The ability to set capabilities from a profile has been removed from the kernel for several releases. Remove it from the parser as well.
Signed-off-by: John Johansen <john.johan...@canonical.com>
---
 parser/parser.h | 1 -
 parser/parser_interface.c | 7 +++----
 parser/parser_misc.c | 2 --
 parser/parser_policy.c | 1 -
 parser/parser_yacc.y | 12 ------------
 parser/tst/simple_tests/capability/set/ok1.sd | 2 +-
 6 files changed, 4 insertions(+), 21 deletions(-)
diff --git a/parser/parser.h b/parser/parser.h
index 7d71fd8..ebe0e29 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -112,7 +112,6 @@ struct codomain {
 uint64_t audit_caps;
 uint64_t deny_caps;
 uint64_t quiet_caps;
- uint64_t set_caps;
 unsigned int *network_allowed; /* array of type masks * indexed by AF_FAMILY */
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index cc291a7..6b6d57d 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -609,15 +609,14 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 #define low_caps(X) ((u32) ((X) & 0xffffffff))
 #define high_caps(X) ((u32) (((X) >> 32) & 0xffffffff))
- allowed_caps = (profile->capabilities | profile->set_caps) &
- ~profile->deny_caps;
+ allowed_caps = (profile->capabilities) & ~profile->deny_caps;
 if (!sd_write32(p, low_caps(allowed_caps)))
 return 0;
 if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
 return 0;
 if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
 return 0;
- if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
+ if (!sd_write32(p, 0))
 return 0;
 if (!sd_write_struct(p, "caps64"))
@@ -628,7 +627,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 return 0;
 if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
 return 0;
- if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
+ if (!sd_write32(p, 0))
 return 0;
 if (!sd_write_structend(p))
 return 0;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index ebaa887..ea77da7 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
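Review bot: In parser/parser_interface.c the two `sd_write32(p, 0)` calls that replace the set-caps words (the low word in the first hunk, the high word in the `caps64` hunk) carry no comment, so nothing marks the literal zero as a placeholder for a field the parser no longer supports. A line such as `/* was set caps: no longer supported, always written as 0 */` above each call would keep a later cleanup from dropping the write or wiring a non-zero mask back in. Presumably the word is still emitted so the serialized layout stays the same for the kernel's unpacker; that is inferred, not visible here, and is worth stating in the comment if true. As a style point, the parentheses in the new assignment are now redundant: `allowed_caps = profile->capabilities & ~profile->deny_caps;`. sd_serialize_profile starts and ends outside both hunks.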
@@ -912,8 +912,6 @@ void debug_capabilities(struct codomain *cod)
 __debug_capabilities(cod->deny_caps, "Deny Caps");
 if (cod->quiet_caps != 0ull)
 __debug_capabilities(cod->quiet_caps, "Quiet Caps");
- if (cod->set_caps != 0ull)
- __debug_capabilities(cod->set_caps, "Set Capabilities");
 }
 void debug_cod_list(struct codomain *cod)
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 803a620..1d459d9 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -645,7 +645,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
 a->audit_caps |= b->audit_caps;
 a->deny_caps |= b->deny_caps;
 a->quiet_caps |= b->quiet_caps;
- a->set_caps |= b->set_caps;
 if (a->network_allowed) {
 size_t i;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index fff7e23..c331379 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -182,7 +182,6 @@ void add_local_entry(struct codomain *cod);
 %type <flags> flagval
 %type <cap> caps
 %type <cap> capability
-%type <cap> set_caps
 %type <user_entry> change_profile
 %type <set_var> TOK_SET_VAR
 %type <bool_var> TOK_BOOL_VAR
@@ -674,12 +673,6 @@ rules: rules opt_audit_flag capability
 $$ = $1;
 };
-rules: rules set_caps
- {
- $1->set_caps |= $2;
- $$ = $1;
- };
-
 rules: rules hat
 {
 PDEBUG("Matched: hat rule\n");
@@ -1050,11 +1043,6 @@ change_profile: TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID T
 };
-set_caps: TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
- {
- $$ = $3;
- };
-
 capability: TOK_CAPABILITY caps TOK_END_OF_RULE
 {
 if ($2 == 0) {
diff --git a/parser/tst/simple_tests/capability/set/ok1.sd b/parser/tst/simple_tests/capability/set/ok1.sd
index 1bf78fd..eed2470 100644
--- a/parser/tst/simple_tests/capability/set/ok1.sd
+++ b/parser/tst/simple_tests/capability/set/ok1.sd
@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION validate some uses of capabilties.
-#=EXRESULT PASS
+#=EXRESULT FAIL
 # vim:syntax=subdomain
 # Last Modified: Sun Apr 17 19:44:44 2005
 #
--
1.7.9
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
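Review bot: With `#=EXRESULT FAIL` this profile becomes a negative test, but it keeps the file name `ok1.sd` and the header `#=DESCRIPTION validate some uses of capabilties.`, so neither says that the parser is now expected to reject it. Updating the header to something like `#=DESCRIPTION 'set capability' rules are no longer supported and must be rejected` would record why the expectation flipped. If the suite distinguishes passing from failing profiles by file name, a rename would fit too; that convention is not visible on this page. The profile body lies outside the hunk, so it cannot be confirmed here that the failure is triggered by the `set capability` rule and not by something else in the file.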