From ecafcddb5b14cd4bf2ac8f71465f64b0e3ff0b9d Mon Sep 17 00:00:00 2001
From: Zhang Tianxing
Date: Wed, 29 Dec 2021 12:13:08 +0800
Subject: [PATCH] Revert "imans: Check CAP_SYS_ADMIN in userns associated with IMA NS during configuration."

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G
CVE: NA

--------------------------------

This reverts commit 7fdd1c661de46e5d73583c300f8c35c41a6a7b7c.

Signed-off-by: Zhang Tianxing
Acked-by: Xie XiuQi
Acked-by: Xiu Jianfeng
Signed-off-by: Zheng Zengkai
---
 security/integrity/ima/ima_fs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index b7959de25a5f..00cd8095d346 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -637,16 +637,12 @@ static const struct file_operations ima_data_upload_ops = {
 static int ima_open_for_children(struct inode *inode, struct file *file)
 {
 struct ima_namespace *ima_ns = get_current_ns();
- struct ima_namespace *ima_ns_for_children = current->nsproxy->ima_ns_for_children;
 
 /* Allow to set children configuration only after unshare() */
 if (ima_ns == current->nsproxy->ima_ns_for_children)
 return -EPERM;
 
- if (!ns_capable(ima_ns_for_children->user_ns, CAP_SYS_ADMIN))
- return -EPERM;
-
- return 0;
+ return ima_open_simple(inode, file);
 }
 
 static ssize_t ima_write_x509_for_children(struct file *file,
-- 
GitLab
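Review bot: With the `ns_capable(ima_ns_for_children->user_ns, CAP_SYS_ADMIN)` test gone, the only privilege gate left in `ima_open_for_children()` is whatever `ima_open_simple(inode, file)` performs, and that helper's body is outside this hunk. The remaining `-EPERM` branch only enforces the after-unshare() ordering (`ima_ns == current->nsproxy->ima_ns_for_children`); it is not a capability check. Before merging, confirm that `ima_open_simple()` checks CAP_SYS_ADMIN against a user namespace that is appropriate for the namespace being configured. The revert message gives no reason for dropping the check, so state it there and add a comment above the return, e.g. `/* capability check is done by ima_open_simple() */`, if that is indeed the case.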