flag ||
+	if (!ima_ns->policy_data->ima_policy_flag || !S_ISREG(inode->i_mode))
-	    !S_ISREG(inode->i_mode))
 		goto out;
-	iint = integrity_iint_rb_find(f_data->ima_ns->iint_tree, inode);
+	iint = integrity_iint_rb_find(ima_ns->iint_tree, inode);
 	if (!iint)
 		goto out;
 	ima_check_last_writer(iint, inode, file);
-	if (f_data->is_readcount)
-		iint_readcount_dec(iint);
 out:
-	put_ima_ns(f_data->ima_ns);
+	put_ima_ns(ima_ns);
-	kfree(f_data);
 }
 static int process_ns_measurement(struct file *file, const struct cred *cred,
 				  u32 secid, char *buf, loff_t size, int mask,
 				  enum ima_hooks func,
-				  struct ima_namespace *ima_ns,
+				  struct ima_namespace *ima_ns)
-				  bool readcount_open)
 {
 	struct inode *inode = file_inode(file);
 	struct integrity_iint_cache *iint = NULL;
@@ -363,12 +342,6 @@ static int process_ns_measurement(struct file *file, const struct cred *cred,
 	if (!ima_ns->policy_data->ima_policy_flag)
 		return 0;
-	if (ima_ns != current_ima_ns) {
-		iint = integrity_iint_rb_find(ima_ns->iint_tree, inode);
-		if (!iint)
-			return 0;
-	}
 	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
 	 * bitmask based on the appraise/audit/measurement policy.
 	 * Included is the appraise submask.
@@ -389,18 +362,12 @@ static int process_ns_measurement(struct file *file, const struct cred *cred,
 	inode_lock(inode);
-	if (action && !iint) {
+	if (action) {
 		iint = integrity_inode_rb_get(ima_ns->iint_tree, inode);
 		if (!iint)
 			rc = -ENOMEM;
 	}
-	if ((ima_ns == current_ima_ns) && iint && readcount_open &&
-	    ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)) {
-		iint_readcount_inc(iint);
-		((struct ima_file_data *)file->f_ima)->is_readcount = true;
-	}
 	if (!rc && violation_check)
 		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
 					 &pathbuf, &pathname, filename, ima_ns);
@@ -554,7 +521,7 @@ static int process_ns_measurement(struct file *file, const struct cred *cred,
 static int process_measurement(struct file *file, const struct cred *cred,
 			       u32 secid, char *buf, loff_t size, int mask,
-			       enum ima_hooks func, bool readcount_open)
+			       enum ima_hooks func)
 {
 	int ret;
 	struct ima_namespace *ima_ns;
@@ -569,7 +536,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 			continue;
 		ret = process_ns_measurement(file, cred, secid, buf, size, mask,
-					     func, ima_ns, readcount_open);
+					     func, ima_ns);
 		if (ret != 0)
 			break;
 	}
@@ -596,7 +563,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 	if (file && (prot & PROT_EXEC)) {
 		security_task_getsecid(current, &secid);
 		return process_measurement(file, current_cred(), secid, NULL,
-					   0, MAY_EXEC, MMAP_CHECK, true);
+					   0, MAY_EXEC, MMAP_CHECK);
 	}
 	return 0;
@@ -676,13 +643,13 @@ int ima_bprm_check(struct linux_binprm *bprm)
 	security_task_getsecid(current, &secid);
 	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
-				  MAY_EXEC, BPRM_CHECK, false);
+				  MAY_EXEC, BPRM_CHECK);
 	if (ret)
 		return ret;
 	security_cred_getsecid(bprm->cred, &secid);
 	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
-				   MAY_EXEC, CREDS_CHECK, false);
+				   MAY_EXEC, CREDS_CHECK);
 }
 /**
@@ -703,7 +670,7 @@ int ima_file_check(struct file *file, int mask)
 	security_task_getsecid(current, &secid);
 	rc = process_measurement(file, current_cred(), secid, NULL, 0,
 				 mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
-					 MAY_APPEND), FILE_CHECK, true);
+					 MAY_APPEND), FILE_CHECK);
 	if (ima_current_is_parser() && !rc)
 		ima_check_measured_appraised(file);
 	return rc;
@@ -879,7 +846,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_task_getsecid(current, &secid);
 	return process_measurement(file, current_cred(), secid, NULL,
-				   0, MAY_READ, func, false);
+				   0, MAY_READ, func);
 }
 const int read_idmap[READING_MAX_ID] = {
@@ -924,7 +891,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_task_getsecid(current, &secid);
 	return process_measurement(file, current_cred(), secid, buf, size,
-				   MAY_READ, func, false);
+				   MAY_READ, func);
 }
 /**

--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -18,7 +18,6 @@
 #include <linux/key.h>
 #include <linux/audit.h>
 #include <linux/hash_info.h>
-#include <linux/atomic.h>
 /* iint action cache flags */
 #define IMA_MEASURE		0x00000001
@@ -143,9 +142,6 @@ struct integrity_iint_cache {
 	enum integrity_status ima_creds_status:4;
 	enum integrity_status evm_status:4;
 	struct ima_digest_data *ima_hash;
-	atomic_t readcount; /* Reader counter, incremented only in FILE_CHECK or
-			     * MMAP_CHECK hooks, used for ima violation check.
-			     */
 };
 enum compact_types { COMPACT_KEY, COMPACT_PARSER, COMPACT_FILE,
@@ -342,17 +338,3 @@ static inline void __init add_to_platform_keyring(const char *source,
 {
 }
 #endif
-#ifdef CONFIG_IMA
-static inline void iint_readcount_inc(struct integrity_iint_cache *iint)
-{
-	atomic_inc(&iint->readcount);
-}
-static inline void iint_readcount_dec(struct integrity_iint_cache *iint)
-{
-	if (WARN_ON(!atomic_read(&iint->readcount)))
-		return;
-	atomic_dec(&iint->readcount);
-}
-#endif