Revert "ima: Check ima namespace ID during digest entry lookup"

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G
CVE: NA

--------------------------------

This reverts commit bd86d4c7.
Signed-off-by: NZhang Tianxing <zhangtianxing3@huawei.com>
Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

security/integrity/ima/ima.h

@@ -187,7 +187,6 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
  * used to protect h_table and sha_table
  */
 extern spinlock_t ima_queue_lock;
-extern spinlock_t ima_htable_lock;
 
 struct ima_h_table {
 	atomic_long_t len;	/* number of stored measurements in the list */

security/integrity/ima/ima_ns.c

@@ -26,7 +26,6 @@
 #include <linux/rwsem.h>
 #include <linux/workqueue.h>
 #include <linux/mutex.h>
-#include <linux/spinlock.h>
 
 #include "ima.h"
 
@@ -181,28 +180,10 @@ int __init ima_init_namespace(void)
 	return 0;
 }
 
-static void imans_remove_hash_entries(struct ima_namespace *ima_ns)
-{
-	struct list_head *ele;
-	struct ima_queue_entry *qe;
-
-	/* The namespace is inactive, no lock is needed */
-	list_for_each(ele, &ima_ns->ns_measurements) {
-		qe = list_entry(ele, struct ima_queue_entry, ns_later);
-		/* Don't free the queue entry, it should stay on the global
-		 * measurement list, remove only the hash table entry */
-		spin_lock(&ima_htable_lock);
-		hlist_del_rcu(&qe->hnext);
-		spin_unlock(&ima_htable_lock);
-		atomic_long_dec(&ima_htable.len);
-	}
-}
-
 static void destroy_ima_ns(struct ima_namespace *ns)
 {
 	bool is_init_ns = (ns == &init_ima_ns);
 
-	imans_remove_hash_entries(ns);
 	dec_ima_namespaces(ns->ucounts);
 	put_user_ns(ns->user_ns);
 	ns_free_inum(&ns->ns);

security/integrity/ima/ima_queue.c

@@ -17,7 +17,6 @@
 
 #include <linux/rculist.h>
 #include <linux/slab.h>
-#include <linux/spinlock.h>
 #include "ima.h"
 
 #define AUDIT_CAUSE_LEN_MAX 32
@@ -32,8 +31,6 @@ static unsigned long binary_runtime_size;
 static unsigned long binary_runtime_size = ULONG_MAX;
 #endif
 
-DEFINE_SPINLOCK(ima_htable_lock);
-
 /* key: inode (before secure-hashing a file) */
 struct ima_h_table ima_htable = {
 	.len = ATOMIC_LONG_INIT(0),
@@ -49,7 +46,7 @@ static DEFINE_MUTEX(ima_extend_list_mutex);
 
 /* lookup up the digest value in the hash table, and return the entry */
 static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
-						       int pcr, int ns_id)
+						       int pcr)
 {
 	struct ima_queue_entry *qe, *ret = NULL;
 	unsigned int key;
@@ -60,8 +57,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
 	hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
 		rc = memcmp(qe->entry->digests[ima_hash_algo_idx].digest,
 			    digest_value, hash_digest_size[ima_hash_algo]);
-		if ((rc == 0) && (qe->entry->pcr == pcr) &&
-		    (qe->entry->ns_id == ns_id)) {
+		if ((rc == 0) && (qe->entry->pcr == pcr)) {
 			ret = qe;
 			break;
 		}
@@ -115,9 +111,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,
 	atomic_long_inc(&ima_htable.len);
 	if (update_htable) {
 		key = ima_hash_key(entry->digests[ima_hash_algo_idx].digest);
-		spin_lock(&ima_htable_lock);
 		hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
-		spin_unlock(&ima_htable_lock);
 	}
 
 	if (binary_runtime_size != ULONG_MAX) {
@@ -178,7 +172,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 
 	mutex_lock(&ima_extend_list_mutex);
 	if (!violation) {
-		if (ima_lookup_digest_entry(digest, entry->pcr, entry->ns_id)) {
+		if (ima_lookup_digest_entry(digest, entry->pcr)) {
 			audit_cause = "hash_exists";
 			result = -EEXIST;
 			goto out;