From 0430080a16b88626c543f03fdf7c31db241e8a16 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 30 Jul 2025 16:46:02 -0700
Subject: [PATCH] parser: drop unused create_welded_dfablob and related code
Their is no reason for the parse to stitch 2 dfas together this way. In the future there will be better ways to do this using unconpressed dfas. Dropping this also allows for some simplification, in other parts of the code. Drop the dead/unused code
Signed-off-by: John Johansen
---
 parser/libapparmor_re/aare_rules.cc | 88 +--------------------
 parser/libapparmor_re/aare_rules.h | 10 +--
 parser/libapparmor_re/chfa.cc | 115 +---------------------------
 parser/libapparmor_re/chfa.h | 6 +-
 parser/parser_regex.c | 8 +-
 5 files changed, 11 insertions(+), 216 deletions(-)
diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index f63122d97..562f6f563 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -203,7 +203,7 @@ bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm,
 CHFA *aare_rules::create_chfa(int *min_match_len,
 vector &perms_table, optflags const &opts, bool filedfa,
- bool extended_perms, bool prompt)
+ bool extended_perms)
 {
 /* finish constructing the expr tree from the different permission * set nodes */
@@ -329,7 +329,7 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 cerr << "\n";
 }
 }
- chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
+ chfa = new CHFA(dfa, eq, opts, extended_perms);
 if (opts.dump & DUMP_DFA_TRANS_TABLE)
 chfa->dump(cerr);
 if (opts.dump & DUMP_DFA_COMPTRESSED_STATES)
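Review bot: The create_chfa signature being changed in the @@ -203 hunk has no contract comment in view, yet it hands back a raw `CHFA *` that the caller must `delete` (the welded variant removed further down did exactly that), and create_dfablob both null-checks the result and catches an `int` thrown from it. If nothing above line 203 already says so, add a comment above the signature such as `/* Build the DFA for this ruleset and compress it into a CHFA. Returns a heap-allocated CHFA owned by the caller (delete it), NULL on failure; may throw int. */` and spell out what `filedfa` and `extended_perms` select. The body of create_chfa starts in this hunk and continues well past it.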
@@ -350,15 +350,14 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
 vector &perms_table, optflags const &opts, bool filedfa,
- bool extended_perms, bool prompt)
+ bool extended_perms)
 {
 char *buffer = NULL;
 stringstream stream;
 try {
 CHFA *chfa = create_chfa(min_match_len, perms_table,
- opts, filedfa, extended_perms,
- prompt);
+ opts, filedfa, extended_perms);
 if (!chfa) {
 *size = 0;
 return NULL;
@@ -383,82 +382,3 @@ void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
 return buffer;
 }
-
-
-/* create a dfa from the ruleset
- * returns: buffer contain dfa tables, @size set to the size of the tables
- * else NULL on failure, @min_match_len set to the shortest string
- * that can match the dfa for determining xmatch priority.
- */
-void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
- size_t *size, int *min_match_len,
- size_t *new_start,
- vector &perms_table,
- optflags const &opts,
- bool extended_perms, bool prompt)
-{
- int file_min_len;
- vector file_perms;
- CHFA *file_chfa;
- try {
- file_chfa = file_rules->create_chfa(&file_min_len,
- file_perms, opts,
- true, extended_perms, prompt);
- if (!file_chfa) {
- *size = 0;
- return NULL;
- }
- }
- catch(int error) {
- *size = 0;
- return NULL;
- }
-
- CHFA *policy_chfa;
- try {
- policy_chfa = create_chfa(min_match_len,
- perms_table, opts,
- false, extended_perms, prompt);
- if (!policy_chfa) {
- delete file_chfa;
- *size = 0;
- return NULL;
- }
- }
- catch(int error) {
- delete file_chfa;
- *size = 0;
- return NULL;
- }
-
- stringstream stream;
- try {
- policy_chfa->weld_file_to_policy(*file_chfa, *new_start,
- extended_perms, prompt,
- perms_table, file_perms);
- policy_chfa->flex_table(stream, opts);
- }
- catch(int error) {
- delete (file_chfa);
- delete (policy_chfa);
- *size = 0;
- return NULL;
- }
- delete file_chfa;
- delete policy_chfa;
-
- /* write blob to buffer */
- stringbuf *buf = stream.rdbuf();
-
- buf->pubseekpos(0);
- *size = buf->in_avail();
- if (file_min_len < *min_match_len)
- *min_match_len = file_min_len;
-
- char *buffer = (char *)malloc(*size);
- if (!buffer)
- return NULL;
- buf->sgetn(buffer, *size);
-
- return buffer;
-}
diff --git a/parser/libapparmor_re/aare_rules.h b/parser/libapparmor_re/aare_rules.h
index 45f277f02..03e33b6b1 100644
--- a/parser/libapparmor_re/aare_rules.h
+++ b/parser/libapparmor_re/aare_rules.h
@@ -123,17 +123,11 @@ class aare_rules {
 CHFA *create_chfa(int *min_match_len, std::vector &perms_table, optflags const &opts, bool filedfa,
- bool extended_perms, bool prompt);
+ bool extended_perms);
 void *create_dfablob(size_t *size, int *min_match_len, std::vector &perms_table, optflags const &opts,
- bool filedfa, bool extended_perms, bool prompt);
- void *create_welded_dfablob(aare_rules *file_rules,
- size_t *size, int *min_match_len,
- size_t *new_start,
- std::vector &perms_table,
- optflags const &opts,
- bool extended_perms, bool prompt);
+ bool filedfa, bool extended_perms);
 };
 #endif /* __LIBAA_RE_RULES_H */
diff --git a/parser/libapparmor_re/chfa.cc b/parser/libapparmor_re/chfa.cc
index 74a0c995e..75300cb35 100644
--- a/parser/libapparmor_re/chfa.cc
+++ b/parser/libapparmor_re/chfa.cc
@@ -59,7 +59,7 @@ void CHFA::init_free_list(vector > &free_list,
 * permtable index flag */
 CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts,
- bool permindex, bool prompt): eq(eq)
+ bool permindex): eq(eq)
 {
 if (opts.dump & DUMP_DFA_TRANS_PROGRESS)
 fprintf(stderr, "Compressing HFA:\r");
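Review bot: The comment block ending at `* permtable index flag */` directly above `CHFA::CHFA` in the chfa.cc hunk reads like a per-parameter description, and the hunk removes the `prompt` parameter without touching that block; if it carries an entry for `prompt`, that entry is now stale and should be dropped in the same commit. The constructor body lies outside the hunk, so whether `prompt` was ever read there cannot be confirmed from this diff; since the commit is described as removing unused code, a sentence in the message stating that the constructor never consumed `prompt` would make that explicit. The constructor continues past the hunk.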
@@ -515,116 +515,3 @@ void CHFA::flex_table(ostream &os, optflags const &opts) {
 flex_table_serialize(*this, os, (1 << 16) - 1);
 }
 }
-
-/*
- * @file_chfa: chfa to add on to the policy chfa
- * @new_start: new start state for where the @file_dfa is in the new chfa
- *
- * Make a new chfa that is a combination of policy and file chfas. It
- * assumes policy is built with AA_CLASS_FILE support transition. The
- * resultant chfa will have file states and indexes offset except for
- * start and null states.
- *
- * NOTE:
- * - modifies chfa
- * requires:
- * - no ec
- * - policy chfa has transitions state[start].next[AA_CLASS_FILE]
- * - policy perms table is build if using permstable
-
- */
-void CHFA::weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
- bool accept_idx, bool prompt,
- vector &policy_perms,
- vector &file_perms)
-{
- // doesn't support remapping eq classes yet
- if (eq.size() > 0 || file_chfa.eq.size() > 0)
- throw 1;
-
- size_t old_base_size = default_base.size();
- size_t old_next_size = next_check.size();
-
- const State *nonmatching = default_base[0].first;
- //const State *start = default_base[1].first;
- const State *file_nonmatching = file_chfa.default_base[0].first;
-
- // renumber states from file_dfa by appending to policy dfa
- num.insert(make_pair(file_nonmatching, 0)); // remap to policy nonmatching
- for (map::iterator i = file_chfa.num.begin(); i != file_chfa.num.end() ; i++) {
- if (i->first == file_nonmatching)
- continue;
- num.insert(make_pair(i->first, i->second + old_base_size));
- }
-
- // handle default and base table expansion, and setup renumbering
- // while we remap file_nonmatch within the table, we still keep its
- // slot.
- bool first = true;
- for (DefaultBase::iterator i = file_chfa.default_base.begin(); i != file_chfa.default_base.end(); i++) {
- const State *def;
- size_t base;
- if (first) {
- first = false;
- // remap file_nonmatch to nonmatch
- def = nonmatching;
- base = 0;
- } else {
- def = i->first;
- base = i->second + old_next_size;
- }
- default_base.push_back(make_pair(def, base));
- }
-
- // mapping for these are handled by num[]
- for (NextCheck::iterator i = file_chfa.next_check.begin(); i != file_chfa.next_check.end(); i++) {
- next_check.push_back(*i);
- }
-
- // append file perms to policy perms, and rework permsidx if needed
- if (accept_idx) {
- // policy idx double
- // file + doubled offset
- // Requires: policy perms table, so we can double and
- // update indexes
- // * file perm idx to start on even idx
- // * policy perms table size to double and entries
- // to repeat
- assert(accept.size() == old_base_size);
- accept.resize(accept.size() + file_chfa.accept.size());
- assert(policy_perms.size() < std::numeric_limits::max());
- ssize_t size = (ssize_t) policy_perms.size();
- policy_perms.resize(size*2 + file_perms.size());
- // shift and double the policy perms
- for (ssize_t i = size - 1; i >= 0; i--) {
- policy_perms[i*2] = policy_perms[i];
- policy_perms[i*2 + 1] = policy_perms[i];
- }
- // update policy accept idx for the new shifted perms table
- for (size_t i = 0; i < old_base_size; i++) {
- accept[i] = accept[i]*2;
- }
- // copy over file perms
- for (size_t i = 0; i < file_perms.size(); i++) {
- policy_perms[size*2 + i] = file_perms[i];
- }
- // shift file accept indexs
- for (size_t i = 0; i < file_chfa.accept.size(); i++) {
- accept[old_base_size + i] = file_chfa.accept[i] + size*2;
- }
- } else {
- // perms are stored in accept just append the perms
- size_t size = accept.size();
- accept.resize(size + file_chfa.accept.size());
- accept2.resize(size + file_chfa.accept.size());
- for (size_t i = 0; i < file_chfa.accept.size(); i++) {
- 
accept[size + i] = file_chfa.accept[i];
- accept2[size + i] = file_chfa.accept2[i];
- }
- }
-
- // Rework transition state[start].next[AA_CLASS_FILE]
- next_check[default_base[1].second + AA_CLASS_FILE].first = file_chfa.start;
-
- new_start = num[file_chfa.start];
-}
diff --git a/parser/libapparmor_re/chfa.h b/parser/libapparmor_re/chfa.h
index 983c664e9..0e567c8f5 100644
--- a/parser/libapparmor_re/chfa.h
+++ b/parser/libapparmor_re/chfa.h
@@ -39,7 +39,7 @@ class CHFA {
 public:
 CHFA(void);
 CHFA(DFA &dfa, std::map &eq, optflags const &opts,
- bool permindex, bool prompt);
+ bool permindex);
 void dump(ostream & os);
 void flex_table(ostream &os, optflags const &opts);
 void init_free_list(std::vector > &free_list,
@@ -48,10 +48,6 @@ class CHFA {
 StateTrans &cases);
 void insert_state(std::vector > &free_list,
 State *state, DFA &dfa);
- void weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
- bool accept_idx, bool prompt,
- std::vector &policy_perms,
- std::vector &file_perms);
 // private:
 // sigh templates suck, friend declaration does not work so for now
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 97225d82a..0834f2c5d 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -578,7 +578,7 @@ build:
 *
 * we don't need to build xmatch for permstable32, so don't
 */
- prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false, false);
+ prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false);
 delete rules;
 if (!prof->xmatch)
 return false;
@@ -791,8 +791,7 @@ int process_profile_regex(Profile *prof)
 prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, &xmatch_len, prof->dfa.perms_table, parseopts, true,
- kernel_supports_permstable32,
- prof->uses_prompt_rules);
+ kernel_supports_permstable32);
 delete prof->dfa.rules;
 prof->dfa.rules = NULL;
 if (!prof->dfa.dfa)
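Review bot: In the @@ -578 hunk the rewritten xmatch call now ends in two adjacent bare booleans, `parseopts, false, false);`, which per the aare_rules.h declaration in this patch are `filedfa` and `extended_perms`; after deleting one positional bool these are easy to misalign in a later edit. Annotate them at the call site, `parseopts, /* filedfa */ false, /* extended_perms */ false);`, since the comment above the call only explains why xmatch skips permstable32 and says nothing about what the flags select. The enclosing function extends beyond the hunk.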
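Review bot: `prof->uses_prompt_rules` stops being passed into the DFA build in the @@ -791 hunk (and at the policydb call site that follows), so from this point the prompt flag has no visible influence on the blob handed to the kernel. If prompt handling is now encoded before create_dfablob runs (for example into the perms table) the commit message should say so, because it currently presents the change as pure dead-code removal; and if nothing else reads `uses_prompt_rules`, the field can be retired in the same series. process_profile_regex begins and ends outside the hunk.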
@@ -1159,8 +1158,7 @@ int process_profile_policydb(Profile *prof)
 &xmatch_len, prof->policy.perms_table, parseopts, false,
- kernel_supports_permstable32,
- prof->uses_prompt_rules);
+ kernel_supports_permstable32);
 delete prof->policy.rules;
 prof->policy.rules = NULL;