Revert "digest list: disable digest lists in non-root ima namespaces"

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit 603cc292. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Revert "digest list: disable digest lists in non-root ima namespaces"
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit 603cc292. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
6c24414a · Zhang Tianxing · Zheng Zengkai · 4e0bcf65 · 6c24414a · 6c24414a
显示空白变更内容
内联并排

Showing with 1 addition and 22 deletion

security/integrity/ima/ima_digest_list.c security/integrity/ima/ima_digest_list.c +0 -12

security/integrity/ima/ima_fs.c security/integrity/ima/ima_fs.c +1 -10

未找到文件。
--- a/security/integrity/ima/ima_digest_list.c
+++ b/security/integrity/ima/ima_digest_list.c
@@ -89,9 +89,6 @@ struct ima_digest *ima_lookup_digest(u8 *digest, enum hash_algo algo,
 	int digest_len = hash_digest_size[algo];
 	unsigned int key = ima_hash_key(digest);

-	if (&init_ima_ns != get_current_ns())
-		return NULL;
-
 	rcu_read_lock();
 	hlist_for_each_entry_rcu(d, &ima_digests_htable.queue[key], hnext)
 		if (d->algo == algo && d->type == type &&
@@ -176,9 +173,6 @@ int ima_parse_compact_list(loff_t size, void *buf, int op)
 	size_t digest_len;
 	int ret = 0, i;

-	if (&init_ima_ns != get_current_ns())
-		return -EACCES;
-
 	if (!(ima_digest_list_actions & init_policy_data.ima_policy_flag))
 		return -EACCES;

@@ -251,9 +245,6 @@ void ima_check_measured_appraised(struct file *file)
 {
 	struct integrity_iint_cache *iint;

-	if (&init_ima_ns != get_current_ns())
-		return;
-
 	if (!ima_digest_list_actions)
 		return;

@@ -290,9 +281,6 @@ void ima_check_measured_appraised(struct file *file)

 struct ima_digest *ima_digest_allow(struct ima_digest *digest, int action)
 {
-	if (&init_ima_ns != get_current_ns())
-		return NULL;
-
 	if (!(ima_digest_list_actions & action))
 		return NULL;


--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -60,17 +60,11 @@ static int valid_policy = 1;

 static int ima_open_simple(struct inode *inode, struct file *file)
 {
-	struct dentry *dentry = file_dentry(file);
 	struct ima_namespace *ima_ns = get_current_ns();

 	if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
 		return -EPERM;

-	if (dentry == digests_count) {
-		if (&init_ima_ns != get_current_ns())
-			return -EACCES;
-	}
-
 	return 0;
 }

@@ -562,12 +556,9 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
 	if (test_and_set_bit(flag, &ima_fs_flags))
 		return -EBUSY;

-	if (dentry == digest_list_data || dentry == digest_list_data_del) {
-		if (&init_ima_ns != get_current_ns())
-			return -EACCES;
+	if (dentry == digest_list_data || dentry == digest_list_data_del)
 		if (ima_check_current_is_parser())
 			ima_set_parser();
-	}

 	return 0;
 }