Revert "ima: Extend permissions to the ima securityfs entries"

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G
CVE: NA

--------------------------------

This reverts commit 441a760d.
Signed-off-by: NZhang Tianxing <zhangtianxing3@huawei.com>
Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

security/integrity/ima/ima.h

@@ -512,9 +512,9 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
 #endif /* CONFIG_IMA_LSM_RULES */
 
 #ifdef	CONFIG_IMA_READ_POLICY
-#define	POLICY_FILE_FLAGS	(S_IWUSR | S_IRUSR | S_IROTH | S_IWOTH)
+#define	POLICY_FILE_FLAGS	(S_IWUSR | S_IRUSR)
 #else
-#define	POLICY_FILE_FLAGS	(S_IWUSR | S_IWOTH)
+#define	POLICY_FILE_FLAGS	S_IWUSR
 #endif /* CONFIG_IMA_READ_POLICY */
 
 #endif /* __LINUX_IMA_H */

security/integrity/ima/ima_fs.c

@@ -73,18 +73,7 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf,
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
 }
 
-static int ima_open_htable_value(struct inode *inode, struct file *file)
-{
-	struct ima_namespace *ima_ns = get_current_ns();
-
-	if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
-
-	return 0;
-}
-
 static const struct file_operations ima_htable_value_ops = {
-	.open = ima_open_htable_value,
 	.read = ima_show_htable_value,
 	.llseek = generic_file_llseek,
 };
@@ -236,11 +225,6 @@ static const struct seq_operations ima_measurments_seqops = {
 
 static int ima_measurements_open(struct inode *inode, struct file *file)
 {
-	struct ima_namespace *ima_ns = get_current_ns();
-
-	if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
-
 	return seq_open(file, &ima_measurments_seqops);
 }
 
@@ -307,11 +291,6 @@ static const struct seq_operations ima_ascii_measurements_seqops = {
 
 static int ima_ascii_measurements_open(struct inode *inode, struct file *file)
 {
-	struct ima_namespace *ima_ns = get_current_ns();
-
-	if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
-
 	return seq_open(file, &ima_ascii_measurements_seqops);
 }
 
@@ -528,7 +507,6 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
 	const struct seq_operations *seq_ops = NULL;
 	enum ima_fs_flags flag = ima_get_dentry_flag(dentry);
 	bool read_allowed = false;
-	struct ima_namespace *ima_ns = get_current_ns();
 
 	if (dentry == ima_policy) {
 #ifdef	CONFIG_IMA_READ_POLICY
@@ -542,10 +520,10 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
 			return -EACCES;
 		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 			return -EACCES;
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		return seq_open(filp, seq_ops);
 	}
-	if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
-		return -EPERM;
 	if (test_and_set_bit(flag, &ima_fs_flags))
 		return -EBUSY;
 
@@ -630,21 +608,21 @@ int __init ima_fs_init(void)
 
 	binary_runtime_measurements =
 	    securityfs_create_file("binary_runtime_measurements",
-				   S_IRUSR | S_IRGRP | S_IROTH, ima_dir, NULL,
+				   S_IRUSR | S_IRGRP, ima_dir, NULL,
 				   &ima_measurements_ops);
 	if (IS_ERR(binary_runtime_measurements))
 		goto out;
 
 	ascii_runtime_measurements =
 	    securityfs_create_file("ascii_runtime_measurements",
-				   S_IRUSR | S_IRGRP | S_IROTH, ima_dir, NULL,
+				   S_IRUSR | S_IRGRP, ima_dir, NULL,
 				   &ima_ascii_measurements_ops);
 	if (IS_ERR(ascii_runtime_measurements))
 		goto out;
 
 	runtime_measurements_count =
 	    securityfs_create_file("runtime_measurements_count",
-				   S_IRUSR | S_IRGRP | S_IROTH, ima_dir, NULL,
+				   S_IRUSR | S_IRGRP, ima_dir, NULL,
 				   &ima_htable_value_ops);
 	if (IS_ERR(runtime_measurements_count))
 		goto out;