Revert "ima: Set ML template per ima namespace"

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit e16e05db. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Revert "ima: Set ML template per ima namespace"
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit e16e05db. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
80986d4d · Zhang Tianxing · Zheng Zengkai · 5d5e7cc3 · 80986d4d · 80986d4d
6 changed file
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -240,7 +240,6 @@ struct ima_namespace {
 #ifdef CONFIG_KEYS
 	struct key_tag *key_domain;
 #endif
-	struct ima_template_desc *ima_template;
 	struct task_struct *activating_tsk; /* used only for the ns activation */
 } __randomize_layout;

--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -172,10 +172,8 @@ int template_desc_init_fields(const char *template_fmt,
 			      const struct ima_template_field ***fields,
 			      int *num_fields);
 struct ima_template_desc *ima_template_desc_current(void);
-struct ima_template_desc *ima_template_desc_ns(struct ima_namespace *ima_ns);
 struct ima_template_desc *lookup_template_desc(const char *name);
 bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
-int ima_template_setup(char *str, struct ima_namespace *ima_ns);
 int ima_restore_measurement_entry(struct ima_template_entry *entry);
 int ima_restore_measurement_list(loff_t bufsize, void *buf);
 int ima_measurements_show(struct seq_file *m, void *v);

--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -48,7 +48,6 @@ struct ima_namespace init_ima_ns = {
 #ifdef CONFIG_KEYS
 	.key_domain = &init_ima_key_domain,
 #endif
-	.ima_template = NULL,
 };
 EXPORT_SYMBOL(init_ima_ns);

--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -49,28 +49,6 @@ static void dec_ima_namespaces(struct ucounts *ucounts)
 	return dec_ucount(ucounts, UCOUNT_IMA_NAMESPACES);
 }
-static int ima_set_ns_template(struct ima_namespace *ima_ns)
-{
-	int result;
-	if (!ima_ns->ima_template)
-		ima_ns->ima_template =
-			lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
-	result = template_desc_init_fields(ima_ns->ima_template->fmt,
-					   &(ima_ns->ima_template->fields),
-					   &(ima_ns->ima_template->num_fields));
-	if (result < 0) {
-		pr_err("template %s init failed, result: %d\n",
-		       (strlen(ima_ns->ima_template->name) ?
-		       ima_ns->ima_template->name :
-		       ima_ns->ima_template->fmt), result);
-		ima_ns->ima_template = NULL;
-	}
-	return result;
-}
 static int ima_ns_add_boot_aggregate(struct ima_namespace *ima_ns)
 {
 	static const char op[] = "ns_add_boot_aggregate";
@@ -267,7 +245,6 @@ static struct ima_namespace *clone_ima_ns(struct user_namespace *user_ns,
 #endif
 	ns->x509_path_for_children = NULL;
 	ns->policy_setup_for_children = NULL;
-	ns->ima_template = NULL;
 	INIT_LIST_HEAD(&ns->ns_measurements);
 	INIT_LIST_HEAD(&ns->policy_data->ima_default_rules);
@@ -460,10 +437,6 @@ static int imans_activate(struct ima_namespace *ima_ns)
 	if (ima_ns->frozen)
 		goto out;
-	res = ima_set_ns_template(ima_ns);
-	if (res < 0)
-		goto out;
 	ima_set_ns_policy(ima_ns);
 	ima_ns->frozen = true;
@@ -583,11 +556,10 @@ struct ima_kernel_param {
 	int (*set)(char *val, struct ima_namespace *ima_ns);
 };
-/* TODO: add ima_template_fmt, ima_hash, ... */
+/* TODO: add ima_template, ima_template_fmt, ima_hash, ... */
 static const struct ima_kernel_param ima_kernel_params[] = {
 	{"ima_appraise", ima_default_appraise_setup},
 	{"ima_policy", ima_policy_setup},
-	{"ima_template", ima_template_setup},
 };
 static const size_t ima_kernel_params_size = ARRAY_SIZE(ima_kernel_params);

--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -737,7 +737,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 	bool fail_unverifiable_sigs;
 	if (template_desc)
-		*template_desc = ima_template_desc_ns(ima_ns);
+		*template_desc = ima_template_desc_current();
 	rcu_read_lock();
 	list_for_each_entry_rcu(entry, ima_ns->policy_data->ima_rules, list) {

--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -59,6 +59,8 @@ static const struct ima_template_field supported_fields[] = {
 */
 #define MAX_TEMPLATE_NAME_LEN sizeof("d-ng|n-ng|sig|buf|d-modisg|modsig|ns")
+static struct ima_template_desc *ima_template;
 /**
 * ima_template_has_modsig - Check whether template has modsig-related fields.
 * @ima_template: IMA template to check.
@@ -78,12 +80,12 @@ bool ima_template_has_modsig(const struct ima_template_desc *ima_template)
 	return false;
 }
-int ima_template_setup(char *str, struct ima_namespace *ima_ns)
+static int __init ima_template_setup(char *str)
 {
 	struct ima_template_desc *template_desc;
 	int template_len = strlen(str);
-	if (ima_ns->ima_template)
+	if (ima_template)
 		return 1;
 	ima_init_template_list();
@@ -109,21 +111,16 @@ int ima_template_setup(char *str, struct ima_namespace *ima_ns)
 		return 1;
 	}
-	ima_ns->ima_template = template_desc;
+	ima_template = template_desc;
 	return 1;
 }
+__setup("ima_template=", ima_template_setup);
-static int __init template_setup(char *str)
-{
-	return ima_template_setup(str, &init_ima_ns);
-}
-__setup("ima_template=", template_setup);
 static int __init ima_template_fmt_setup(char *str)
 {
 	int num_templates = ARRAY_SIZE(builtin_templates);
-	if (init_ima_ns.ima_template)
+	if (ima_template)
 		return 1;
 	if (template_desc_init_fields(str, NULL, NULL) < 0) {
@@ -133,7 +130,7 @@ static int __init ima_template_fmt_setup(char *str)
 	}
 	builtin_templates[num_templates - 1].fmt = str;
-	init_ima_ns.ima_template = builtin_templates + num_templates - 1;
+	ima_template = builtin_templates + num_templates - 1;
 	return 1;
 }
@@ -250,23 +247,14 @@ void ima_init_template_list(void)
 	spin_unlock(&template_list);
 }
-struct ima_template_desc *ima_template_desc_ns(struct ima_namespace *ima_ns)
+struct ima_template_desc *ima_template_desc_current(void)
 {
-	if (!ima_ns)
+	if (!ima_template) {
-		return NULL;
-	if (!ima_ns->ima_template) {
 		ima_init_template_list();
-		ima_ns->ima_template =
+		ima_template =
-			lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
+		    lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE);
 	}
-	return ima_ns->ima_template;
+	return ima_template;
-}
-struct ima_template_desc *ima_template_desc_current(void)
-{
-	struct ima_namespace *ima_ns = get_current_ns();
-	return ima_template_desc_ns(ima_ns);
 }
 int __init ima_init_template(void)