remove support for change_hat 1.4

change_hat 1.4 was an experiement is more directly controlling change_hat
by adding hat rulles to the profile. It has not been used since the
original experiment (4 years).  So remove it

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>

parser/parser.h

@@ -217,9 +217,6 @@ struct var_string {
 
 #define BOOL int
 
-#define FLAG_CHANGEHAT_1_4  2
-#define FLAG_CHANGEHAT_1_5  3
-
 extern int preprocess_only;
 
 #define PATH_CHROOT_REL 0x1
@@ -283,7 +280,6 @@ extern int net_af_max_override;
 extern int kernel_load;
 extern int kernel_supports_network;
 extern int kernel_supports_mount;
-extern int flag_changehat_version;
 extern int conf_verbose;
 extern int conf_quiet;
 extern int names_only;

parser/parser_common.c

@@ -27,7 +27,6 @@ int net_af_max_override = -1;           /* use kernel to determine af_max */
 int kernel_load = 1;
 int kernel_supports_network = 1;        /* kernel supports network rules */
 int kernel_supports_mount = 0;	        /* kernel supports mount rules */
-int flag_changehat_version = FLAG_CHANGEHAT_1_5;
 int conf_verbose = 0;
 int conf_quiet = 0;
 int names_only = 0;

parser/parser_main.c

@@ -854,13 +854,6 @@ static void get_flags_string(char **flags, char *flags_file) {
 	(*flags)[size] = 0;
 
 	fclose(f);
-	pos = strstr(*flags, "change_hat=");
-	if (pos) {
-		if (strncmp(pos, "change_hat=1.4", 14) == 0)
-			flag_changehat_version = FLAG_CHANGEHAT_1_4;
-//fprintf(stderr, "flags string: %s\n", flags_string);
-//fprintf(stderr, "changehat %d\n", flag_changehat_version);
-	}
 	return;
 
 fail:

parser/parser_policy.c

@@ -397,28 +397,6 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
 	if ((*t)->local)
 		return;
 
-	/* add rule to grant permission to change_hat
-	 * An opensuse 11.0, AA 2.3 requirement,
-	 * rules are added to the parent of the hat
-	 */
-	if ((flag_changehat_version == FLAG_CHANGEHAT_1_4) &&
-	    (*t)->parent) {
-		char *buffer = (char *) malloc(strlen((*t)->name) + 1);
-		if (!buffer) {
-			PERROR("Memory allocation error\n");
-			exit(1);
-		}
-
-		strcpy(buffer, (*t)->name);
-
-		entry = new_entry(NULL, buffer, AA_CHANGE_HAT, NULL);
-		if (!entry) {
-			PERROR("Memory allocation error\n");
-			exit(1);
-		}
-		add_entry_to_policy((*t)->parent, entry);
-	}
-
 	entry = new_entry(NULL, strdup(CHANGEHAT_PATH), AA_MAY_WRITE, NULL);
 	if (!entry) {
 		PERROR(_("ERROR adding hat access rule for profile %s\n"),
@@ -430,56 +408,10 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
 	twalk((*t)->hat_table, __add_hat_rules_parent);
 }
 
-/* Deprecated: used to support changehat rules of AppArmor 2.3
- * add the same hat rules to the hats as the parent so that hats can
- * change to sibling hats
- */
-static void __add_hat_rules_hats(const void *nodep, const VISIT value,
-				 const int __unused depth)
-{
-	struct codomain **t = (struct codomain **) nodep;
-
-	if (value == preorder || value == endorder)
-		return;
-
-	/* don't add hat rules if a parent profile with no hats */
-	if (!(*t)->hat_table && !(*t)->parent)
-		return;
-
-	/* don't add hat rules for local_profiles */
-	if ((*t)->local)
-		return;
-
-	/* hat */
-	if ((*t)->parent) {
-		struct cod_entry *entry, *new_ent;
-		list_for_each((*t)->parent->entries, entry) {
-			if (entry->mode & AA_CHANGE_HAT) {
-				char *buffer = strdup(entry->name);
-				if (!buffer) {
-					PERROR("Memory allocation error\n");
-					exit(1);
-				}
-				new_ent = new_entry(NULL, buffer,
-						    AA_CHANGE_HAT, NULL);
-				if (!entry) {
-					PERROR("Memory allocation error\n");
-					exit(1);
-				}
-				add_entry_to_policy((*t), new_ent);
-			}
-		}
-         }
-         twalk((*t)->hat_table, __add_hat_rules_hats);
-}
-
 static int add_hat_rules(void)
 {
 	twalk(policy_list, __add_hat_rules_parent);
 
-	/* support hat rules of AppArmor 2.3 in opensuse 11.0 */
-	if (flag_changehat_version == FLAG_CHANGEHAT_1_4)
-		twalk(policy_list, __add_hat_rules_hats);
 	return 0;
 }