[apparmor] [patch 01/24] Remove the old unused ptrace code that snuck in years ago.

Seth Arnold seth.arnold at canonical.com
Tue Mar 11 04:40:52 UTC 2014


On Fri, Mar 07, 2014 at 09:31:22AM -0800, john.johansen at canonical.com wrote:
> It was never used, never supported, and we are doing it differently now.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> ---
>  parser/immunix.h      |    7 +------
>  parser/parser_alias.c |    3 +--
>  parser/parser_merge.c |    6 ------
>  parser/parser_regex.c |   15 ---------------
>  parser/parser_yacc.y  |   28 ++++------------------------
>  5 files changed, 6 insertions(+), 53 deletions(-)
> 
> --- 2.9-test.orig/parser/immunix.h
> +++ 2.9-test/parser/immunix.h
> @@ -56,10 +56,6 @@
>  
>  #define AA_FILE_PERMS			(AA_USER_PERMS | AA_OTHER_PERMS )
>  
> -#define AA_USER_PTRACE			(1 << 28)
> -#define AA_OTHER_PTRACE			(1 << 29)
> -#define AA_PTRACE_PERMS			(AA_USER_PTRACE | AA_OTHER_PTRACE)
> -
>  #define AA_CHANGE_HAT			(1 << 30)
>  #define AA_ONEXEC			(1 << 30)
>  #define AA_CHANGE_PROFILE		(1 << 31)
> @@ -81,8 +77,7 @@
>  #define AA_EXEC_PROFILE			(AA_EXEC_MOD_1)
>  #define AA_EXEC_LOCAL			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
>  
> -#define AA_VALID_PERMS			(AA_FILE_PERMS | AA_PTRACE_PERMS | \
> -					 AA_OTHER_PERMS)
> +#define AA_VALID_PERMS			(AA_FILE_PERMS | AA_OTHER_PERMS)
>  
>  #define AA_USER_EXEC			(AA_MAY_EXEC << AA_USER_SHIFT)
>  #define AA_OTHER_EXEC			(AA_MAY_EXEC << AA_OTHER_SHIFT)
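Review bot: The new AA_VALID_PERMS on the `+` line still ORs in AA_OTHER_PERMS, which AA_FILE_PERMS already contains (the first hunk shows `AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )`), so the second term is dead. `#define AA_VALID_PERMS (AA_FILE_PERMS)` states the remaining intent directly; if the redundant term is kept on purpose, a one-line comment saying why would stop the next reader from wondering which set is authoritative for permission validation.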
> --- 2.9-test.orig/parser/parser_alias.c
> +++ 2.9-test/parser/parser_alias.c
> @@ -120,8 +120,7 @@
>  	len = strlen((*t)->from);
>  
>  	list_for_each(target_list, entry) {
> -		if (entry->mode & (AA_SHARED_PERMS & AA_PTRACE_PERMS) ||
> -		    entry->alias_ignore)
> +		if ((entry->mode & AA_SHARED_PERMS) || entry->alias_ignore)
>  			continue;
>  		if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
>  			char *n = do_alias(*t, entry->name);
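Review bot: The rewritten condition on the `+` line widens what is skipped: the old mask was `AA_SHARED_PERMS & AA_PTRACE_PERMS` (an intersection), so only entries carrying ptrace bits were excluded from alias rewriting, whereas the new test skips any entry with any AA_SHARED_PERMS bit, assuming that macro (not shown in this patch) still holds non-ptrace bits. If the old `&` was a typo for `|` this is the intended fix, but the description claims only ptrace removal, so the behavior change deserves a sentence in the commit message or a comment such as `/* rules with shared perms are never alias-rewritten */`. The parser_merge.c hunk has a similar over-reach: the removed comparison also covered AA_CHANGE_PROFILE, so rules differing only in that bit may now be merged; if exact-match merging is still required there, keep `if (((*e1)->mode & AA_CHANGE_PROFILE) != ((*e2)->mode & AA_CHANGE_PROFILE)) return 1;`. The enclosing functions of both hunks start outside the hunk.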
> --- 2.9-test.orig/parser/parser_merge.c
> +++ 2.9-test/parser/parser_merge.c
> @@ -65,12 +65,6 @@
>  	if ((*e1)->deny != (*e2)->deny)
>  		return (*e1)->deny < (*e2)->deny ? -1 : 1;
>  
> -	/* rules with ptrace and change_profile can only merge with
> -	 * rules with exact same perm */
> -	if (((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) !=
> -	    ((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)))
> -		return 1;
> -
>  	return strcmp((*e1)->name, (*e2)->name);
>  }
>  
> --- 2.9-test.orig/parser/parser_regex.c
> +++ 2.9-test/parser/parser_regex.c
> @@ -493,8 +493,6 @@
>  	if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
>  		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
>  
> -	/* relying on ptrace and change_profile not getting merged earlier */
> -
>  	/* the link bit on the first pair entry should not get masked
>  	 * out by a deny rule, as both pieces of the link pair must
>  	 * match.  audit info for the link is carried on the second
> @@ -556,19 +554,6 @@
>  		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
>  			return FALSE;
>  	}
> -	if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
> -		int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
> -		if (entry->ns) {
> -			const char *vec[2];
> -			vec[0] = entry->ns;
> -			vec[1] = entry->name;
> -			if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec, dfaflags))
> -			    return FALSE;
> -		} else {
> -		  if (!aare_add_rule(dfarules, entry->name, 0, mode, 0, dfaflags))
> -				return FALSE;
> -		}
> -	}
>  	return TRUE;
>  }
>  
> --- 2.9-test.orig/parser/parser_yacc.y
> +++ 2.9-test/parser/parser_yacc.y
> @@ -203,7 +203,6 @@
>  %type <user_entry> file_rule
>  %type <user_entry> file_rule_tail
>  %type <user_entry> link_rule
> -%type <user_entry> ptrace_rule
>  %type <user_entry> frule
>  %type <mnt_entry> mnt_rule
>  %type <cond_entry> opt_conds
> @@ -558,9 +557,9 @@
>  			yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"));
>  
>  		if ($2.owner == 1)
> -			$3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
> +			$3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
>  		else if ($2.owner == 2)
> -			$3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
> +			$3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
>  		/* only set audit ctl quieting if the rule is not audited */
>  		if (($2.deny && !$2.audit) || (!$2.deny && $2.audit))
>  			$3->audit = $3->mode & ~ALL_AA_EXEC_TYPE;
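Review bot: The owner masking on the two `+` lines here is duplicated verbatim in the next hunk (the `entry->mode &=` lines), and the copy there keeps a stray leading space before the tabs on its `+ 				entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);` line, which is worth normalizing while the line is being rewritten anyway. Since both grammar actions now apply exactly the same two masks, a single shared definition for the owner-restricted permission set would keep them from drifting apart again. The enclosing grammar actions start outside both hunks.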
> @@ -589,9 +588,9 @@
>  					yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
>  			}
>  			if ($2.owner == 1)
> - 				entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
> + 				entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
>  			else if ($2.owner == 2)
> -				entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
> +				entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
>  
>  			if ($2.audit && !entry->deny)
>  				entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
> @@ -953,7 +952,6 @@
>  
>  rule: file_rule { $$ = $1; }
>  	| link_rule { $$ = $1; }
> -	| ptrace_rule {$$ = $1; }
>  
>  opt_unsafe: { /* nothing */ $$ = 0; }
>  	| TOK_UNSAFE { $$ = 1; };
> @@ -1032,24 +1030,6 @@
>  		$$ = entry;
>  	};
>  
> -ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
> -	{
> -		struct cod_entry *entry;
> -		entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
> -		if (!entry)
> -			yyerror(_("Memory allocation error."));
> -		$$ = entry;
> -	};
> -
> -ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
> -	{
> -		struct cod_entry *entry;
> -		entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
> -		if (!entry)
> -			yyerror(_("Memory allocation error."));
> -		$$ = entry;
> -	};
> -
>  network_rule: TOK_NETWORK TOK_END_OF_RULE
>  	{
>  		size_t family;
> 
> 
> 