The ability to set capabilities from a profile was removed from the
kernel several releases ago.  Remove it from the parser as well.

Signed-off-by: John Johansen <john.johan...@canonical.com>
---
 parser/parser.h                               |    1 -
 parser/parser_interface.c                     |    7 +++----
 parser/parser_misc.c                          |    2 --
 parser/parser_policy.c                        |    1 -
 parser/parser_yacc.y                          |   12 ------------
 parser/tst/simple_tests/capability/set/ok1.sd |    2 +-
 6 files changed, 4 insertions(+), 21 deletions(-)

diff --git a/parser/parser.h b/parser/parser.h
index 7d71fd8..ebe0e29 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -112,7 +112,6 @@ struct codomain {
        uint64_t audit_caps;
        uint64_t deny_caps;
        uint64_t quiet_caps;
-       uint64_t set_caps;
 
        unsigned int *network_allowed;          /* array of type masks
                                                 * indexed by AF_FAMILY */
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index cc291a7..6b6d57d 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -609,15 +609,14 @@ int sd_serialize_profile(sd_serialize *p, struct codomain 
*profile,
 
 #define low_caps(X) ((u32) ((X) & 0xffffffff))
 #define high_caps(X) ((u32) (((X) >> 32) & 0xffffffff))
-       allowed_caps = (profile->capabilities | profile->set_caps) &
-               ~profile->deny_caps;
+       allowed_caps = (profile->capabilities) & ~profile->deny_caps;
        if (!sd_write32(p, low_caps(allowed_caps)))
                return 0;
        if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
                return 0;
        if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
                return 0;
-       if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
+       if (!sd_write32(p, 0))
                return 0;
 
        if (!sd_write_struct(p, "caps64"))
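Review bot: The bare `sd_write32(p, 0)` that replaces the fourth capability word gives a reader no hint that it is the retired set-caps slot, and the same applies to the matching line in the caps64 hunk that follows. Presumably the word is still written so the serialized layout stays what the kernel-side unpacker expects, but that is not visible here and should be stated, e.g. `/* former set caps word: feature removed, always 0 to keep the blob layout */` above each call. Writing zero is the safe value for any consumer that still honours the field, since it grants nothing. The parentheses left around `profile->capabilities` are now redundant: `allowed_caps = profile->capabilities & ~profile->deny_caps;`. sd_serialize_profile starts and ends outside the hunk.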
@@ -628,7 +627,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain 
*profile,
                return 0;
        if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
                return 0;
-       if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
+       if (!sd_write32(p, 0))
                return 0;
        if (!sd_write_structend(p))
                return 0;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index ebaa887..ea77da7 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -912,8 +912,6 @@ void debug_capabilities(struct codomain *cod)
                __debug_capabilities(cod->deny_caps, "Deny Caps");
        if (cod->quiet_caps != 0ull)
                __debug_capabilities(cod->quiet_caps, "Quiet Caps");
-       if (cod->set_caps != 0ull)
-               __debug_capabilities(cod->set_caps, "Set Capabilities");
 }
 
 void debug_cod_list(struct codomain *cod)
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 803a620..1d459d9 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -645,7 +645,6 @@ struct codomain *merge_policy(struct codomain *a, struct 
codomain *b)
        a->audit_caps |= b->audit_caps;
        a->deny_caps |= b->deny_caps;
        a->quiet_caps |= b->quiet_caps;
-       a->set_caps |= b->set_caps;
 
        if (a->network_allowed) {
                size_t i;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index fff7e23..c331379 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -182,7 +182,6 @@ void add_local_entry(struct codomain *cod);
 %type <flags>  flagval
 %type <cap>    caps
 %type <cap>    capability
-%type <cap>    set_caps
 %type <user_entry> change_profile
 %type <set_var> TOK_SET_VAR
 %type <bool_var> TOK_BOOL_VAR
@@ -674,12 +673,6 @@ rules:     rules opt_audit_flag capability
                $$ = $1;
        };
 
-rules: rules set_caps
-       {
-               $1->set_caps |= $2;
-               $$ = $1;
-       };
-
 rules: rules hat
        {
                PDEBUG("Matched: hat rule\n");
@@ -1050,11 +1043,6 @@ change_profile:  TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON 
TOK_ID TOK_COLON TOK_ID T
        };
 
 
-set_caps:      TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
-       {
-               $$ = $3;
-       };
-
 capability:    TOK_CAPABILITY caps TOK_END_OF_RULE
        {
                if ($2 == 0) {
diff --git a/parser/tst/simple_tests/capability/set/ok1.sd 
b/parser/tst/simple_tests/capability/set/ok1.sd
index 1bf78fd..eed2470 100644
--- a/parser/tst/simple_tests/capability/set/ok1.sd
+++ b/parser/tst/simple_tests/capability/set/ok1.sd
@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION validate some uses of capabilties.
-#=EXRESULT PASS
+#=EXRESULT FAIL
 # vim:syntax=subdomain
 # Last Modified: Sun Apr 17 19:44:44 2005
 #
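Review bot: With `#=EXRESULT FAIL` the file name `ok1.sd` and the header `#=DESCRIPTION validate some uses of capabilties.` no longer say what this case checks, which is that the parser rejects the removed syntax. The description should state that, e.g. `#=DESCRIPTION set capability rules are no longer supported and must be rejected`. If the suite's naming distinguishes passing from failing cases, the file should be renamed to match. The profile body is outside the hunk, so confirm that every rule in it is a set-capability rule; otherwise the test could fail for an unrelated reason and stop guarding this removal.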
-- 
1.7.9

