From 747d7da4022b836e229713fc100697b94cea7f75 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 20 Aug 2009 15:26:12 +0000
Subject: [PATCH] Revert broken 64bit capabilities patch

---
 parser/parser.h | 10 +++++-----
 parser/parser_interface.c | 26 +++++--------------------
 parser/parser_misc.c | 6 ++----
 parser/parser_policy.c | 10 +++++-----
 parser/parser_yacc.y | 19 ++++--------------
 5 files changed, 21 insertions(+), 50 deletions(-)

diff --git a/parser/parser.h b/parser/parser.h
index f785989f0..5b96b9f6d 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -92,11 +92,11 @@ struct codomain {
 
 struct flagval flags;
 
- uint64_t capabilities;
- uint64_t audit_caps;
- uint64_t deny_caps;
- uint64_t quiet_caps;
- uint64_t set_caps;
+ unsigned int capabilities;
+ unsigned int audit_caps;
+ unsigned int deny_caps;
+ unsigned int quiet_caps;
+ unsigned int set_caps;
 
 unsigned int *network_allowed; /* array of type masks
 * indexed by AF_FAMILY */
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index 149b834e5..98932281d 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -610,7 +610,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 int flattened)
 {
 struct cod_entry *entry;
- uint64_t allowed_caps;
+ u32 allowed_caps;
 
 if (!sd_write_struct(p, "profile"))
 return 0;
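Review bot: The five `unsigned int` mask fields restored in `struct codomain` fix the capability space at 32 bits, and nothing at the declaration records that; the rest of the patch keeps the highest index at `CAP_AUDIT_CONTROL` (30) and builds masks with `1 << x`, so the invariant is spread over three files. A short comment on the fields, `/* capability bitmasks: one bit per CAP_* index, so indices must stay below 32 (see capnames[] and CAP_TO_MASK) */`, would make a future table extension fail review instead of silently overflowing. The enclosing `struct codomain` starts and ends outside the hunk.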
@@ -650,30 +650,14 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 return 0;
 if (!sd_write_structend(p))
 return 0;
-
-#define low_caps(X) ((u32) (X))
-#define high_caps(X) ((u32) ((X) >> 32))
 allowed_caps = (profile->capabilities | profile->set_caps) & ~profile->deny_caps;
- if (!sd_write32(p, low_caps(allowed_caps & 0xff)))
+ if (!sd_write32(p, allowed_caps))
 return 0;
- if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
+ if (!sd_write32(p, allowed_caps & profile->audit_caps))
 return 0;
- if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
+ if (!sd_write32(p, profile->deny_caps & profile->quiet_caps))
 return 0;
- if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
- return 0;
-
- if (!sd_write_struct(p, "caps64"))
- return 0;
- if (!sd_write32(p, high_caps(allowed_caps & 0xff)))
- return 0;
- if (!sd_write32(p, high_caps(allowed_caps & profile->audit_caps)))
- return 0;
- if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
- return 0;
- if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
- return 0;
- if (!sd_write_structend(p))
+ if (!sd_write32(p, profile->set_caps & ~profile->deny_caps))
 return 0;
 
 if (!sd_serialize_rlimits(p, &profile->rlimits))
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index c891f412e..540be986a 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -806,9 +806,7 @@ static const char *capnames[] = {
 "mknod",
 "lease",
 "audit_write",
- "audit_control",
- "setfcap",
- "mac_override"
+ "audit_control"
 };
 
 const char *capability_to_name(unsigned int cap)
@@ -839,7 +837,7 @@ void debug_cod_list(struct codomain *cod)
 
 printf("Capabilities:\t");
 for (i = 0; i < (sizeof(capnames)/sizeof(char *)); i++) {
- if (((1ull << i) & cod->capabilities) != 0) {
+ if (((1 << i) & cod->capabilities) != 0) {
 printf ("%s ", capability_to_name(i));
 }
 }
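Review bot: The four `sd_write32` calls that follow `allowed_caps = …` define the capability record's wire layout (allowed, allowed-and-audit, deny-and-quiet, set-minus-deny), but nothing in the function names the fields, so the consumer has to be read alongside to check the order. A one-line comment before each write, e.g. `/* 1: allowed capability mask */`, would make the layout reviewable in place. `allowed_caps` is also declared `u32` in the earlier hunk while the `struct codomain` fields it is built from are `unsigned int`; using one type for both would avoid a silent width mismatch if either is changed later. `sd_serialize_profile` begins and ends outside the hunk.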
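Review bot: `1 << i` in `debug_cod_list` shifts a signed `int`; with `capnames[]` capped at `audit_control` (index 30) the loop never reaches 31, but the first entry added at index 31 makes `1 << 31` undefined behaviour, and anything at index 32 or above is undefined at any width. `1u << i` costs nothing and matches the `unsigned int` type of `cod->capabilities`; the same applies to `CAP_TO_MASK(x) (1 << (x))` in the parser_yacc.y hunk at line 44, where `(1u << (x))` is the equivalent change. The loop's enclosing function starts outside the hunk.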
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 2844799bf..fcd84765c 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -639,11 +639,11 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
 a->flags.complain = a->flags.complain || b->flags.complain;
 a->flags.audit = a->flags.audit || b->flags.audit;
 
- a->capabilities |= b->capabilities;
- a->audit_caps |= b->audit_caps;
- a->deny_caps |= b->deny_caps;
- a->quiet_caps |= b->quiet_caps;
- a->set_caps |= b->set_caps;
+ a->capabilities = a->capabilities | b->capabilities;
+ a->audit_caps = a->audit_caps | b->audit_caps;
+ a->deny_caps = a->deny_caps | b->deny_caps;
+ a->quiet_caps = a->quiet_caps | b->quiet_caps;
+ a->set_caps = a->set_caps | b->set_caps;
 
 if (a->network_allowed) {
 size_t i;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index e22833a6b..34ac0a76f 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -44,24 +44,15 @@
 #ifndef CAP_AUDIT_CONTROL
 #define CAP_AUDIT_CONTROL 30
 #endif
-#ifndef CAP_SETFCAP
-#define CAP_SETFCAP 31
-#endif
-#ifndef CAP_MAC_OVERRIDE
-#define CAP_MAC_OVERRIDE 32
-#endif
+
+/* A few utility defines */
 #define CIDR_32 htonl(0xffffffff)
 #define CIDR_24 htonl(0xffffff00)
 #define CIDR_16 htonl(0xffff0000)
 #define CIDR_8 htonl(0xff000000)
 
-/* undefine linux/capability.h CAP_TO_MASK */
-#ifdef CAP_TO_MASK
-#undef CAP_TO_MASK
-#endif
-
-#define CAP_TO_MASK(x) (1ull << (x))
+#define CAP_TO_MASK(x) (1 << (x))
 
 /* from lex_config, for nice error messages */
 /* extern char *current_file; */
@@ -156,7 +147,7 @@ struct codomain *do_local_profile(struct codomain *cod, char *name, int mode, in
 struct cod_entry *user_entry;
 struct flagval flags;
 int fmode;
- uint64_t cap;
+ unsigned int cap;
 unsigned int allowed_protocol;
 char *set_var;
 char *bool_var;
@@ -1054,7 +1045,6 @@ caps: caps TOK_ID
 int cap = name_to_capability($2);
 if (cap == -1)
 yyerror(_("Invalid capability %s."), $2);
- free($2);
 $$ = $1 | CAP_TO_MASK(cap);
 }
 
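Review bot: `#define CAP_TO_MASK(x) (1 << (x))` is now an unconditional definition, whereas the removed lines explicitly undefined the version from linux/capability.h first; if that header is included (directly or transitively) the compiler will warn about a redefinition with a different body, and which expansion wins becomes include-order dependent. Keeping the guard, `#ifdef CAP_TO_MASK` / `#undef CAP_TO_MASK` / `#endif`, ahead of the new `#define` is independent of the width revert and removes the ambiguity. I cannot see from the hunk whether the header is included, so this needs confirming against the file's include list.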
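Review bot: Dropping `free($2)` means the `TOK_ID` string is no longer released after `name_to_capability` and the error path have used it, so every capability rule now retains its token unless the lexer hands out storage it owns itself; the same applies to `free($1)` in the following `caps: TOK_ID` hunk. If the intent was only to revert the 64-bit width, these two removals look like collateral of the revert and the `free` calls should stay. If the lexer does own the buffer, a comment at the rule saying so, `/* $2 is owned by the lexer; do not free */`, would stop the next reader from re-adding it.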
@@ -1063,7 +1053,6 @@ caps: TOK_ID
 int cap = name_to_capability($1);
 if (cap == -1)
 yyerror(_("Invalid capability %s."), $1);
- free($1);
 $$ = CAP_TO_MASK(cap);
 };