On Fri, Mar 07, 2014 at 09:31:22AM -0800, [email protected] wrote: > It was never used, never supported, and we are doing it differently now. > > Signed-off-by: John Johansen <[email protected]>
Acked-by: Seth Arnold <[email protected]> Thanks
>
> ---
> parser/immunix.h | 7 +------
> parser/parser_alias.c | 3 +--
> parser/parser_merge.c | 6 ------
> parser/parser_regex.c | 15 ---------------
> parser/parser_yacc.y | 28 ++++------------------------
> 5 files changed, 6 insertions(+), 53 deletions(-)
>
> --- 2.9-test.orig/parser/immunix.h
> +++ 2.9-test/parser/immunix.h
> @@ -56,10 +56,6 @@
>
> #define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS
> )
>
> -#define AA_USER_PTRACE (1 << 28)
> -#define AA_OTHER_PTRACE (1 << 29)
> -#define AA_PTRACE_PERMS (AA_USER_PTRACE |
> AA_OTHER_PTRACE)
> -
> #define AA_CHANGE_HAT (1 << 30)
> #define AA_ONEXEC (1 << 30)
> #define AA_CHANGE_PROFILE (1 << 31)
> @@ -81,8 +77,7 @@
> #define AA_EXEC_PROFILE (AA_EXEC_MOD_1)
> #define AA_EXEC_LOCAL (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
>
> -#define AA_VALID_PERMS (AA_FILE_PERMS |
> AA_PTRACE_PERMS | \
> - AA_OTHER_PERMS)
> +#define AA_VALID_PERMS (AA_FILE_PERMS | AA_OTHER_PERMS)
>
> #define AA_USER_EXEC (AA_MAY_EXEC << AA_USER_SHIFT)
> #define AA_OTHER_EXEC (AA_MAY_EXEC << AA_OTHER_SHIFT)
> --- 2.9-test.orig/parser/parser_alias.c
> +++ 2.9-test/parser/parser_alias.c
> @@ -120,8 +120,7 @@
> len = strlen((*t)->from);
>
> list_for_each(target_list, entry) {
> - if (entry->mode & (AA_SHARED_PERMS & AA_PTRACE_PERMS) ||
> - entry->alias_ignore)
> + if ((entry->mode & AA_SHARED_PERMS) || entry->alias_ignore)
> continue;
> if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
> char *n = do_alias(*t, entry->name);
> --- 2.9-test.orig/parser/parser_merge.c
> +++ 2.9-test/parser/parser_merge.c
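Review bot: In the @@ -81 hunk of immunix.h the new `AA_VALID_PERMS` is `(AA_FILE_PERMS | AA_OTHER_PERMS)`, yet the @@ -56 hunk on the same file shows `AA_FILE_PERMS` already expanding to `(AA_USER_PERMS | AA_OTHER_PERMS)`, so the second term is redundant and suggests a third permission class that no longer exists; `#define AA_VALID_PERMS (AA_FILE_PERMS)` states the intent. Bits 28 and 29 are now unassigned between `AA_FILE_PERMS` and `AA_CHANGE_HAT`; if they are meant to stay reserved because the kernel side once saw them, a one-line comment such as `/* bits 28-29: formerly ptrace, reserved */` would keep a later change from silently reusing them.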
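Review bot: The parser_alias.c hunk changes more than it removes: the old test `entry->mode & (AA_SHARED_PERMS & AA_PTRACE_PERMS)` masks with the bitwise AND of the two perm sets, and since `AA_PTRACE_PERMS` is bits 28 and 29 (see the immunix.h hunk above), that intersection is presumably zero, so the `continue` was reached only through `entry->alias_ignore`. The new `(entry->mode & AA_SHARED_PERMS) || entry->alias_ignore` now skips alias rewriting for every entry carrying a shared-perm bit, which the commit message (ptrace never used) does not claim. If the goal is purely to drop ptrace, the condition reduces to `if (entry->alias_ignore)`; if the old `&` was a typo for `|` and the new behaviour is wanted, say so in the description so the change to aliasing is reviewed on its own merits. The enclosing function and the `list_for_each` loop start and end outside the hunk.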
> @@ -65,12 +65,6 @@
> if ((*e1)->deny != (*e2)->deny)
> return (*e1)->deny < (*e2)->deny ? -1 : 1;
>
> - /* rules with ptrace and change_profile can only merge with
> - * rules with exact same perm */
> - if (((*e1)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)) !=
> - ((*e2)->mode & (AA_CHANGE_PROFILE | AA_PTRACE_PERMS)))
> - return 1;
> -
> return strcmp((*e1)->name, (*e2)->name);
> }
>
> --- 2.9-test.orig/parser/parser_regex.c
> +++ 2.9-test/parser/parser_regex.c
> @@ -493,8 +493,6 @@
> if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
> entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
>
> - /* relying on ptrace and change_profile not getting merged earlier */
>
> /* the link bit on the first pair entry should not get masked
> * out by a deny rule, as both pieces of the link pair must
> * match. audit info for the link is carried on the second
> @@ -556,19 +554,6 @@
> if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec,
> dfaflags))
> return FALSE;
> }
> - if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
> - int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
> - if (entry->ns) {
> - const char *vec[2];
> - vec[0] = entry->ns;
> - vec[1] = entry->name;
> - if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec,
> dfaflags))
> - return FALSE;
> - } else {
> - if (!aare_add_rule(dfarules, entry->name, 0, mode, 0,
> dfaflags))
> - return FALSE;
> - }
> - }
> return TRUE;
> }
>
> --- 2.9-test.orig/parser/parser_yacc.y
> +++ 2.9-test/parser/parser_yacc.y
> @@ -203,7 +203,6 @@
> %type <user_entry> file_rule
> %type <user_entry> file_rule_tail
> %type <user_entry> link_rule
> -%type <user_entry> ptrace_rule
> %type <user_entry> frule
> %type <mnt_entry> mnt_rule
> %type <cond_entry> opt_conds
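Review bot: Deleting the whole block in the parser_merge.c hunk also drops the `AA_CHANGE_PROFILE` half of the guard, so two entries with the same name and deny flag but different change_profile bits now compare equal and are eligible for merging, which a commit described as removing unused ptrace support does not cover. If that widening is not intended, keep the narrowed check `if (((*e1)->mode & AA_CHANGE_PROFILE) != ((*e2)->mode & AA_CHANGE_PROFILE)) return 1;` with its comment reduced to change_profile. The reminder removed in the parser_regex.c @@ -493 hunk (`relying on ptrace and change_profile not getting merged earlier`) documents that dependency and should likewise survive in a change_profile-only form rather than disappear. The comparison function begins outside the hunk, so I cannot tell whether an earlier test already separates these entries.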
> @@ -558,9 +557,9 @@
> yyerror(_("Invalid mode, 'x' must be preceded by exec
> qualifier 'i', 'p', 'c', or 'u'"));
>
> if ($2.owner == 1)
> - $3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS |
> AA_USER_PTRACE);
> + $3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
> else if ($2.owner == 2)
> - $3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS |
> AA_OTHER_PTRACE);
> + $3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
> /* only set audit ctl quieting if the rule is not audited */
> if (($2.deny && !$2.audit) || (!$2.deny && $2.audit))
> $3->audit = $3->mode & ~ALL_AA_EXEC_TYPE;
> @@ -589,9 +588,9 @@
> yyerror(_("Invalid mode, 'x' must be
> preceded by exec qualifier 'i', 'p', or 'u'"));
> }
> if ($2.owner == 1)
> - entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS
> | AA_USER_PTRACE);
> + entry->mode &= (AA_USER_PERMS |
> AA_SHARED_PERMS);
> else if ($2.owner == 2)
> - entry->mode &= (AA_OTHER_PERMS |
> AA_SHARED_PERMS | AA_OTHER_PTRACE);
> + entry->mode &= (AA_OTHER_PERMS |
> AA_SHARED_PERMS);
>
> if ($2.audit && !entry->deny)
> entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
> @@ -953,7 +952,6 @@
>
> rule: file_rule { $$ = $1; }
> | link_rule { $$ = $1; }
> - | ptrace_rule {$$ = $1; }
>
> opt_unsafe: { /* nothing */ $$ = 0; }
> | TOK_UNSAFE { $$ = 1; };
> @@ -1032,24 +1030,6 @@
> $$ = entry;
> };
>
> -ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
> - {
> - struct cod_entry *entry;
> - entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE,
> NULL);
> - if (!entry)
> - yyerror(_("Memory allocation error."));
> - $$ = entry;
> - };
> -
> -ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
> - {
> - struct cod_entry *entry;
> - entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE,
> NULL);
> - if (!entry)
> - yyerror(_("Memory allocation error."));
> - $$ = entry;
> - };
> -
> network_rule: TOK_NETWORK TOK_END_OF_RULE
> {
> size_t family;
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
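Review bot: Both `ptrace_rule` productions go away here, but the diffstat lists no lexer file and no visible hunk touches the token declaration, so if the lexer still returns TOK_PTRACE the token becomes dead in the grammar and a profile that still contains a ptrace line fails with a generic syntax error instead of a message naming the unsupported rule. Either remove the token from the lexer and the `%token` list in the same change, or keep a single production that rejects it explicitly, e.g. `ptrace_rule: TOK_PTRACE { yyerror(_("ptrace rules are not supported")); }` (example wording), in which case the `rule:` alternative and the `%type` line removed in the earlier parser_yacc.y hunks would need to stay.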
