Revert "ima: Change the owning user namespace of the ima namespace if necessary"

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit 2098d7b5. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Revert "ima: Change the owning user namespace of the ima namespace if necessary"
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit 2098d7b5. Signed-off-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng<xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
e97f664f · Zhang Tianxing · Zheng Zengkai · e6a605a9 · e97f664f · e97f664f
显示空白变更内容
内联并排

Showing with 10 addition and 40 deletion

include/linux/ima.h include/linux/ima.h +2 -4

kernel/nsproxy.c kernel/nsproxy.c +1 -1

security/integrity/ima/ima_ns.c security/integrity/ima/ima_ns.c +7 -35

未找到文件。
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -246,8 +246,7 @@ struct ima_namespace *copy_ima_ns(unsigned long flags,
 void free_ima_ns(struct kref *kref);
-int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk,
+int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk);
-		  struct user_namespace *user_ns);
 static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
 {
@@ -270,8 +269,7 @@ static inline struct ima_namespace *copy_ima_ns(unsigned long flags,
 }
 static inline int imans_on_fork(struct nsproxy *nsproxy,
-				struct task_struct *tsk,
+				struct task_struct *tsk)
-				struct user_namespace *user_ns)
 {
 	return 0;
 }

--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -204,7 +204,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
 		return ret;
 	}
-	ret = imans_on_fork(new_ns, tsk, user_ns);
+	ret = imans_on_fork(new_ns, tsk);
 	if (ret) {
 		free_nsproxy(new_ns);
 		return ret;

--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -93,24 +93,6 @@ static void ima_set_ns_policy(struct ima_namespace *ima_ns,
 	ima_init_ns_policy(ima_ns, &setup_data);
 }
-static int ima_swap_user_ns(struct ima_namespace *ima_ns,
-			    struct user_namespace *user_ns)
-{
-	struct ucounts *ucounts;
-	dec_ima_namespaces(ima_ns->ucounts);
-	put_user_ns(ima_ns->user_ns);
-	ucounts = inc_ima_namespaces(user_ns);
-	if (!ucounts)
-		return -ENOSPC;
-	ima_ns->user_ns = get_user_ns(user_ns);
-	ima_ns->ucounts = ucounts;
-	return 0;
-}
 /**
 * Clone a new ns copying an original ima namespace, setting refcount to 1
 *
@@ -370,33 +352,23 @@ static int imans_install(struct nsset *nsset, struct ns_common *new)
 	return res;
 }
-int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk,
+int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk)
-		  struct user_namespace *user_ns)
 {
 	int res;
-	struct ima_namespace *ima_ns = nsproxy->ima_ns_for_children;
+	struct ns_common *nsc = &nsproxy->ima_ns_for_children->ns;
+	struct ima_namespace *ns = to_ima_ns(nsc);
 	/* create_new_namespaces() already incremented the ref counter */
-	if (nsproxy->ima_ns == ima_ns)
+	if (nsproxy->ima_ns == nsproxy->ima_ns_for_children)
 		return 0;
-	/* It's possible that the user first unshares the IMA namespace and
+	res = imans_activate(ns);
-	 * then creates a new user namespace on clone3(). In that case swap
-	 * user namespace for the "current" one.
-	 */
-	if (ima_ns->user_ns != user_ns) {
-		res = ima_swap_user_ns(ima_ns, user_ns);
-		if (res)
-			return res;
-	}
-	res = imans_activate(ima_ns);
 	if (res)
 		return res;
-	get_ima_ns(ima_ns);
+	get_ima_ns(ns);
 	put_ima_ns(nsproxy->ima_ns);
-	nsproxy->ima_ns = ima_ns;
+	nsproxy->ima_ns = ns;
 	return res;
 }