From 0f36070a54764deb6e5186443d81ba05ea17216a Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 30 Jul 2025 14:50:45 -0700 Subject: [PATCH] parser: drop support for prompt_compat_permsv1, and prompt_compat_dev prompt_compat_permsv1 and prompt_compat_dev were used to support prompt during early dev. We do not support any kernel using these so drop them. This also allows us to drop the propogation of prompt as a parameter through several functions. Signed-off-by: John Johansen --- parser/libapparmor_re/aare_rules.cc | 2 +- parser/libapparmor_re/chfa.cc | 12 +++---- parser/libapparmor_re/hfa.cc | 13 ++++---- parser/libapparmor_re/hfa.h | 13 +++----- parser/libapparmor_re/policy_compat.cc | 6 ++-- parser/parser_common.c | 20 ------------ parser/parser_main.c | 4 --- parser/parser_policy.c | 5 +-- parser/parser_regex.c | 45 ++------------------------ parser/rule.h | 2 -- 10 files changed, 20 insertions(+), 102 deletions(-) diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc index f2ddc564c..f63122d97 100644 --- a/parser/libapparmor_re/aare_rules.cc +++ b/parser/libapparmor_re/aare_rules.cc @@ -315,7 +315,7 @@ CHFA *aare_rules::create_chfa(int *min_match_len, //cerr << "Checking extended perms " << extended_perms << "\n"; if (extended_perms) { //cerr << "creating permstable\n"; - dfa.compute_perms_table(perms_table, prompt); + dfa.compute_perms_table(perms_table); // TODO: move perms table to a class if (opts.dump & DUMP_DFA_TRANS_TABLE && perms_table.size()) { cerr << "Perms Table size: " << perms_table.size() << "\n"; diff --git a/parser/libapparmor_re/chfa.cc b/parser/libapparmor_re/chfa.cc index d0e3a60af..74a0c995e 100644 --- a/parser/libapparmor_re/chfa.cc +++ b/parser/libapparmor_re/chfa.cc 
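Review bot: The changed `dfa.compute_perms_table(perms_table);` call is the only edit in aare_rules.cc, so if `create_chfa` (its parameter list continues outside the hunk) still receives a `prompt` argument, that parameter is now unused in this function and will warn under `-Wunused-parameter`. The commit message says prompt propagation is dropped, but aare_rules.h is not in the diffstat, so `create_chfa`, `create_dfablob` and `create_welded_dfablob` presumably still carry it; remove it from those signatures and their callers in the same commit, or mark it `[[maybe_unused]]` with a comment stating why it is kept. If `create_welded_dfablob` has no caller left after the parser_regex.c hunk removes the permsv1 path, it can go as well. The body of create_chfa starts and ends outside the hunk.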
@@ -118,12 +118,10 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, accept2.resize(max(dfa.states.size(), (size_t) 2)); dfa.nonmatching->map_perms_to_accept(accept[0], accept2[0], - accept3, - prompt); + accept3); dfa.start->map_perms_to_accept(accept[1], accept2[1], - accept3, - prompt); + accept3); } next_check.resize(max(optimal, (size_t) dfa.max_range)); free_list.resize(next_check.size()); @@ -147,8 +145,7 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, else (*i)->map_perms_to_accept(accept[num.size()], accept2[num.size()], - accept3, - prompt); + accept3); num.insert(make_pair(*i, num.size())); } if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) { @@ -170,8 +167,7 @@ CHFA::CHFA(DFA &dfa, map &eq, optflags const &opts, else i->second->map_perms_to_accept(accept[num.size()], accept2[num.size()], - accept3, - prompt); + accept3); num.insert(make_pair(i->second, num.size())); } if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) { diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc index 45e0dff04..75699ce8a 100644 --- a/parser/libapparmor_re/hfa.cc +++ b/parser/libapparmor_re/hfa.cc @@ -1367,13 +1367,12 @@ void DFA::apply_equivalence_classes(map &eq) } void DFA::compute_perms_table_ent(State *state, size_t pos, - vector &perms_table, - bool prompt) + vector &perms_table) { uint32_t accept1, accept2, accept3; // until front end doesn't map the way it does - state->map_perms_to_accept(accept1, accept2, accept3, prompt); + state->map_perms_to_accept(accept1, accept2, accept3); if (filedfa) { state->idx = pos * 2; perms_table[pos*2] = compute_fperms_user(accept1, accept2, accept3); @@ -1384,7 +1383,7 @@ void DFA::compute_perms_table_ent(State *state, size_t pos, } } -void DFA::compute_perms_table(vector &perms_table, bool prompt) +void DFA::compute_perms_table(vector &perms_table) { size_t mult = filedfa ? 2 : 1; size_t pos = 2; 
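Review bot: `compute_perms_table_ent` in the hfa.cc hunk gets its signature rewritten but still has no header comment, and the body encodes a table layout worth stating: `state->idx = pos * 2` and `perms_table[pos*2] = compute_fperms_user(...)` show a file dfa gives each state two consecutive entries starting at `pos*2` (the second entry and the non-file branch are outside the hunk, so confirm it is `other` at `pos*2+1` and a single entry at `pos` otherwise). Suggest above the definition `/* Fill perms_table for state at slot pos; file dfas use two entries per state (user, then other) and record the base index in state->idx. */`. The `// until front end doesn't map the way it does` comment no longer says which mapping it is waiting on and should be reworded or dropped.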
@@ -1393,13 +1392,13 @@ void DFA::compute_perms_table(vector &perms_table, bool prompt) perms_table.resize(states.size() * mult); // nonmatching and start need to be 0 and 1 so handle outside of loop - compute_perms_table_ent(nonmatching, 0, perms_table, prompt); - compute_perms_table_ent(start, 1, perms_table, prompt); + compute_perms_table_ent(nonmatching, 0, perms_table); + compute_perms_table_ent(start, 1, perms_table); for (Partition::iterator i = states.begin(); i != states.end(); i++) { if (*i == nonmatching || *i == start) continue; - compute_perms_table_ent(*i, pos, perms_table, prompt); + compute_perms_table_ent(*i, pos, perms_table); pos++; } } diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h index c442a6a0f..8b00b1b63 100644 --- a/parser/libapparmor_re/hfa.h +++ b/parser/libapparmor_re/hfa.h @@ -289,13 +289,10 @@ public: int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); } void map_perms_to_accept(perm32_t &accept1, perm32_t &accept2, - perm32_t &accept3, bool prompt) + perm32_t &accept3) { accept1 = perms.allow; - if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV) - accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet); - else - accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet); + accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet); accept3 = perms.prompt; } @@ -399,10 +396,8 @@ public: void apply_equivalence_classes(std::map &eq); void compute_perms_table_ent(State *state, size_t pos, - std::vector &perms_table, - bool prompt); - void compute_perms_table(std::vector &perms_table, - bool prompt); + std::vector &perms_table); + void compute_perms_table(std::vector &perms_table); unsigned int diffcount; int oob_range; diff --git a/parser/libapparmor_re/policy_compat.cc b/parser/libapparmor_re/policy_compat.cc index 5e0e0ae83..d72a1a2b3 100644 --- a/parser/libapparmor_re/policy_compat.cc +++ b/parser/libapparmor_re/policy_compat.cc 
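Review bot: `map_perms_to_accept` in the hfa.h hunk is now a fixed three-line packing with no comment saying what the three words mean, and the enclosing class starts and ends outside the hunk. Suggest above it `/* Pack this state's perms into the accept words: accept1 = allow, accept2 = PACK_AUDIT_CTL(audit, quiet), accept3 = prompt. */`. Since the function no longer consults `prompt_compat_mode` and only reads `perms`, it can also be declared `const` (`perm32_t &accept3) const`), which lets callers holding a `const State` use it.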
@@ -133,8 +133,7 @@ struct aa_perms compute_fperms_user(uint32_t accept1, uint32_t accept2, perms.prompt = map_old_perms(dfa_user_allow(accept3)); perms.audit = map_old_perms(dfa_user_audit(accept1, accept2)); perms.quiet = map_old_perms(dfa_user_quiet(accept1, accept2)); - if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1) - perms.xindex = dfa_user_xindex(accept1); + perms.xindex = dfa_user_xindex(accept1); compute_fperms_allow(&perms, accept1); perms.prompt &= ~(perms.allow | perms.deny); @@ -150,8 +149,7 @@ struct aa_perms compute_fperms_other(uint32_t accept1, uint32_t accept2, perms.prompt = map_old_perms(dfa_other_allow(accept3)); perms.audit = map_old_perms(dfa_other_audit(accept1, accept2)); perms.quiet = map_old_perms(dfa_other_quiet(accept1, accept2)); - if (prompt_compat_mode != PROMPT_COMPAT_PERMSV1) - perms.xindex = dfa_other_xindex(accept1); + perms.xindex = dfa_other_xindex(accept1); compute_fperms_allow(&perms, accept1); perms.prompt &= ~(perms.allow | perms.deny); diff --git a/parser/parser_common.c b/parser/parser_common.c index ca9457c94..7b9effdcd 100644 --- a/parser/parser_common.c +++ b/parser/parser_common.c @@ -185,19 +185,9 @@ bool prompt_compat_mode_supported(int mode) if (mode == PROMPT_COMPAT_PERMSV2 && (kernel_supports_permstable32 && !kernel_supports_permstable32_v1)) return true; - /* - else if (mode == PROMPT_COMPAT_DEV && - kernel_supports_promptdev) - return true; - */ else if (mode == PROMPT_COMPAT_FLAG && kernel_supports_permstable32) return true; - /* - else if (mode == PROMPT_COMPAT_PERMSV1 && - (kernel_supports_permstable32_v1)) - return true; - */ else if (mode == PROMPT_COMPAT_IGNORE) return true; 
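Review bot: With the commented-out permsv1 branch gone from `prompt_compat_mode_supported`, `kernel_supports_permstable32_v1` survives in the function only as the negated half of the PERMSV2 condition, and a reader will wonder why a probe for a dropped mode is still consulted. A comment on that `if`, `/* v1 permstable kernels are no longer supported; refuse permsv2 on them so selection falls through to flag/ignore */`, would make the intent explicit (I am inferring the intent from the condition, so confirm it). `kernel_supports_promptdev`, referenced only inside the removed comment block, may now be dead in the parser if nothing else reads it. Any code before line 185 of this function is outside the hunk.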
@@ -208,12 +198,8 @@ int default_prompt_compat_mode() { if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV2)) return PROMPT_COMPAT_PERMSV2; - if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV)) - return PROMPT_COMPAT_DEV; if (prompt_compat_mode_supported(PROMPT_COMPAT_FLAG)) return PROMPT_COMPAT_FLAG; - if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1)) - return PROMPT_COMPAT_PERMSV1; if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE)) return PROMPT_COMPAT_IGNORE; return PROMPT_COMPAT_IGNORE; @@ -231,12 +217,6 @@ void print_prompt_compat_mode(FILE *f) case PROMPT_COMPAT_PERMSV2: fprintf(f, "permsv2"); break; - case PROMPT_COMPAT_PERMSV1: - fprintf(f, "permsv1"); - break; - case PROMPT_COMPAT_DEV: - fprintf(stderr, "dev"); - break; default: fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode); } diff --git a/parser/parser_main.c b/parser/parser_main.c index 960a688b7..4605f41cb 100644 --- a/parser/parser_main.c +++ b/parser/parser_main.c @@ -797,12 +797,8 @@ static int process_arg(int c, char *optarg) case ARG_PROMPT_COMPAT: if (strcmp(optarg, "permsv2") == 0) { prompt_compat_mode = PROMPT_COMPAT_PERMSV2; - } else if (strcmp(optarg, "permsv1") == 0) { - prompt_compat_mode = PROMPT_COMPAT_PERMSV1; } else if (strcmp(optarg, "default") == 0) { prompt_compat_mode = default_prompt_compat_mode(); - } else if (strcmp(optarg, "dev") == 0) { - prompt_compat_mode = PROMPT_COMPAT_DEV; } else if (strcmp(optarg, "ignore") == 0) { prompt_compat_mode = PROMPT_COMPAT_IGNORE; } else if (strcmp(optarg, "flag") == 0) { diff --git a/parser/parser_policy.c b/parser/parser_policy.c index 7e0743f3d..2023decdf 100644 --- a/parser/parser_policy.c +++ b/parser/parser_policy.c 
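Review bot: After the two removals `default_prompt_compat_mode` ends with `if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE)) return PROMPT_COMPAT_IGNORE; return PROMPT_COMPAT_IGNORE;`, and the preceding hunk shows `prompt_compat_mode_supported` returning true for PROMPT_COMPAT_IGNORE unconditionally as far as its visible chain goes, so the guarded return is dead. Collapse the tail to a single `return PROMPT_COMPAT_IGNORE;   /* ignore is always supported: final fallback */`. This predates the commit, but the hunk is already rewriting the function's fallback chain.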
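Review bot: Removing the `permsv1` and `dev` arms in `process_arg` means those spellings now fall through to the rest of the `else if` chain, whose tail (the `flag` arm and whatever final `else` reports an unknown value) is outside the hunk, so confirm it rejects them with a clear error rather than silently selecting a mode. The usage text and man page that enumerate the `--prompt-compat` values are not in the diffstat; if they still list `permsv1` or `dev`, update them in the same commit. A comment at the top of the case, `/* permsv1 and dev were early-development modes; no supported kernel needs them */`, would keep the next reader from reintroducing them.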
@@ -244,10 +244,7 @@ int post_process_profile(Profile *profile, int debug_only) error = post_process_policy_list(profile->hat_table, debug_only); - if (prompt_compat_mode == PROMPT_COMPAT_DEV && profile->uses_prompt_rules) - profile->flags.flags |= FLAG_PROMPT_COMPAT; - - else if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules) + if (prompt_compat_mode == PROMPT_COMPAT_FLAG && profile->uses_prompt_rules) profile->flags.mode = MODE_PROMPT; return error; diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 014ca27e9..97225d82a 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -785,7 +785,7 @@ int process_profile_regex(Profile *prof) /* under permstable32_v1 we weld file and policydb together, so * don't create the file blob here */ - if (prof->dfa.rules->rule_count > 0 && prompt_compat_mode != PROMPT_COMPAT_PERMSV1) { + if (prof->dfa.rules->rule_count > 0) { int xmatch_len = 0; //fprintf(stderr, "Creating file DFA %d\n", kernel_supports_permstable32); prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, @@ -797,16 +797,6 @@ int process_profile_regex(Profile *prof) prof->dfa.rules = NULL; if (!prof->dfa.dfa) goto out; -/* - if (prof->dfa_size == 0) { - PERROR(_("profile %s: has merged rules (%s) with " - "multiple x modifiers\n"), - prof->name, (char *) prof->dfa); - free(prof->dfa); - prof->dfa = NULL; - goto out; - } -*/ } error = 0; @@ -1081,7 +1071,6 @@ static const char *mediates_ns = CLASS_STR(AA_CLASS_NS); static const char *mediates_posix_mqueue = CLASS_STR(AA_CLASS_POSIX_MQUEUE); static const char *mediates_sysv_mqueue = CLASS_STR(AA_CLASS_SYSV_MQUEUE); static const char *mediates_io_uring = CLASS_STR(AA_CLASS_IO_URING); -static const char *deny_file = ".*"; /* Set the mediates priority to the maximum possible. This is to help * ensure that the mediates information is not wiped out by a rule 
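Review bot: In the parser_policy.c hunk the removed DEV branch was the only visible place that set `FLAG_PROMPT_COMPAT` in `profile->flags.flags`; if nothing else references it, that flag bit is never emitted any more and its define should be removed or annotated as reserved so it is not mistaken for live policy-blob ABI (hedged, since the flag defines are not in this diff). The surviving `if` would read better with a one-line comment such as `/* prompt rules are only honoured in flag mode */` — presumably the intent, confirm. post_process_profile continues outside the hunk.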
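Review bot: The comment `/* under permstable32_v1 we weld file and policydb together, so * don't create the file blob here */` directly above the changed `if` in the parser_regex.c -785 hunk describes exactly the permsv1 condition this hunk deletes, so it is now stale and misleading. Either drop it or replace it with `/* build the file dfa blob whenever the profile has file rules */`. The commented-out `//fprintf(stderr, "Creating file DFA %d\n", ...)` debug line in the same hunk is pre-existing dead text and could go with it, as the -797 hunk already removes the neighbouring commented-out block. process_profile_regex continues outside the hunk.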
@@ -1164,37 +1153,7 @@ int process_profile_policydb(Profile *prof) goto out; } - if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) { - // MUST have file and policy - // This requires file rule processing happen first - if (!prof->dfa.rules->rule_count) { - // add null dfa - if (!prof->dfa.rules->add_rule(deny_file, 0, RULE_DENY, AA_MAY_READ, 0, parseopts)) - goto out; - } - if (!prof->policy.rules->rule_count) { - if (!prof->policy.rules->add_rule(mediates_file, 0, RULE_DENY, AA_MAY_READ, 0, parseopts)) - goto out; - } - int xmatch_len = 0; - prof->policy.dfa = prof->policy.rules->create_welded_dfablob( - prof->dfa.rules, - &prof->policy.size, - &xmatch_len, - &prof->policy.file_start, - prof->policy.perms_table, parseopts, - kernel_supports_permstable32_v1, - prof->uses_prompt_rules); - delete prof->policy.rules; - delete prof->dfa.rules; - prof->policy.rules = NULL; - prof->dfa.rules = NULL; - if (!prof->policy.dfa) - goto out; - } else if (prof->policy.rules->rule_count > 0 && - // yes not needed as covered above, just making sure - // this doesn't get messed up in the future - prompt_compat_mode != PROMPT_COMPAT_PERMSV1) { + if (prof->policy.rules->rule_count > 0) { int xmatch_len = 0; prof->policy.dfa = prof->policy.rules->create_dfablob(&prof->policy.size, &xmatch_len, diff --git a/parser/rule.h b/parser/rule.h index f8a101634..6a0bec8ae 100644 --- a/parser/rule.h +++ b/parser/rule.h @@ -28,9 +28,7 @@ #define PROMPT_COMPAT_UNKNOWN 0 #define PROMPT_COMPAT_IGNORE 1 #define PROMPT_COMPAT_PERMSV2 2 -#define PROMPT_COMPAT_DEV 3 #define PROMPT_COMPAT_FLAG 4 -#define PROMPT_COMPAT_PERMSV1 5 class Profile;
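Review bot: The removed welded-dfa branch in `process_profile_policydb` was the visible user of both `deny_file` and `mediates_file` (`add_rule(mediates_file, ...)`), and the -1081 hunk drops `deny_file` but not `mediates_file`; if no other code in parser_regex.c references it, that file-scope static is now an unused variable (`-Wunused-variable`, fatal under `-Werror`). Confirm it still has a reader elsewhere in the file, or remove it alongside `deny_file`. The surviving `if (prof->policy.rules->rule_count > 0)` path and the remainder of the function are outside the hunk; the removed branch also did `delete prof->dfa.rules`, which the -797 hunk's `prof->dfa.rules = NULL` after blob creation in process_profile_regex presumably covers for the remaining path.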
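Review bot: Deleting `PROMPT_COMPAT_DEV 3` and `PROMPT_COMPAT_PERMSV1 5` in rule.h leaves holes at 3 and 5 in the mode numbering with nothing saying why, and `print_prompt_compat_mode` will now report those integers as `Unknown prompt compat mode`. Add a comment in their place, `/* 3 (dev) and 5 (permsv1) were early-development modes, now removed; do not reuse the values */`, so a future mode is not assigned a number that older tooling or logs associate with the dropped ones.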