From ee1a5e6e18b1d59390085cc51dc702e9692f0162 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 14 May 2024 05:02:19 -0700
Subject: [PATCH] parser: enable extended perms if supported by the kernel

Currently use of extended perms are dependent on prompt rules being present in policy. Switch to using extended perms if they are supported.

Signed-off-by: John Johansen
---
 parser/parser_main.c | 5 ++++-
 parser/parser_regex.c | 4 ++--
 parser/tst/minimize.sh | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/parser/parser_main.c b/parser/parser_main.c
index 14d05a086..a1c7d9c08 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -1583,7 +1583,10 @@ static bool get_kernel_features(struct aa_features **features)
 	}
 	kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32_version/0x000001");
 	if (kernel_supports_permstable32_v1) {
-		//fprintf(stderr, "kernel supports prompt_v1\n");
+		/* permstabl32 is broken in kernels that only support v1
+		 * so disable it
+		 */
+		kernel_supports_permstable32 = false;
 	}
 
 	/* set default prompt_compat_mode to the best that is supported */
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 3e0c945c1..6250b5d7a 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -791,7 +791,7 @@ int process_profile_regex(Profile *prof)
 	prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, &xmatch_len, prof->dfa.perms_table, parseopts, true,
-							prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
+							kernel_supports_permstable32,
 							prof->uses_prompt_rules);
 	delete prof->dfa.rules;
 	prof->dfa.rules = NULL;
@@ -1174,7 +1174,7 @@ int process_profile_policydb(Profile *prof)
 							&xmatch_len,
 							prof->policy.perms_table,
 							parseopts, false,
-							prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
+							kernel_supports_permstable32,
 							prof->uses_prompt_rules);
 	delete prof->policy.rules;
 
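Review bot: The new comment spells the feature `permstabl32` and says neither what is broken nor how a reader can tell when the override may be removed, so I would replace it with `/* permstable32 is broken in kernels that only advertise policy/permstable32_version/0x000001, so do not use the extended perms encoding on them */` and add the symptom and the first fixed kernel if the author knows them. The override is keyed purely on the v1 feature string, so a kernel that advertised v1 alongside a newer version would be treated as broken as well, if the features file can list more than one version entry; worth confirming against how `policy/permstable32_version` is exported. Because `kernel_supports_permstable32` now selects the dfablob encoding in parser_regex.c, the comment should also say that this assignment is what turns extended perms off for the whole compile. get_kernel_features starts before this hunk and continues past it.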
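Review bot: Replacing `prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2)` with `kernel_supports_permstable32` drops the `prompt_compat_mode` check, so the extended perms table is now chosen by the kernel feature alone; the same replacement is made in the process_profile_policydb hunk at line 1174 and this note covers both. If `prompt_compat_mode` can still end up as something other than PROMPT_COMPAT_PERMSV2 while `kernel_supports_permstable32` is true (via an option or the default chosen in get_kernel_features), the two settings can now disagree and the blob would carry a perms table the selected prompt mode does not expect; whether that combination is reachable is not visible in this hunk. A one-line comment at the call site, `/* extended perms table whenever the kernel supports permstable32, independent of prompt rules */`, would make the new contract explicit. process_profile_regex starts before the hunk.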
diff --git a/parser/tst/minimize.sh b/parser/tst/minimize.sh
index 93bbd17a2..054831fe8 100755
--- a/parser/tst/minimize.sh
+++ b/parser/tst/minimize.sh
@@ -155,7 +155,7 @@ echo "ok"
 ## NOTE: change count from 6 to 7 when extend perms is not dependent on
 ## prompt rules being present
 echo -n "Minimize profiles extended no-filter audit deny perms "
-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 7 ] ; then
 	echo "failed"
 	exit 1;
 fi
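Review bot: The two context lines `## NOTE: change count from 6 to 7 when extend perms is not dependent on` / `## prompt rules being present` describe exactly the change this commit makes, so they become stale the moment the expected count is 7; drop them or reword them to state why 7 minimized states is now the expected result for this profile. Left as is, they invite a later reader to bump the count again. Other cases in this file may carry the same NOTE, but only this one is visible here.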