[apparmor] [PATCH 08/13] Remove setting of capabilities from the syntax

John Johansen john.johansen at canonical.com
Tue Feb 14 17:32:30 UTC 2012


The ability to set capabilities from a profile has been removed from the
kernel for several releases.  Remove it from the parser as well.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser.h                               |    1 -
 parser/parser_interface.c                     |    7 +++----
 parser/parser_misc.c                          |    2 --
 parser/parser_policy.c                        |    1 -
 parser/parser_yacc.y                          |   12 ------------
 parser/tst/simple_tests/capability/set/ok1.sd |    2 +-
 6 files changed, 4 insertions(+), 21 deletions(-)

diff --git a/parser/parser.h b/parser/parser.h
index 7d71fd8..ebe0e29 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -112,7 +112,6 @@ struct codomain {
 	uint64_t audit_caps;
 	uint64_t deny_caps;
 	uint64_t quiet_caps;
-	uint64_t set_caps;
 
 	unsigned int *network_allowed;		/* array of type masks
 						 * indexed by AF_FAMILY */
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index cc291a7..6b6d57d 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -609,15 +609,14 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 
 #define low_caps(X) ((u32) ((X) & 0xffffffff))
 #define high_caps(X) ((u32) (((X) >> 32) & 0xffffffff))
-	allowed_caps = (profile->capabilities | profile->set_caps) &
-		~profile->deny_caps;
+	allowed_caps = (profile->capabilities) & ~profile->deny_caps;
 	if (!sd_write32(p, low_caps(allowed_caps)))
 		return 0;
 	if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
 		return 0;
 	if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
 		return 0;
-	if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
+	if (!sd_write32(p, 0))
 		return 0;
 
 	if (!sd_write_struct(p, "caps64"))
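Review bot: The new `sd_write32(p, 0)` here, and the matching one in the next hunk of this file (the caps64 block), writes an unexplained literal into what is still a field of the serialized profile, so the reason the slot survives the removal of set_caps is lost to the next reader; a one-line comment such as `/* set_caps slot: setting capabilities is no longer supported; kept as 0 so the caps wire layout the kernel reads is unchanged */` would record the intent, hedged as I infer the layout constraint from the surrounding writes rather than from the kernel side. The parentheses in `allowed_caps = (profile->capabilities) & ~profile->deny_caps;` are left over from the removed `| profile->set_caps` and can go: `allowed_caps = profile->capabilities & ~profile->deny_caps;`. sd_serialize_profile starts and ends outside this hunk.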
@@ -628,7 +627,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 		return 0;
 	if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
 		return 0;
-	if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
+	if (!sd_write32(p, 0))
 		return 0;
 	if (!sd_write_structend(p))
 		return 0;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index ebaa887..ea77da7 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -912,8 +912,6 @@ void debug_capabilities(struct codomain *cod)
 		__debug_capabilities(cod->deny_caps, "Deny Caps");
 	if (cod->quiet_caps != 0ull)
 		__debug_capabilities(cod->quiet_caps, "Quiet Caps");
-	if (cod->set_caps != 0ull)
-		__debug_capabilities(cod->set_caps, "Set Capabilities");
 }
 
 void debug_cod_list(struct codomain *cod)
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 803a620..1d459d9 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -645,7 +645,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
 	a->audit_caps |= b->audit_caps;
 	a->deny_caps |= b->deny_caps;
 	a->quiet_caps |= b->quiet_caps;
-	a->set_caps |= b->set_caps;
 
 	if (a->network_allowed) {
 		size_t i;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index fff7e23..c331379 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -182,7 +182,6 @@ void add_local_entry(struct codomain *cod);
 %type <flags>	flagval
 %type <cap>	caps
 %type <cap>	capability
-%type <cap>	set_caps
 %type <user_entry> change_profile
 %type <set_var> TOK_SET_VAR
 %type <bool_var> TOK_BOOL_VAR
@@ -674,12 +673,6 @@ rules:	rules opt_audit_flag capability
 		$$ = $1;
 	};
 
-rules: rules set_caps
-	{
-		$1->set_caps |= $2;
-		$$ = $1;
-	};
-
 rules:	rules hat
 	{
 		PDEBUG("Matched: hat rule\n");
@@ -1050,11 +1043,6 @@ change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID T
 	};
 
 
-set_caps:	TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
-	{
-		$$ = $3;
-	};
-
 capability:	TOK_CAPABILITY caps TOK_END_OF_RULE
 	{
 		if ($2 == 0) {
diff --git a/parser/tst/simple_tests/capability/set/ok1.sd b/parser/tst/simple_tests/capability/set/ok1.sd
index 1bf78fd..eed2470 100644
--- a/parser/tst/simple_tests/capability/set/ok1.sd
+++ b/parser/tst/simple_tests/capability/set/ok1.sd
@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION validate some uses of capabilties.
-#=EXRESULT PASS
+#=EXRESULT FAIL
 # vim:syntax=subdomain
 # Last Modified: Sun Apr 17 19:44:44 2005
 #
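Review bot: The expected result flips to FAIL while the file keeps the name `ok1.sd` and the description `validate some uses of capabilties`, so anyone reading the test tree will take this for a regression rather than a deliberate check that the removed `set capability` syntax is rejected. Updating the description to state the new purpose, e.g. `#=DESCRIPTION set capability syntax is no longer accepted by the parser`, and renaming the file so it no longer reads as a passing case would make the intent self-evident; the description line also misspells "capabilities".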
-- 
1.7.9



