diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index f2ddc564c..f63122d97 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -315,7 +315,7 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 //cerr << "Checking extended perms " << extended_perms << "\n";
 if (extended_perms) {
 //cerr << "creating permstable\n";
- dfa.compute_perms_table(perms_table, prompt);
+ dfa.compute_perms_table(perms_table);
 // TODO: move perms table to a class
 if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) {
 cerr << "Perms Table size: " << perms_table.size() << "\n";
diff --git a/parser/libapparmor_re/chfa.cc b/parser/libapparmor_re/chfa.cc
index d0e3a60af..74a0c995e 100644
--- a/parser/libapparmor_re/chfa.cc
+++ b/parser/libapparmor_re/chfa.cc
@@ -118,12 +118,10 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts,
 accept2.resize(max(dfa.states.size(), (size_t) 2));
 dfa.nonmatching->map_perms_to_accept(accept[0], accept2[0],
- accept3,
- prompt);
+ accept3);
 dfa.start->map_perms_to_accept(accept[1], accept2[1],
- accept3,
- prompt);
+ accept3);
 }
 next_check.resize(max(optimal, (size_t) dfa.max_range));
 free_list.resize(next_check.size());
@@ -147,8 +145,7 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts,
 else
 (*i)->map_perms_to_accept(accept[num.size()],
 accept2[num.size()],
- accept3,
- prompt);
+ accept3);
 num.insert(make_pair(*i, num.size()));
 }
 if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
@@ -170,8 +167,7 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts,
 else
 i->second->map_perms_to_accept(accept[num.size()],
 accept2[num.size()],
- accept3,
- prompt);
+ accept3);
 num.insert(make_pair(i->second, num.size()));
 }
 if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc
index 45e0dff04..75699ce8a 100644
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@@ -1367,13 +1367,12 @@ void DFA::apply_equivalence_classes(map &eq)
 }
 void DFA::compute_perms_table_ent(State *state, size_t pos,
- vector &perms_table,
- bool prompt)
+ vector &perms_table)
 {
 uint32_t accept1, accept2, accept3;
 // until front end doesn't map the way it does
- state->map_perms_to_accept(accept1, accept2, accept3, prompt);
+ state->map_perms_to_accept(accept1, accept2, accept3);
 if (filedfa) {
 state->idx = pos * 2;
 perms_table[pos*2] = compute_fperms_user(accept1, accept2, accept3);
@@ -1384,7 +1383,7 @@ void DFA::compute_perms_table_ent(State *state, size_t pos,
 }
 }
-void DFA::compute_perms_table(vector &perms_table, bool prompt)
+void DFA::compute_perms_table(vector &perms_table)
 {
 size_t mult = filedfa ? 2 : 1;
 size_t pos = 2;
@@ -1393,13 +1392,13 @@ void DFA::compute_perms_table(vector &perms_table, bool prompt)
 perms_table.resize(states.size() * mult);
 // nonmatching and start need to be 0 and 1 so handle outside of loop
- compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
- compute_perms_table_ent(start, 1, perms_table, prompt);
+ compute_perms_table_ent(nonmatching, 0, perms_table);
+ compute_perms_table_ent(start, 1, perms_table);
 for (Partition::iterator i = states.begin(); i != states.end(); i++) {
 if (*i == nonmatching || *i == start)
 continue;
- compute_perms_table_ent(*i, pos, perms_table, prompt);
+ compute_perms_table_ent(*i, pos, perms_table);
 pos++;
 }
 }
diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h
index c442a6a0f..8b00b1b63 100644
--- a/parser/libapparmor_re/hfa.h
+++ b/parser/libapparmor_re/hfa.h
@@ -289,13 +289,10 @@ public:
 int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); }
 void map_perms_to_accept(perm32_t &accept1, perm32_t &accept2,
- perm32_t &accept3, bool prompt)
+ perm32_t &accept3)
 {
 accept1 = perms.allow;
- if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV)
- accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet);
- else
- accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet);
+ accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet);
 accept3 = perms.prompt;
 }
@@ -399,10 +396,8 @@ public:
 void apply_equivalence_classes(std::map &eq);
 void compute_perms_table_ent(State *state, size_t pos,
- std::vector &perms_table,
- bool prompt);
- void compute_perms_table(std::vector &perms_table,
- bool prompt);
+ std::vector &perms_table);
+ void compute_perms_table(std::vector &perms_table);
 unsigned int diffcount;
 int oob_range;
diff --git a/parser/libapparmor_re/policy_compat.cc b/parser/libapparmor_re/policy_compat.cc
index 5e0e0ae83..d72a1a2b3 100644
--- a/parser/libapparmor_re/policy_compat.cc
+++ b/parser/libapparmor_re/policy_compat.cc
@@ -133,8 +133,7 @@ struct aa_perms compute_fperms_user(uint32_t accept1, uint32_t accept2,
 perms.prompt = map_old_perms(dfa_user_allow(accept3));
 perms.audit = map_old_perms(dfa_user_audit(accept1, accept2));
 perms.quiet = map_old_perms(dfa_user_quiet(accept1, accept2));
- if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
- perms.xindex = dfa_user_xindex(accept1);
+ perms.xindex = dfa_user_xindex(accept1);
 compute_fperms_allow(&perms, accept1);
 perms.prompt &= ~(perms.allow | perms.deny);
@@ -150,8 +149,7 @@ struct aa_perms compute_fperms_other(uint32_t accept1, uint32_t accept2,
 perms.prompt = map_old_perms(dfa_other_allow(accept3));
 perms.audit = map_old_perms(dfa_other_audit(accept1, accept2));
 perms.quiet = map_old_perms(dfa_other_quiet(accept1, accept2));
- if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1)
- perms.xindex = dfa_other_xindex(accept1);
+ perms.xindex = dfa_other_xindex(accept1);
 compute_fperms_allow(&perms, accept1);
 perms.prompt &= ~(perms.allow | perms.deny);
diff --git a/parser/parser_common.c b/parser/parser_common.c
index ca9457c94..7b9effdcd 100644
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -185,19 +185,9 @@ bool prompt_compat_mode_supported(int mode)
 if (mode == PROMPT_COMPAT_PERMSV2 &&
 (kernel_supports_permstable32 && !kernel_supports_permstable32_v1))
 return true;
- /*
- else if (mode == PROMPT_COMPAT_DEV &&
- kernel_supports_promptdev)
- return true;
- */
 else if (mode == PROMPT_COMPAT_FLAG &&
 kernel_supports_permstable32)
 return true;
- /*
- else if (mode == PROMPT_COMPAT_PERMSV1 &&
- (kernel_supports_permstable32_v1))
- return true;
- */
 else if (mode == PROMPT_COMPAT_IGNORE)
 return true;
@@ -208,12 +198,8 @@ int default_prompt_compat_mode()
 {
 if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV2))
 return PROMPT_COMPAT_PERMSV2;
- if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV))
- return PROMPT_COMPAT_DEV;
 if (prompt_compat_mode_supported(PROMPT_COMPAT_FLAG))
 return PROMPT_COMPAT_FLAG;
- if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1))
- return PROMPT_COMPAT_PERMSV1;
 if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE))
 return PROMPT_COMPAT_IGNORE;
 return PROMPT_COMPAT_IGNORE;
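Review bot: With the PROMPT_COMPAT_PERMSV1 probe removed from `default_prompt_compat_mode`, a kernel for which `kernel_supports_permstable32_v1` is set presumably also sets `kernel_supports_permstable32`, so it now fails the PERMSV2 check (`!kernel_supports_permstable32_v1`) and is selected into PROMPT_COMPAT_FLAG instead of the v1 permission table it used to get. If that is the intended outcome for such kernels, a comment above the FLAG probe, e.g. `/* v1-only permstable32 kernels fall through to FLAG mode now that PERMSV1 is gone */`, records the decision; if not, this function needs an explicit case for them. Separately, the trailing `return PROMPT_COMPAT_IGNORE;` makes the preceding `if` redundant, which predates this commit but could be collapsed while the function is being touched.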
@@ -231,12 +217,6 @@ void print_prompt_compat_mode(FILE *f)
 case PROMPT_COMPAT_PERMSV2:
 fprintf(f, "permsv2");
 break;
- case PROMPT_COMPAT_PERMSV1:
- fprintf(f, "permsv1");
- break;
- case PROMPT_COMPAT_DEV:
- fprintf(stderr, "dev");
- break;
 default:
 fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode);
 }
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 960a688b7..4605f41cb 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -797,12 +797,8 @@ static int process_arg(int c, char *optarg)
 case ARG_PROMPT_COMPAT:
 if (strcmp(optarg, "permsv2") == 0) {
 prompt_compat_mode = PROMPT_COMPAT_PERMSV2;
- } else if (strcmp(optarg, "permsv1") == 0) {
- prompt_compat_mode = PROMPT_COMPAT_PERMSV1;
 } else if (strcmp(optarg, "default") == 0) {
 prompt_compat_mode = default_prompt_compat_mode();
- } else if (strcmp(optarg, "dev") == 0) {
- prompt_compat_mode = PROMPT_COMPAT_DEV;
 } else if (strcmp(optarg, "ignore") == 0) {
 prompt_compat_mode = PROMPT_COMPAT_IGNORE;
 } else if (strcmp(optarg, "flag") == 0) {
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 7e0743f3d..2023decdf 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -244,10 +244,7 @@ int post_process_profile(Profile *profile, int debug_only)
 error = post_process_policy_list(profile->hat_table, debug_only);
- if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules)
- profile->flags.flags |= FLAG_PROMPT_COMPAT;
-
- else if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules)
+ if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules)
 profile->flags.mode = MODE_PROMPT;
 return error;
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 014ca27e9..97225d82a 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
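Review bot: `permsv1` and `dev` are no longer accepted for ARG_PROMPT_COMPAT, so a caller still passing either now reaches the final branch of this `strcmp` chain, which lies outside the hunk; if that branch rejects unknown values, existing invocations start failing at option parsing, which is the right outcome but should be reflected in the option's usage text and man page in the same change so the documented and accepted value sets stay aligned. As far as the hunk shows, the remaining accepted values are `permsv2`, `default`, `ignore` and `flag`. process_arg continues outside the hunk.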
@@ -785,7 +785,7 @@ int process_profile_regex(Profile *prof)
 /* under permstable32_v1 we weld file and policydb together, so
 * don't create the file blob here */
- if (prof->dfa.rules->rule_count > 0 && prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
+ if (prof->dfa.rules->rule_count > 0) {
 int xmatch_len = 0;
 //fprintf(stderr, "Creating file DFA %d\n", kernel_supports_permstable32);
 prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
@@ -797,16 +797,6 @@ int process_profile_regex(Profile *prof)
 prof->dfa.rules = NULL;
 if (!prof->dfa.dfa)
 goto out;
-/*
- if (prof->dfa_size == 0) {
- PERROR(_("profile %s: has merged rules (%s) with "
- "multiple x modifiers\n"),
- prof->name, (char *) prof->dfa);
- free(prof->dfa);
- prof->dfa = NULL;
- goto out;
- }
-*/
 }
 error = 0;
@@ -1081,7 +1071,6 @@ static const char *mediates_ns = CLASS_STR(AA_CLASS_NS);
 static const char *mediates_posix_mqueue = CLASS_STR(AA_CLASS_POSIX_MQUEUE);
 static const char *mediates_sysv_mqueue = CLASS_STR(AA_CLASS_SYSV_MQUEUE);
 static const char *mediates_io_uring = CLASS_STR(AA_CLASS_IO_URING);
-static const char *deny_file = ".*";
 /* Set the mediates priority to the maximum possible. This is to help
 * ensure that the mediates information is not wiped out by a rule
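Review bot: The comment kept above the new `if (prof->dfa.rules->rule_count > 0) {`, `/* under permstable32_v1 we weld file and policydb together, so * don't create the file blob here */`, now explains a condition the line beneath it no longer tests, because the `prompt_compat_mode != PROMPT_COMPAT_PERMSV1` clause it described is what this hunk removes. It should go with the clause, or be reduced to something like `/* build the file blob whenever the profile has file rules */`. The welded path it refers to is deleted from process_profile_policydb later in this file, so after this commit nothing in the parser welds the two DFAs. process_profile_regex continues past both ends of the hunk.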
@@ -1164,37 +1153,7 @@ int process_profile_policydb(Profile *prof)
 goto out;
 }
- if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
- // MUST have file and policy
- // This requires file rule processing happen first
- if (!prof->dfa.rules->rule_count) {
- // add null dfa
- if (!prof->dfa.rules->add_rule(deny_file, 0, RULE_DENY, AA_MAY_READ, 0, parseopts))
- goto out;
- }
- if (!prof->policy.rules->rule_count) {
- if (!prof->policy.rules->add_rule(mediates_file, 0, RULE_DENY, AA_MAY_READ, 0, parseopts))
- goto out;
- }
- int xmatch_len = 0;
- prof->policy.dfa = prof->policy.rules->create_welded_dfablob(
- prof->dfa.rules,
- &prof->policy.size,
- &xmatch_len,
- &prof->policy.file_start,
- prof->policy.perms_table, parseopts,
- kernel_supports_permstable32_v1,
- prof->uses_prompt_rules);
- delete prof->policy.rules;
- delete prof->dfa.rules;
- prof->policy.rules = NULL;
- prof->dfa.rules = NULL;
- if (!prof->policy.dfa)
- goto out;
- } else if (prof->policy.rules->rule_count > 0 &&
- // yes not needed as covered above, just making sure
- // this doesn't get messed up in the future
- prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
+ if (prof->policy.rules->rule_count > 0) {
 int xmatch_len = 0;
 prof->policy.dfa = prof->policy.rules->create_dfablob(&prof->policy.size,
 &xmatch_len,
diff --git a/parser/rule.h b/parser/rule.h
index f8a101634..6a0bec8ae 100644
--- a/parser/rule.h
+++ b/parser/rule.h
@@ -28,9 +28,7 @@
 #define PROMPT_COMPAT_UNKNOWN 0
 #define PROMPT_COMPAT_IGNORE 1
 #define PROMPT_COMPAT_PERMSV2 2
-#define PROMPT_COMPAT_DEV 3
 #define PROMPT_COMPAT_FLAG 4
-#define PROMPT_COMPAT_PERMSV1 5
 class Profile;
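Review bot: Dropping `#define PROMPT_COMPAT_DEV 3` and `#define PROMPT_COMPAT_PERMSV1 5` leaves 3 and 5 as unused gaps between the remaining modes, and a later mode defined with one of those numbers would inherit whatever meaning the old value still carries wherever it was recorded (the `'%d'` fallback in print_prompt_compat_mode is one visible place the raw number can surface). A one-line note beside the remaining defines, `/* 3 and 5 were PROMPT_COMPAT_DEV and PROMPT_COMPAT_PERMSV1, retired; do not reuse */`, makes that explicit. If these values never leave the process, renumbering PROMPT_COMPAT_FLAG to 3 is the simpler alternative, but whether they are persisted or serialized anywhere is not visible from this diff.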