From 3b11aa9050f2832aba4f7f503111e9d2b0d57aed Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Sun, 8 Jun 2008 09:02:27 +0000
Subject: [PATCH] Remove hat rules.  In large policies the number of hat rules
 becomes problematic, hat rules can be replaced with simple hat flag on a
 profile.

---
 parser/parser_policy.c | 68 ------------------------------------------
 1 file changed, 68 deletions(-)

diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 7c0c5ee13..13890d90c 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -344,9 +344,6 @@ int post_process_alias(void)
 #define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
 
 /* add file rules to access /proc files to call change_hat()
- * add file rules to be able to change_hat, this restriction keeps
- * change_hat from being able to access local profiles that are not
- * meant to be used as hats
  */
 static void __add_hat_rules_parent(const void *nodep, const VISIT value,
 				   const int __unused depth)
@@ -365,26 +362,6 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
 	if ((*t)->local)
 		return;
 
-	/* add rule to grant permission to change_hat - AA 2.3 requirement,
-	 * rules are added to the parent of the hat
-	 */
-	if ((*t)->parent) {
-		char *buffer = malloc(strlen((*t)->name) + 1);
-		if (!buffer) {
-			PERROR("Memory allocation error\n");
-			exit(1);
-		}
-
-		strcpy(buffer, (*t)->name);
-
-		entry = new_entry(NULL, buffer, AA_CHANGE_HAT, NULL);
-		if (!entry) {
-			PERROR("Memory allocation error\n");
-			exit(1);
-		}
-		add_entry_to_policy((*t)->parent, entry);
-	}
-
 /* later
 	entry = new_entry(strdup(CHANGEHAT_PATH), AA_MAY_WRITE);
 	if (!entry) {
@@ -397,55 +374,10 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
 	twalk((*t)->hat_table, __add_hat_rules_parent);
 }
 
-/* add the same hat rules to the hats as the parent so that hats can
- * change to sibling hats
- */
-static void __add_hat_rules_hats(const void *nodep, const VISIT value,
-				 const int __unused depth)
-{
-	struct codomain **t = (struct codomain **) nodep;
-
-	if (value == preorder || value == endorder)
-		return;
-
-	/* don't add hat rules if a parent profile with no hats */
-	if (!(*t)->hat_table && !(*t)->parent)
-		return;
-
-	/* don't add hat rules for local_profiles */
-	if ((*t)->local)
-		return;
-
-	/* hat */
-	if ((*t)->parent) {
-		struct cod_entry *entry, *new_ent;
-		list_for_each((*t)->parent->entries, entry) {
-			if (entry->mode & AA_CHANGE_HAT) {
-				char *buffer = strdup(entry->name);
-				if (!buffer) {
-					PERROR("Memory allocation error\n");
-					exit(1);
-				}
-
-				new_ent = new_entry(NULL, buffer,
-						    AA_CHANGE_HAT, NULL);
-				if (!entry) {
-					PERROR("Memory allocation error\n");
-					exit(1);
-				}
-				add_entry_to_policy((*t), new_ent);
-			}
-		}
-	}
-
-	twalk((*t)->hat_table, __add_hat_rules_hats);
-}
-
 static int add_hat_rules(void)
 {
 	twalk(policy_list, __add_hat_rules_parent);
 
-	twalk(policy_list, __add_hat_rules_hats);
 	return 0;
 }