Revert "ima: Keep track of the measurment list per ima namespace"

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit a1f9c162. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Revert "ima: Keep track of the measurment list per ima namespace"
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit a1f9c162. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
0d6bc14b · Zhang Tianxing · Zheng Zengkai · 9c1e64e4 · 0d6bc14b · 0d6bc14b
7 changed file
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -232,7 +232,6 @@ struct ima_namespace {
 	bool frozen;
 	struct ima_policy_data *policy_data;
 	struct integrity_iint_tree *iint_tree;
-	struct list_head ns_measurements;
 } __randomize_layout;

 extern struct ima_namespace init_ima_ns;

--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -119,7 +119,6 @@ struct ima_template_entry {
 struct ima_queue_entry {
 	struct hlist_node hnext;	/* place in hash collision list */
 	struct list_head later;		/* place in ima_measurements list */
-	struct list_head ns_later;	/* place in ima namespace list */
 	struct ima_template_entry *entry;
 };
 extern struct list_head ima_measurements;	/* list of all measurements */
@@ -152,8 +151,7 @@ int ima_init(void);
 int ima_fs_init(void);
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 			   const char *op, struct inode *inode,
-			   const unsigned char *filename,
-			   struct ima_namespace *ima_ns);
+			   const unsigned char *filename);
 int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
 int ima_calc_buffer_hash(const void *buf, loff_t len,
 			 struct ima_digest_data *hash);
@@ -295,8 +293,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
 			    struct ima_template_desc *template_desc);
 int ima_store_template(struct ima_template_entry *entry, int violation,
 		       struct inode *inode, const unsigned char *filename,
-		       int pcr, struct ima_digest *digest,
-		       struct ima_namespace *ima_ns);
+		       int pcr, struct ima_digest *digest);
 void ima_free_template_entry(struct ima_template_entry *entry);
 const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);


--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -104,8 +104,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
 int ima_store_template(struct ima_template_entry *entry,
 		       int violation, struct inode *inode,
 		       const unsigned char *filename, int pcr,
-		       struct ima_digest *digest,
-		       struct ima_namespace *ima_ns)
+		       struct ima_digest *digest)
 {
 	static const char op[] = "add_template_measure";
 	static const char audit_cause[] = "hashing_error";
@@ -135,11 +134,10 @@ int ima_store_template(struct ima_template_entry *entry,
 	}

 	entry->pcr = pcr;
-	result = ima_add_template_entry(entry, violation, op, inode, filename,
-					ima_ns);
+	result = ima_add_template_entry(entry, violation, op, inode, filename);
 	if (!result && duplicated_entry) {
 		result = ima_add_template_entry(duplicated_entry, violation, op,
-						inode, filename, ima_ns);
+						inode, filename);
 		if (result < 0)
 			kfree(duplicated_entry);
 	}
@@ -179,7 +177,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 		goto err_out;
 	}
 	result = ima_store_template(entry, violation, inode, filename,
-				    CONFIG_IMA_MEASURE_PCR_IDX, NULL, ima_ns);
+				    CONFIG_IMA_MEASURE_PCR_IDX, NULL);
 	if (result < 0)
 		ima_free_template_entry(entry);
 err_out:
@@ -366,7 +364,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 	}

 	result = ima_store_template(entry, violation, inode, filename, pcr,
-				    digest, ima_ns);
+				    digest);
 out:
 	if ((!result || result == -EEXIST) && !(file->f_flags & O_DIRECT)) {
 		iint->flags |= IMA_MEASURED;

--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -35,7 +35,6 @@ struct ima_namespace init_ima_ns = {
 	.frozen = true,
 	.policy_data = &init_policy_data,
 	.iint_tree = &init_iint_tree,
-	.ns_measurements = LIST_HEAD_INIT(init_ima_ns.ns_measurements),
 };
 EXPORT_SYMBOL(init_ima_ns);

@@ -105,8 +104,7 @@ static int __init ima_add_boot_aggregate(void)

 	result = ima_store_template(entry, violation, NULL,
 				    boot_aggregate_name,
-				    CONFIG_IMA_MEASURE_PCR_IDX, NULL,
-				    &init_ima_ns);
+				    CONFIG_IMA_MEASURE_PCR_IDX, NULL);
 	if (result < 0) {
 		ima_free_template_entry(entry);
 		audit_cause = "store_entry";

--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1078,8 +1078,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
 		goto out;
 	}

-	ret = ima_store_template(entry, violation, NULL, buf, pcr, NULL,
-				 ima_ns);
+	ret = ima_store_template(entry, violation, NULL, buf, pcr, NULL);
 	if (ret < 0) {
 		audit_cause = "store_entry";
 		ima_free_template_entry(entry);

--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -130,7 +130,6 @@ static struct ima_namespace *clone_ima_ns(struct user_namespace *user_ns,
 	rwlock_init(&ns->iint_tree->lock);
 	ns->iint_tree->root = RB_ROOT;

-	INIT_LIST_HEAD(&ns->ns_measurements);
 	INIT_LIST_HEAD(&ns->policy_data->ima_default_rules);
 	INIT_LIST_HEAD(&ns->policy_data->ima_policy_rules);
 	INIT_LIST_HEAD(&ns->policy_data->ima_temp_rules);

--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -91,8 +91,7 @@ static int get_binary_runtime_size(struct ima_template_entry *entry)
 * (Called with ima_extend_list_mutex held.)
 */
 static int ima_add_digest_entry(struct ima_template_entry *entry,
-				bool update_htable,
-				struct ima_namespace *ima_ns)
+				bool update_htable)
 {
 	struct ima_queue_entry *qe;
 	unsigned int key;
@@ -106,7 +105,6 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,

 	INIT_LIST_HEAD(&qe->later);
 	list_add_tail_rcu(&qe->later, &ima_measurements);
-	list_add_tail_rcu(&qe->ns_later, &ima_ns->ns_measurements);

 	atomic_long_inc(&ima_htable.len);
 	if (update_htable) {
@@ -160,8 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
 */
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 			   const char *op, struct inode *inode,
-			   const unsigned char *filename,
-			   struct ima_namespace *ima_ns)
+			   const unsigned char *filename)
 {
 	u8 *digest = entry->digests[ima_hash_algo_idx].digest;
 	struct tpm_digest *digests_arg = entry->digests;
@@ -179,7 +176,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 		}
 	}

-	result = ima_add_digest_entry(entry, 1, ima_ns);
+	result = ima_add_digest_entry(entry, 1);
 	if (result < 0) {
 		audit_cause = "ENOMEM";
 		audit_info = 0;
@@ -208,7 +205,7 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry)
 	int result = 0;

 	mutex_lock(&ima_extend_list_mutex);
-	result = ima_add_digest_entry(entry, 0, &init_ima_ns);
+	result = ima_add_digest_entry(entry, 0);
 	mutex_unlock(&ima_extend_list_mutex);
 	return result;
 }