ima: Don't modify file descriptor mode on the fly

stable inclusion
from stable-5.10.4
commit 0f2206e3d90a9f131b8cfc3f7629c698aa625ce4
bugzilla: 46903

--------------------------------

commit 207cdd56 upstream.

Commit a408e4a8 ("ima: open a new file instance if no read
permissions") already introduced a second open to measure a file when the
original file descriptor does not allow it. However, it didn't remove the
existing method of changing the mode of the original file descriptor, which
is still necessary if the current process does not have enough privileges
to open a new one.

Changing the mode isn't really an option, as the filesystem might need to
do preliminary steps to make the read possible. Thus, this patch removes
the code and keeps the second open as the only option to measure a file
when it is unreadable with the original file descriptor.

Cc: <stable@vger.kernel.org> # 4.20.x: 0014cc04 ima: Set file->f_mode
Fixes: 2fe5d6de ("ima: integrity appraisal extension")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Chen Jun <chenjun102@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>