Remove the old unused ptrace code that snuck in years ago. It was never used, never supported, and we are doing it differently now.
Signed-off-by: John Johansen <[email protected]>
---
 parser/immunix.h | 7 +------
 parser/parser_alias.c | 3 +--
 parser/parser_merge.c | 6 ------
 parser/parser_regex.c | 15 ---------------
 parser/parser_yacc.y | 28 ++++------------------------
 5 files changed, 6 insertions(+), 53 deletions(-)
--- 2.9-test.orig/parser/immunix.h
+++ 2.9-test/parser/immunix.h
@@ -56,10 +56,6 @@
 #define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )
-#define AA_USER_PTRACE (1 << 28)
-#define AA_OTHER_PTRACE (1 << 29)
-#define AA_PTRACE_PERMS (AA_USER_PTRACE | AA_OTHER_PTRACE)
-
 #define AA_CHANGE_HAT (1 << 30)
 #define AA_ONEXEC (1 << 30)
 #define AA_CHANGE_PROFILE (1 << 31)
@@ -81,8 +77,7 @@
 #define AA_EXEC_PROFILE (AA_EXEC_MOD_1)
 #define AA_EXEC_LOCAL (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
-#define AA_VALID_PERMS (AA_FILE_PERMS | AA_PTRACE_PERMS | \
- AA_OTHER_PERMS)
+#define AA_VALID_PERMS (AA_FILE_PERMS | AA_OTHER_PERMS)
 #define AA_USER_EXEC (AA_MAY_EXEC << AA_USER_SHIFT)
 #define AA_OTHER_EXEC (AA_MAY_EXEC << AA_OTHER_SHIFT)
--- 2.9-test.orig/parser/parser_alias.c
+++ 2.9-test/parser/parser_alias.c
@@ -120,8 +120,7 @@
 len = strlen((*t)->from);
 list_for_each(target_list, entry) {
- if (entry->mode & (AA_SHARED_PERMS & AA_PTRACE_PERMS) ||
- entry->alias_ignore)
+ if ((entry->mode & AA_SHARED_PERMS) || entry->alias_ignore)
 continue;
 if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
 char *n = do_alias(*t, entry->name);
--- 2.9-test.orig/parser/parser_merge.c
+++ 2.9-test/parser/parser_merge.c
@@ -65,12 +65,6 @@
 if ((*e1)->deny != (*e2)->deny)
 return (*e1)->deny < (*e2)->deny ? -1 : 1;
- /* rules with ptrace and change_profile can only merge with
- * rules with exact same perm */
- if (((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) !=
- ((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)))
- return 1;
-
 return strcmp((*e1)->name, (*e2)->name);
 }
--- 2.9-test.orig/parser/parser_regex.c
+++ 2.9-test/parser/parser_regex.c
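Review bot: The new definition `#define AA_VALID_PERMS (AA_FILE_PERMS | AA_OTHER_PERMS)` still OR-s in AA_OTHER_PERMS, which the first hunk of this file shows is already a component of AA_FILE_PERMS (`AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )`), so the second term is dead. The intent reads more clearly as `#define AA_VALID_PERMS (AA_FILE_PERMS)`, and if AA_VALID_PERMS is what rejects unknown mode bits (its users are not in this diff, so this is inferred) a one-line comment noting that bits 28 and 29 are now unassigned would stop someone reusing them by accident.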
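Review bot: The rewritten test `if ((entry->mode & AA_SHARED_PERMS) || entry->alias_ignore)` in parser_alias.c is not a pure removal of ptrace: the old mask was `AA_SHARED_PERMS & AA_PTRACE_PERMS`, which is zero unless AA_SHARED_PERMS (not shown here) contains the ptrace bits, in which case the old condition only ever skipped entries with alias_ignore set. After this hunk every entry carrying any shared-permission bit is excluded from alias rewriting, a behavioural change the commit message does not mention. If behaviour is to be preserved the equivalent test is `if (entry->alias_ignore)`; if the broader exclusion is intended, a comment stating why shared-permission entries are not aliased belongs above it. The enclosing function starts and ends outside the hunk.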
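Review bot: The removed comparison in parser_merge.c also covered AA_CHANGE_PROFILE, not only the ptrace bits, so after this hunk two entries that differ only in the change_profile permission fall through to `return strcmp((*e1)->name, (*e2)->name);`, compare equal on name, and can be merged. Unless change_profile merging is now handled elsewhere, the change_profile half of the check should stay: `if (((*e1)->mode & AA_CHANGE_PROFILE) != ((*e2)->mode & AA_CHANGE_PROFILE))` followed by `return 1;`. The parser_regex.c hunk drops the comment `/* relying on ptrace and change_profile not getting merged earlier */` that documented this dependency, so it should be re-examined rather than assumed gone. The enclosing comparison function starts outside the hunk.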
@@ -493,8 +493,6 @@
 if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
 entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
- /* relying on ptrace and change_profile not getting merged earlier */
-
 /* the link bit on the first pair entry should not get masked
 * out by a deny rule, as both pieces of the link pair must
 * match. audit info for the link is carried on the second
@@ -556,19 +554,6 @@
 if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
 return FALSE;
 }
- if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
- int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
- if (entry->ns) {
- const char *vec[2];
- vec[0] = entry->ns;
- vec[1] = entry->name;
- if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec, dfaflags))
- return FALSE;
- } else {
- if (!aare_add_rule(dfarules, entry->name, 0, mode, 0, dfaflags))
- return FALSE;
- }
- }
 return TRUE;
 }
--- 2.9-test.orig/parser/parser_yacc.y
+++ 2.9-test/parser/parser_yacc.y
@@ -203,7 +203,6 @@
 %type <user_entry> file_rule
 %type <user_entry> file_rule_tail
 %type <user_entry> link_rule
-%type <user_entry> ptrace_rule
 %type <user_entry> frule
 %type <mnt_entry> mnt_rule
 %type <cond_entry> opt_conds
@@ -558,9 +557,9 @@
 yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"));
 if ($2.owner == 1)
- $3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
+ $3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
 else if ($2.owner == 2)
- $3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
+ $3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 /* only set audit ctl quieting if the rule is not audited */
 if (($2.deny && !$2.audit) || (!$2.deny && $2.audit))
 $3->audit = $3->mode & ~ALL_AA_EXEC_TYPE;
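Review bot: The owner-masking sequence in the @@ -558 hunk, `if ($2.owner == 1) $3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS); else if ($2.owner == 2) $3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);`, is now identical to the one in the @@ -589 hunk apart from the lvalue, since the ptrace bits were the only rule-specific part of either mask. A small static helper that maps the owner value to its mask would keep the two copies from drifting apart again, which is how the stale ptrace bits lingered in the first place. Both blocks also leave the mode untouched for owner values other than 1 and 2; if that is deliberate a comment saying so would help the next reader. Both actions sit inside grammar rules whose boundaries are outside the hunk.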
@@ -589,9 +588,9 @@
 yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
 }
 if ($2.owner == 1)
- entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
+ entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
 else if ($2.owner == 2)
- entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
+ entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 if ($2.audit && !entry->deny)
 entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
@@ -953,7 +952,6 @@
 rule: file_rule { $$ = $1; }
 | link_rule { $$ = $1; }
- | ptrace_rule {$$ = $1; }
 opt_unsafe: { /* nothing */ $$ = 0; }
 | TOK_UNSAFE { $$ = 1; };
@@ -1032,24 +1030,6 @@
 $$ = entry;
 };
-ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
- {
- struct cod_entry *entry;
- entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
- if (!entry)
- yyerror(_("Memory allocation error."));
- $$ = entry;
- };
-
-ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
- {
- struct cod_entry *entry;
- entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
- if (!entry)
- yyerror(_("Memory allocation error."));
- $$ = entry;
- };
-
 network_rule: TOK_NETWORK TOK_END_OF_RULE
 {
 size_t family;
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
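Review bot: Deleting both ptrace_rule productions in the @@ -1032 hunk (and the `| ptrace_rule` alternative in @@ -953) leaves TOK_PTRACE with no grammar rule that consumes it, yet neither the %token declaration nor the lexer pattern that presumably returns it appears in this diff. If the lexer still emits TOK_PTRACE, a profile that contains a ptrace line will now be rejected with bison's generic syntax error rather than a message that names the unsupported rule, which makes the failure harder to diagnose for policy authors. Either retire the token and its lexer rule in the same change, or keep a one-production stub whose action calls yyerror with a specific "not supported" message; the choice should be stated in the commit message since it affects user-visible behaviour.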
