Revert "ima: Parse per ima namespace policy file"

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit 3ead0c63. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Revert "ima: Parse per ima namespace policy file"
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit 3ead0c63. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
8d0af635 · Zhang Tianxing · Zheng Zengkai · dfeaf682 · 8d0af635 · 8d0af635
Showing with 23 addition and 21 deletion

security/integrity/ima/ima.h security/integrity/ima/ima.h +3 -3

security/integrity/ima/ima_fs.c security/integrity/ima/ima_fs.c +6 -7

security/integrity/ima/ima_policy.c security/integrity/ima/ima_policy.c +14 -11

未找到文件。
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -312,10 +312,10 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 void ima_init_policy(void);
 void ima_init_ns_policy(struct ima_namespace *ima_ns,
 			const struct ima_policy_setup_data *policy_setup_data);
-void ima_update_policy(struct ima_namespace *ima_ns);
+void ima_update_policy(void);
 void ima_update_policy_flag(struct ima_namespace *ima_ns);
-ssize_t ima_parse_add_rule(char *rule, struct ima_namespace *ima_ns);
-void ima_delete_rules(struct ima_namespace *ima_ns);
+ssize_t ima_parse_add_rule(char *);
+void ima_delete_rules(void);
 int ima_check_policy(const struct ima_namespace *ima_ns);
 void *ima_policy_start(struct seq_file *m, loff_t *pos);
 void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);

--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -328,8 +328,7 @@ static const struct file_operations ima_ascii_measurements_ops = {
 	.release = seq_release,
 };

-static ssize_t ima_read_sfs_file(char *path, struct dentry *dentry,
-				 struct ima_namespace *ima_ns)
+static ssize_t ima_read_sfs_file(char *path, struct dentry *dentry)
 {
 	void *data = NULL;
 	char *datap;
@@ -371,7 +370,7 @@ static ssize_t ima_read_sfs_file(char *path, struct dentry *dentry,
 				break;

 			pr_debug("rule: %s\n", p);
-			rc = ima_parse_add_rule(p, ima_ns);
+			rc = ima_parse_add_rule(p);
 		} else if (dentry == digest_list_data ||
 			   dentry == digest_list_data_del) {
 #ifdef CONFIG_IMA_DIGEST_LIST
@@ -457,7 +456,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf,
 		goto out_free;

 	if (data[0] == '/') {
-		result = ima_read_sfs_file(data, dentry, ima_ns);
+		result = ima_read_sfs_file(data, dentry);
 	} else if (dentry == ima_policy) {
 		if (ima_ns->policy_data->ima_appraise & IMA_APPRAISE_POLICY) {
 			pr_err("signed policy file (specified "
@@ -467,7 +466,7 @@ static ssize_t ima_write_data(struct file *file, const char __user *buf,
 					    "signed policy required", 1, 0);
 			result = -EACCES;
 		} else {
-			result = ima_parse_add_rule(data, ima_ns);
+			result = ima_parse_add_rule(data);
 		}
 	} else if (dentry == digest_list_data) {
 		if (!ima_current_is_parser()) {
@@ -598,13 +597,13 @@ static int ima_release_data_upload(struct inode *inode, struct file *file)
 			    "policy_update", cause, !valid_policy, 0);

 	if (!valid_policy) {
-		ima_delete_rules(ima_ns);
+		ima_delete_rules();
 		valid_policy = 1;
 		clear_bit(flag, &ima_fs_flags);
 		return 0;
 	}

-	ima_update_policy(ima_ns);
+	ima_update_policy();
 #if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
 	securityfs_remove(ima_policy);
 	ima_policy = NULL;

--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -858,8 +858,7 @@ static void add_rules(struct ima_namespace *ima_ns,
 	}
 }

-static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
-			  struct ima_namespace *ima_ns);
+static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);

 static int ima_init_arch_policy(void)
 {
@@ -889,8 +888,7 @@ static int ima_init_arch_policy(void)
 		result = strlcpy(rule, *rules, sizeof(rule));

 		INIT_LIST_HEAD(&arch_policy_entry[i].list);
-		result = ima_parse_rule(rule, &arch_policy_entry[i],
-					&init_ima_ns);
+		result = ima_parse_rule(rule, &arch_policy_entry[i]);
 		if (result) {
 			pr_warn("Skipping unknown architecture policy rule: %s\n",
 				rule);
@@ -1046,8 +1044,10 @@ int ima_check_policy(const struct ima_namespace *ima_ns)
 * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
 * we switch from the default policy to user defined.
 */
-void ima_update_policy(struct ima_namespace *ima_ns)
+void ima_update_policy(void)
 {
+	/* Update only the current ima namespace */
+	struct ima_namespace *ima_ns = get_current_ns();
 	struct list_head *policy = &ima_ns->policy_data->ima_policy_rules;

 	list_splice_tail_init_rcu(&ima_ns->policy_data->ima_temp_rules,
@@ -1305,8 +1305,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 	return true;
 }

-static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
-			  struct ima_namespace *ima_ns)
+static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 {
 	struct audit_buffer *ab;
 	char *from;
@@ -1314,6 +1313,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
 	bool uid_token;
 	struct ima_template_desc *template_desc;
 	int result = 0;
+	struct ima_namespace *ima_ns = get_current_ns();

 	ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
 				       AUDIT_INTEGRITY_POLICY_RULE);
@@ -1692,18 +1692,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
 /**
 * ima_parse_add_rule - add a rule to ima_policy_rules
 * @rule - ima measurement policy rule
- * @ima_ns - pointer to the ima namespace the rule will be added to
 *
 * Avoid locking by allowing just one writer at a time in ima_write_policy()
 * Returns the length of the rule parsed, an error code on failure
 */
-ssize_t ima_parse_add_rule(char *rule, struct ima_namespace *ima_ns)
+ssize_t ima_parse_add_rule(char *rule)
 {
 	static const char op[] = "update_policy";
 	char *p;
 	struct ima_rule_entry *entry;
 	ssize_t result, len;
 	int audit_info = 0;
+	/* Add rules only to the current ima namespace */
+	struct ima_namespace *ima_ns = get_current_ns();

 	p = strsep(&rule, "\n");
 	len = strlen(p) + 1;
@@ -1721,7 +1722,7 @@ ssize_t ima_parse_add_rule(char *rule, struct ima_namespace *ima_ns)

 	INIT_LIST_HEAD(&entry->list);

-	result = ima_parse_rule(p, entry, ima_ns);
+	result = ima_parse_rule(p, entry);
 	if (result) {
 		ima_free_rule(entry);
 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
@@ -1741,8 +1742,10 @@ ssize_t ima_parse_add_rule(char *rule, struct ima_namespace *ima_ns)
 * different from the active one.  There is also only one user of
 * ima_delete_rules() at a time.
 */
-void ima_delete_rules(struct ima_namespace *ima_ns)
+void ima_delete_rules(void)
 {
+	/* Delete rules only from the current ima namespace */
+	struct ima_namespace *ima_ns = get_current_ns();
 	struct ima_rule_entry *entry, *tmp;

 	ima_ns->policy_data->temp_ima_appraise = 0;