Revert "ima: Change the owning user namespace of the ima namespace if necessary"

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G
CVE: NA

--------------------------------

This reverts commit 2098d7b5.
Signed-off-by: NZhang Tianxing <zhangtianxing3@huawei.com>
Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

include/linux/ima.h

@@ -246,8 +246,7 @@ struct ima_namespace *copy_ima_ns(unsigned long flags,
 
 void free_ima_ns(struct kref *kref);
 
-int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk,
-		  struct user_namespace *user_ns);
+int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk);
 
 static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
 {
@@ -270,8 +269,7 @@ static inline struct ima_namespace *copy_ima_ns(unsigned long flags,
 }
 
 static inline int imans_on_fork(struct nsproxy *nsproxy,
-				struct task_struct *tsk,
-				struct user_namespace *user_ns)
+				struct task_struct *tsk)
 {
 	return 0;
 }

kernel/nsproxy.c

@@ -204,7 +204,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
 		return ret;
 	}
 
-	ret = imans_on_fork(new_ns, tsk, user_ns);
+	ret = imans_on_fork(new_ns, tsk);
 	if (ret) {
 		free_nsproxy(new_ns);
 		return ret;

security/integrity/ima/ima_ns.c

@@ -93,24 +93,6 @@ static void ima_set_ns_policy(struct ima_namespace *ima_ns,
 	ima_init_ns_policy(ima_ns, &setup_data);
 }
 
-static int ima_swap_user_ns(struct ima_namespace *ima_ns,
-			    struct user_namespace *user_ns)
-{
-	struct ucounts *ucounts;
-
-	dec_ima_namespaces(ima_ns->ucounts);
-	put_user_ns(ima_ns->user_ns);
-
-	ucounts = inc_ima_namespaces(user_ns);
-	if (!ucounts)
-		return -ENOSPC;
-
-	ima_ns->user_ns = get_user_ns(user_ns);
-	ima_ns->ucounts = ucounts;
-
-	return 0;
-}
-
 /**
  * Clone a new ns copying an original ima namespace, setting refcount to 1
  *
@@ -370,33 +352,23 @@ static int imans_install(struct nsset *nsset, struct ns_common *new)
 	return res;
 }
 
-int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk,
-		  struct user_namespace *user_ns)
+int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk)
 {
 	int res;
-	struct ima_namespace *ima_ns = nsproxy->ima_ns_for_children;
+	struct ns_common *nsc = &nsproxy->ima_ns_for_children->ns;
+	struct ima_namespace *ns = to_ima_ns(nsc);
 
 	/* create_new_namespaces() already incremented the ref counter */
-	if (nsproxy->ima_ns == ima_ns)
+	if (nsproxy->ima_ns == nsproxy->ima_ns_for_children)
 		return 0;
 
-	/* It's possible that the user first unshares the IMA namespace and
-	 * then creates a new user namespace on clone3(). In that case swap
-	 * user namespace for the "current" one.
-	 */
-	if (ima_ns->user_ns != user_ns) {
-		res = ima_swap_user_ns(ima_ns, user_ns);
-		if (res)
-			return res;
-	}
-
-	res = imans_activate(ima_ns);
+	res = imans_activate(ns);
 	if (res)
 		return res;
 
-	get_ima_ns(ima_ns);
+	get_ima_ns(ns);
 	put_ima_ns(nsproxy->ima_ns);
-	nsproxy->ima_ns = ima_ns;
+	nsproxy->ima_ns = ns;
 
 	return res;
 }