[apparmor] RFC [patch 1/10] Remove the old unused ptrace code

John Johansen john.johansen at canonical.com
Thu Feb 13 00:59:49 UTC 2014 

Remove the old unused ptrace code that snuck in years ago. It was
never used, never supported, and we are doing it differently now.

Signed-off-by: John Johansen <john.johansen at canonical.com>

---
 parser/immunix.h      |    7 +------
 parser/parser_alias.c |    3 +--
 parser/parser_merge.c |    6 ------
 parser/parser_regex.c |   15 ---------------
 parser/parser_yacc.y  |   28 ++++------------------------
 5 files changed, 6 insertions(+), 53 deletions(-)

--- 2.9-test.orig/parser/immunix.h
+++ 2.9-test/parser/immunix.h
@@ -56,10 +56,6 @@
 
 #define AA_FILE_PERMS			(AA_USER_PERMS | AA_OTHER_PERMS )
 
-#define AA_USER_PTRACE			(1 << 28)
-#define AA_OTHER_PTRACE			(1 << 29)
-#define AA_PTRACE_PERMS			(AA_USER_PTRACE | AA_OTHER_PTRACE)
-
 #define AA_CHANGE_HAT			(1 << 30)
 #define AA_ONEXEC			(1 << 30)
 #define AA_CHANGE_PROFILE		(1 << 31)
@@ -81,8 +77,7 @@
 #define AA_EXEC_PROFILE			(AA_EXEC_MOD_1)
 #define AA_EXEC_LOCAL			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
 
-#define AA_VALID_PERMS			(AA_FILE_PERMS | AA_PTRACE_PERMS | \
-					 AA_OTHER_PERMS)
+#define AA_VALID_PERMS			(AA_FILE_PERMS | AA_OTHER_PERMS)
 
 #define AA_USER_EXEC			(AA_MAY_EXEC << AA_USER_SHIFT)
 #define AA_OTHER_EXEC			(AA_MAY_EXEC << AA_OTHER_SHIFT)
--- 2.9-test.orig/parser/parser_alias.c
+++ 2.9-test/parser/parser_alias.c
@@ -120,8 +120,7 @@
 	len = strlen((*t)->from);
 
 	list_for_each(target_list, entry) {
-		if (entry->mode & (AA_SHARED_PERMS & AA_PTRACE_PERMS) ||
-		    entry->alias_ignore)
+		if ((entry->mode & AA_SHARED_PERMS) || entry->alias_ignore)
 			continue;
 		if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
 			char *n = do_alias(*t, entry->name);
--- 2.9-test.orig/parser/parser_merge.c
+++ 2.9-test/parser/parser_merge.c
@@ -65,12 +65,6 @@
 	if ((*e1)->deny != (*e2)->deny)
 		return (*e1)->deny < (*e2)->deny ? -1 : 1;
 
-	/* rules with ptrace and change_profile can only merge with
-	 * rules with exact same perm */
-	if (((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) !=
-	    ((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)))
-		return 1;
-
 	return strcmp((*e1)->name, (*e2)->name);
 }
 
--- 2.9-test.orig/parser/parser_regex.c
+++ 2.9-test/parser/parser_regex.c
@@ -493,8 +493,6 @@
 	if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
 
-	/* relying on ptrace and change_profile not getting merged earlier */
-
 	/* the link bit on the first pair entry should not get masked
 	 * out by a deny rule, as both pieces of the link pair must
 	 * match.  audit info for the link is carried on the second
@@ -556,19 +554,6 @@
 		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
 			return FALSE;
 	}
-	if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
-		int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
-		if (entry->ns) {
-			const char *vec[2];
-			vec[0] = entry->ns;
-			vec[1] = entry->name;
-			if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec, dfaflags))
-			    return FALSE;
-		} else {
-		  if (!aare_add_rule(dfarules, entry->name, 0, mode, 0, dfaflags))
-				return FALSE;
-		}
-	}
 	return TRUE;
 }
 
--- 2.9-test.orig/parser/parser_yacc.y
+++ 2.9-test/parser/parser_yacc.y
@@ -203,7 +203,6 @@
 %type <user_entry> file_rule
 %type <user_entry> file_rule_tail
 %type <user_entry> link_rule
-%type <user_entry> ptrace_rule
 %type <user_entry> frule
 %type <mnt_entry> mnt_rule
 %type <cond_entry> opt_conds
@@ -558,9 +557,9 @@
 			yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"));
 
 		if ($2.owner == 1)
-			$3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
+			$3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
 		else if ($2.owner == 2)
-			$3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
+			$3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 		/* only set audit ctl quieting if the rule is not audited */
 		if (($2.deny && !$2.audit) || (!$2.deny && $2.audit))
 			$3->audit = $3->mode & ~ALL_AA_EXEC_TYPE;
@@ -589,9 +588,9 @@
 					yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
 			}
 			if ($2.owner == 1)
- 				entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
+ 				entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
 			else if ($2.owner == 2)
-				entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
+				entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 
 			if ($2.audit && !entry->deny)
 				entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
@@ -953,7 +952,6 @@
 
 rule: file_rule { $$ = $1; }
 	| link_rule { $$ = $1; }
-	| ptrace_rule {$$ = $1; }
 
 opt_unsafe: { /* nothing */ $$ = 0; }
 	| TOK_UNSAFE { $$ = 1; };
@@ -1032,24 +1030,6 @@
 		$$ = entry;
 	};
 
-ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
-	{
-		struct cod_entry *entry;
-		entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
-		if (!entry)
-			yyerror(_("Memory allocation error."));
-		$$ = entry;
-	};
-
-ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
-	{
-		struct cod_entry *entry;
-		entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
-		if (!entry)
-			yyerror(_("Memory allocation error."));
-		$$ = entry;
-	};
-
 network_rule: TOK_NETWORK TOK_END_OF_RULE
 	{
 		size_t family;

More information about the AppArmor mailing list