apparmor/parser/libapparmor_re/apparmor_re.h

/*   $Id$
 *
 *   Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.
 *   (All rights reserved)
 *
 *   The libapparmor library is licensed under the terms of the GNU
 *   Lesser General Public License, version 2.1. Please see the file
 *   COPYING.LGPL.
 */

#ifndef APPARMOR_RE_H
#define APPARMOR_RE_H

typedef enum dfaflags {
  DFA_CONTROL_EQUIV =		1 << 0,
  DFA_CONTROL_NO_TREE_NORMAL =	1 << 1,
  DFA_CONTROL_NO_TREE_SIMPLE =	1 << 2,
  DFA_CONTROL_TREE_LEFT =	1 << 3,
  DFA_CONTROL_NO_MINIMIZE =	1 << 4,
  DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
  DFA_CONTROL_MINIMIZE_HASH_PERMS = 1 << 6,
  DFA_CONTROL_NO_UNREACHABLE =	1 << 7,
  DFA_CONTROL_TRANS_HIGH =	1 << 8,

  DFA_DUMP_TREE_STATS =		1 << 16,
  DFA_DUMP_TREE =		1 << 17,
  DFA_DUMP_SIMPLE_TREE =	1 << 18,
  DFA_DUMP_PROGRESS =		1 << 19,
  DFA_DUMP_STATS =		1 << 20,
  DFA_DUMP_STATES =		1 << 21,
  DFA_DUMP_GRAPH =		1 << 22,
  DFA_DUMP_TRANS_PROGRESS =	1 << 23,
  DFA_DUMP_TRANS_STATS =	1 << 24,
  DFA_DUMP_TRANS_TABLE =	1 << 25,
  DFA_DUMP_EQUIV =		1 << 26,
  DFA_DUMP_EQUIV_STATS =	1 << 27,
  DFA_DUMP_MINIMIZE =		1 << 28,
  DFA_DUMP_UNREACHABLE =	1 << 29,
  DFA_DUMP_RULE_EXPR =		1 << 30,
} dfaflags_t;

#ifdef __cplusplus
extern "C" {
#endif

struct aare_ruleset;

typedef struct aare_ruleset aare_ruleset_t;

aare_ruleset_t *aare_new_ruleset(int reverse);
void aare_delete_ruleset(aare_ruleset_t *rules);
int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
		  uint32_t perms, uint32_t audit, dfaflags_t flags);
int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
		      uint32_t audit, int count, char **rulev, dfaflags_t flags);
void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
void aare_reset_matchflags(void);

#ifdef __cplusplus
}
#endif

#endif /* APPARMOR_RE_H */
clear remaining $Id$ tags, since bzr does not suppor them 2009-11-11 10:44:26 -08:00			`/* $Id$`
update copyright dates 2007-04-11 08:12:51 +00:00			`*`
			`* Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.`
			`* (All rights reserved)`
			`*`
			`* The libapparmor library is licensed under the terms of the GNU`
			`* Lesser General Public License, version 2.1. Please see the file`
			`* COPYING.LGPL.`
			`*/`
Add dfa support to the parser 2007-02-27 02:29:16 +00:00
			`#ifndef APPARMOR_RE_H`
			`#define APPARMOR_RE_H`

Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`typedef enum dfaflags {`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`DFA_CONTROL_EQUIV = 1 << 0,`
			`DFA_CONTROL_NO_TREE_NORMAL = 1 << 1,`
			`DFA_CONTROL_NO_TREE_SIMPLE = 1 << 2,`
			`DFA_CONTROL_TREE_LEFT = 1 << 3,`
Dfa minimization and unreachable state removal Add basic Hopcroft based dfa minimization. It currently does a simple straight state comparison that can be quadratic in time to split partitions. This is offset however by using hashing to setup the initial partitions so that the number of states within a partition are relative few. The hashing of states for initial partition setup is linear in time. This means the closer the initial partition set is to the final set, the closer the algorithm is to completing in a linear time. The hashing works as follows: For each state we know the number of transitions that are not the default transition. For each of of these we hash the set of letters it can transition on using a simple djb2 hash algorithm. This creates a unique hash based on the number of transitions and the input it can transition on. If a state does not have the same hash we know it can not the same as another because it either has a different number of transitions or or transitions on a different set. To further distiguish states, the number of transitions of each transitions target state are added into the hash. This serves to further distiguish states as a transition to a state with a different number of transitions can not possibly be reduced to an equivalent state. A further distinction of states is made for accepting states in that we know each state with a unique set of accept permissions must be in its own partition to ensure the unique accept permissions are in the final dfa. The unreachable state removal is a basic walk of the dfa from the start state marking all states that are reached. It then sweeps any state not reached away. This does not do dead state removal where a non accepting state gets into a loop that will never result in an accepting state. 2010-01-20 03:32:34 -08:00			`DFA_CONTROL_NO_MINIMIZE = 1 << 4,`
Split dfa minimizing hashing into two seperately controllable hashes. The first hash does hashing on state just state transitions, which always results in a performance improvement. The second does hashing based off of accept permissions, which can create more initial states but can result in not being able to achieve a true minimum dfa. This can also lead to slowing down total dfa creation because while minimization, compression can take longer if the dfa isn't completely minimized. permission hashing is currently required, as minimization does not accumulate redundant Node permissions. 2010-11-09 11:22:54 -08:00			`DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,`
			`DFA_CONTROL_MINIMIZE_HASH_PERMS = 1 << 6,`
			`DFA_CONTROL_NO_UNREACHABLE = 1 << 7,`
			`DFA_CONTROL_TRANS_HIGH = 1 << 8,`

			`DFA_DUMP_TREE_STATS = 1 << 16,`
			`DFA_DUMP_TREE = 1 << 17,`
			`DFA_DUMP_SIMPLE_TREE = 1 << 18,`
			`DFA_DUMP_PROGRESS = 1 << 19,`
			`DFA_DUMP_STATS = 1 << 20,`
			`DFA_DUMP_STATES = 1 << 21,`
			`DFA_DUMP_GRAPH = 1 << 22,`
			`DFA_DUMP_TRANS_PROGRESS = 1 << 23,`
			`DFA_DUMP_TRANS_STATS = 1 << 24,`
			`DFA_DUMP_TRANS_TABLE = 1 << 25,`
			`DFA_DUMP_EQUIV = 1 << 26,`
			`DFA_DUMP_EQUIV_STATS = 1 << 27,`
			`DFA_DUMP_MINIMIZE = 1 << 28,`
			`DFA_DUMP_UNREACHABLE = 1 << 29,`
			`DFA_DUMP_RULE_EXPR = 1 << 30,`
Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`} dfaflags_t;`

Add dfa support to the parser 2007-02-27 02:29:16 +00:00			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif`

			`struct aare_ruleset;`

			`typedef struct aare_ruleset aare_ruleset_t;`

			`aare_ruleset_t *aare_new_ruleset(int reverse);`
			`void aare_delete_ruleset(aare_ruleset_t *rules);`
Update the parse to emit a 0 to seperate pairs in the dfa. This was always the intended behavior and fixes a bug where the dfa will match change profile rules using // seperator. 2008-03-13 16:46:19 +00:00			`int aare_add_rule(aare_ruleset_t rules, char rule, int deny,`
This adds a basic debug dump for the conversion of each rule in a profile to its expression tree. It is limited in that it doesn't currently handle the permissions of a rule. conversion output presents an aare -> prce conversion followed by 1 or more expression tree rules, governed by what the rule does. eg. aare: /** -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* eg. echo "/foo { / rwlkmix, } " \| ./apparmor_parser -QT -D rule-exprs -D expr-tree aare: /foo -> /foo aare: / -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* rule: /[^/\x00][^\x00]\x00/[^/]. -> /[^\0000/]([^\0000])\0000/[^/](.) DFA: Expression Tree (/[^\0000/]([^\0000])(((((((((((((<513>\|<2>)\|<4>)\|<8>)\|<16>)\|<32>)\|<64>)\|<8404992>)\|<32768>)\|<65536>)\|<131072>)\|<262144>)\|<524288>)\|<1048576>)\|/[^\0000/]([^\0000])\0000/[^/](.)((<16>\|<32>)\|<262144>)) This simple example shows many things 1. The profile name under goes pcre conversion. But since no regular expressions where found it doesn't generate any expr rules 2. /* is converted into the pcre expression /[^\0000/]([^\0000])* 3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then converted into expression trees. The reason for this can not be seen by the output as this is actually triggered by permissions separation for the rule. In this case the link permission is separated into what is shown as the second rule: statement. 4. DFA: Expression Tree dump shows how these rules are combined together You will notice that the rule conversion statement is fairly redundant currently as it just show pcre to expression tree pcre. This will change when direct aare parsing occurs, but currently serves to verify the pcre conversion step. It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion from an aare straight to the expression tree, and dfaflag passing will become part of the rule set. 2010-07-23 13:29:35 +02:00			`uint32_t perms, uint32_t audit, dfaflags_t flags);`
Update the parse to emit a 0 to seperate pairs in the dfa. This was always the intended behavior and fixes a bug where the dfa will match change profile rules using // seperator. 2008-03-13 16:46:19 +00:00			`int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,`
This adds a basic debug dump for the conversion of each rule in a profile to its expression tree. It is limited in that it doesn't currently handle the permissions of a rule. conversion output presents an aare -> prce conversion followed by 1 or more expression tree rules, governed by what the rule does. eg. aare: /** -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* eg. echo "/foo { / rwlkmix, } " \| ./apparmor_parser -QT -D rule-exprs -D expr-tree aare: /foo -> /foo aare: / -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* rule: /[^/\x00][^\x00]\x00/[^/]. -> /[^\0000/]([^\0000])\0000/[^/](.) DFA: Expression Tree (/[^\0000/]([^\0000])(((((((((((((<513>\|<2>)\|<4>)\|<8>)\|<16>)\|<32>)\|<64>)\|<8404992>)\|<32768>)\|<65536>)\|<131072>)\|<262144>)\|<524288>)\|<1048576>)\|/[^\0000/]([^\0000])\0000/[^/](.)((<16>\|<32>)\|<262144>)) This simple example shows many things 1. The profile name under goes pcre conversion. But since no regular expressions where found it doesn't generate any expr rules 2. /* is converted into the pcre expression /[^\0000/]([^\0000])* 3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then converted into expression trees. The reason for this can not be seen by the output as this is actually triggered by permissions separation for the rule. In this case the link permission is separated into what is shown as the second rule: statement. 4. DFA: Expression Tree dump shows how these rules are combined together You will notice that the rule conversion statement is fairly redundant currently as it just show pcre to expression tree pcre. This will change when direct aare parsing occurs, but currently serves to verify the pcre conversion step. It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion from an aare straight to the expression tree, and dfaflag passing will become part of the rule set. 2010-07-23 13:29:35 +02:00			`uint32_t audit, int count, char **rulev, dfaflags_t flags);`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`void aare_create_dfa(aare_ruleset_t rules, size_t *size, dfaflags_t flags);`
add aare_reset_matchflags() to reset match flags Signed-Off-By: Kees Cook <kees.cook@canonical.com> 2009-07-24 07:33:09 +00:00			`void aare_reset_matchflags(void);`
Add dfa support to the parser 2007-02-27 02:29:16 +00:00
			`#ifdef __cplusplus`
			`}`
			`#endif`

			`#endif /* APPARMOR_RE_H */`