parser: drop support for prompt_compat_permsv1, and prompt_compat_dev

prompt_compat_permsv1 and prompt_compat_dev were used to support prompt during early dev. We do not support any kernel using these so drop them. This also allows us to drop the propogation of prompt as a parameter through several functions. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-21 17:47:10 +00:00 · 2025-07-30 14:50:45 -07:00 · 2025-07-30 14:50:45 -07:00 · 0f36070a54
commit 0f36070a54
parent 392849e518
10 changed files with 20 additions and 102 deletions
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@ -315,7 +315,7 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 		//cerr << "Checking extended perms " << extended_perms << "\n";
 		if (extended_perms) {
 			//cerr << "creating permstable\n";
-			dfa.compute_perms_table(perms_table, prompt);
+			dfa.compute_perms_table(perms_table);
 			// TODO: move perms table to a class
 			if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
 				cerr << "Perms Table size: " << perms_table.size() << "\n";
--- a/parser/libapparmor_re/chfa.cc
+++ b/parser/libapparmor_re/chfa.cc
@ -118,12 +118,10 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
 		accept2.resize(max(dfa.states.size(), (size_t) 2));
 		dfa.nonmatching->map_perms_to_accept(accept[0],
 						     accept2[0],
-						     accept3,
-						     prompt);
+						     accept3);
 		dfa.start->map_perms_to_accept(accept[1],
 					       accept2[1],
-					       accept3,
-					       prompt);
+					       accept3);
 	}
 	next_check.resize(max(optimal, (size_t) dfa.max_range));
 	free_list.resize(next_check.size());
@ -147,8 +145,7 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
 				else
 					(*i)->map_perms_to_accept(accept[num.size()],
 								  accept2[num.size()],
-								  accept3,
-								  prompt);
+								  accept3);
 				num.insert(make_pair(*i, num.size()));
 			}
 			if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
@ -170,8 +167,7 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
 				else
 					i->second->map_perms_to_accept(accept[num.size()],
 								       accept2[num.size()],
-								       accept3,
-								       prompt);
+								       accept3);
 				num.insert(make_pair(i->second, num.size()));
 			}
 			if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@ -1367,13 +1367,12 @@ void DFA::apply_equivalence_classes(map<transchar, transchar> &eq)
 }

 void DFA::compute_perms_table_ent(State *state, size_t pos,
-				  vector <aa_perms> &perms_table,
-				  bool prompt)
+				  vector <aa_perms> &perms_table)
 {
 	uint32_t accept1, accept2, accept3;

 	// until front end doesn't map the way it does
-	state->map_perms_to_accept(accept1, accept2, accept3, prompt);
+	state->map_perms_to_accept(accept1, accept2, accept3);
 	if (filedfa) {
 		state->idx = pos * 2;
 		perms_table[pos*2] = compute_fperms_user(accept1, accept2, accept3);
@ -1384,7 +1383,7 @@ void DFA::compute_perms_table_ent(State *state, size_t pos,
 	}
 }

-void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
+void DFA::compute_perms_table(vector <aa_perms> &perms_table)
 {
 	size_t mult = filedfa ? 2 : 1;
 	size_t pos = 2;
@ -1393,13 +1392,13 @@ void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
 	perms_table.resize(states.size() * mult);

 	// nonmatching and start need to be 0 and 1 so handle outside of loop
-	compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
-	compute_perms_table_ent(start, 1, perms_table, prompt);
+	compute_perms_table_ent(nonmatching, 0, perms_table);
+	compute_perms_table_ent(start, 1, perms_table);

 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
 		if (*i == nonmatching || *i == start)
 			continue;
-		compute_perms_table_ent(*i, pos, perms_table, prompt);
+		compute_perms_table_ent(*i, pos, perms_table);
 		pos++;
 	}
 }
--- a/parser/libapparmor_re/hfa.h
+++ b/parser/libapparmor_re/hfa.h
@ -289,13 +289,10 @@ public:

 	int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); }
 	void map_perms_to_accept(perm32_t &accept1, perm32_t &accept2,
-				 perm32_t &accept3, bool prompt)
+				 perm32_t &accept3)
 	{
 		accept1 = perms.allow;
-		if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV)
-			accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet);
-		else
-			accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet);
+		accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet);
 		accept3 = perms.prompt;
 	}

@ -399,10 +396,8 @@ public:
 	void apply_equivalence_classes(std::map<transchar, transchar> &eq);

 	void compute_perms_table_ent(State *state, size_t pos,
-				     std::vector <aa_perms> &perms_table,
-				     bool prompt);
-	void compute_perms_table(std::vector <aa_perms> &perms_table,
-				 bool prompt);
+				     std::vector <aa_perms> &perms_table);
+  void compute_perms_table(std::vector <aa_perms> &perms_table);

 	unsigned int diffcount;
 	int oob_range;
--- a/parser/libapparmor_re/policy_compat.cc
+++ b/parser/libapparmor_re/policy_compat.cc
@ -133,8 +133,7 @@ struct aa_perms compute_fperms_user(uint32_t accept1, uint32_t accept2,
 	perms.prompt = map_old_perms(dfa_user_allow(accept3));
 	perms.audit = map_old_perms(dfa_user_audit(accept1, accept2));
 	perms.quiet = map_old_perms(dfa_user_quiet(accept1, accept2));
-	if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
-		perms.xindex = dfa_user_xindex(accept1);
+	perms.xindex = dfa_user_xindex(accept1);

 	compute_fperms_allow(&perms, accept1);
 	perms.prompt &= ~(perms.allow | perms.deny);
@ -150,8 +149,7 @@ struct aa_perms compute_fperms_other(uint32_t accept1, uint32_t accept2,
 	perms.prompt = map_old_perms(dfa_other_allow(accept3));
 	perms.audit = map_old_perms(dfa_other_audit(accept1, accept2));
 	perms.quiet = map_old_perms(dfa_other_quiet(accept1, accept2));
-	if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
-		perms.xindex = dfa_other_xindex(accept1);
+	perms.xindex = dfa_other_xindex(accept1);

 	compute_fperms_allow(&perms, accept1);
 	perms.prompt &= ~(perms.allow | perms.deny);
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@ -185,19 +185,9 @@ bool prompt_compat_mode_supported(int mode)
 	if (mode == PROMPT_COMPAT_PERMSV2 &&
 	    (kernel_supports_permstable32 && !kernel_supports_permstable32_v1))
 		return true;
-	/*
-	else if (mode == PROMPT_COMPAT_DEV &&
-		 kernel_supports_promptdev)
-		return true;
-	*/
 	else if (mode == PROMPT_COMPAT_FLAG &&
 		 kernel_supports_permstable32)
 		return true;
-	/*
-	else if (mode == PROMPT_COMPAT_PERMSV1 &&
-		 (kernel_supports_permstable32_v1))
-		return true;
-	*/
 	else if (mode == PROMPT_COMPAT_IGNORE)
 		return true;

@ -208,12 +198,8 @@ int default_prompt_compat_mode()
 {
 	if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV2))
 		return PROMPT_COMPAT_PERMSV2;
-	if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV))
-		return PROMPT_COMPAT_DEV;
 	if (prompt_compat_mode_supported(PROMPT_COMPAT_FLAG))
 		return PROMPT_COMPAT_FLAG;
-	if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1))
-		return PROMPT_COMPAT_PERMSV1;
 	if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE))
 		return PROMPT_COMPAT_IGNORE;
 	return PROMPT_COMPAT_IGNORE;
@ -231,12 +217,6 @@ void print_prompt_compat_mode(FILE *f)
 	case PROMPT_COMPAT_PERMSV2:
 		fprintf(f, "permsv2");
 		break;
-	case PROMPT_COMPAT_PERMSV1:
-		fprintf(f, "permsv1");
-		break;
-	case PROMPT_COMPAT_DEV:
-		fprintf(stderr, "dev");
-		break;
 	default:
 		fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode);
 	}
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@ -797,12 +797,8 @@ static int process_arg(int c, char *optarg)
 	case ARG_PROMPT_COMPAT:
 		if (strcmp(optarg, "permsv2") == 0) {
 			prompt_compat_mode = PROMPT_COMPAT_PERMSV2;
-		} else if (strcmp(optarg, "permsv1") == 0) {
-			prompt_compat_mode = PROMPT_COMPAT_PERMSV1;
 		} else if (strcmp(optarg, "default") == 0) {
 			prompt_compat_mode = default_prompt_compat_mode();
-		} else if (strcmp(optarg, "dev") == 0) {
-			prompt_compat_mode = PROMPT_COMPAT_DEV;
 		} else if (strcmp(optarg, "ignore") == 0) {
 			prompt_compat_mode = PROMPT_COMPAT_IGNORE;
 		} else if (strcmp(optarg, "flag") == 0) {
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@ -244,10 +244,7 @@ int post_process_profile(Profile *profile, int debug_only)

 	error = post_process_policy_list(profile->hat_table, debug_only);

-	if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules)
-		profile->flags.flags |= FLAG_PROMPT_COMPAT;
-
-	else if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules)
+	if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules)
 		profile->flags.mode = MODE_PROMPT;

 	return error;
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -785,7 +785,7 @@ int process_profile_regex(Profile *prof)
 	/* under permstable32_v1 we weld file and policydb together, so
 	 * don't create the file blob here
 	 */
-	if (prof->dfa.rules->rule_count > 0 && prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
+	if (prof->dfa.rules->rule_count > 0) {
 		int xmatch_len = 0;
 		//fprintf(stderr, "Creating file DFA %d\n", kernel_supports_permstable32);
 		prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
@ -797,16 +797,6 @@ int process_profile_regex(Profile *prof)
 		prof->dfa.rules = NULL;
 		if (!prof->dfa.dfa)
 			goto out;
-/*
-		if (prof->dfa_size == 0) {
-			PERROR(_("profile %s: has merged rules (%s) with "
-				 "multiple x modifiers\n"),
-			       prof->name, (char *) prof->dfa);
-			free(prof->dfa);
-			prof->dfa = NULL;
-			goto out;
-		}
-*/
 	}

 	error = 0;
@ -1081,7 +1071,6 @@ static const char *mediates_ns = CLASS_STR(AA_CLASS_NS);
 static const char *mediates_posix_mqueue = CLASS_STR(AA_CLASS_POSIX_MQUEUE);
 static const char *mediates_sysv_mqueue = CLASS_STR(AA_CLASS_SYSV_MQUEUE);
 static const char *mediates_io_uring = CLASS_STR(AA_CLASS_IO_URING);
-static const char *deny_file = ".*";

 /* Set the mediates priority to the maximum possible. This is to help
 * ensure that the mediates information is not wiped out by a rule
@ -1164,37 +1153,7 @@ int process_profile_policydb(Profile *prof)
 			goto out;
 	}

-	if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
-		// MUST have file and policy
-		// This requires file rule processing happen first
-		if (!prof->dfa.rules->rule_count) {
-			// add null dfa
-			if (!prof->dfa.rules->add_rule(deny_file, 0, RULE_DENY, AA_MAY_READ, 0, parseopts))
-				goto out;
-		}
-		if (!prof->policy.rules->rule_count) {
-			if (!prof->policy.rules->add_rule(mediates_file, 0, RULE_DENY, AA_MAY_READ, 0, parseopts))
-				goto out;
-		}
-		int xmatch_len = 0;
-		prof->policy.dfa = prof->policy.rules->create_welded_dfablob(
-					prof->dfa.rules,
-					&prof->policy.size,
-					&xmatch_len,
-					&prof->policy.file_start,
-					prof->policy.perms_table, parseopts,
-					kernel_supports_permstable32_v1,
-					prof->uses_prompt_rules);
-		delete prof->policy.rules;
-		delete prof->dfa.rules;
-		prof->policy.rules = NULL;
-		prof->dfa.rules = NULL;
-		if (!prof->policy.dfa)
-			goto out;
-	} else if (prof->policy.rules->rule_count > 0 &&
-		   // yes not needed as covered above, just making sure
-		   // this doesn't get messed up in the future
-		   prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
+	if (prof->policy.rules->rule_count > 0) {
 		int xmatch_len = 0;
 		prof->policy.dfa = prof->policy.rules->create_dfablob(&prof->policy.size,
 						&xmatch_len,
--- a/parser/rule.h
+++ b/parser/rule.h
@ -28,9 +28,7 @@
 #define PROMPT_COMPAT_UNKNOWN  0
 #define PROMPT_COMPAT_IGNORE  1
 #define PROMPT_COMPAT_PERMSV2 2
-#define PROMPT_COMPAT_DEV 3
 #define PROMPT_COMPAT_FLAG 4
-#define PROMPT_COMPAT_PERMSV1 5


 class Profile;