apparmor/parser/libapparmor_re/apparmor_re.h

/*   $Id$
 *
 *   Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.
 *   (All rights reserved)
 *
 *   The libapparmor library is licensed under the terms of the GNU
 *   Lesser General Public License, version 2.1. Please see the file
 *   COPYING.LGPL.
 */

#ifndef APPARMOR_RE_H
#define APPARMOR_RE_H

typedef enum dfaflags {
  DFA_CONTROL_EQUIV =		1 << 0,
  DFA_CONTROL_TREE_NORMAL =	1 << 1,
  DFA_CONTROL_TREE_SIMPLE =	1 << 2,
  DFA_CONTROL_TREE_LEFT =	1 << 3,
  DFA_CONTROL_MINIMIZE =	1 << 4,
  DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
  DFA_CONTROL_MINIMIZE_HASH_PERMS = 1 << 6,
  DFA_CONTROL_REMOVE_UNREACHABLE =	1 << 7,
  DFA_CONTROL_TRANS_HIGH =	1 << 8,

  DFA_DUMP_TREE_STATS =		1 << 16,
  DFA_DUMP_TREE =		1 << 17,
  DFA_DUMP_SIMPLE_TREE =	1 << 18,
  DFA_DUMP_PROGRESS =		1 << 19,
  DFA_DUMP_STATS =		1 << 20,
  DFA_DUMP_STATES =		1 << 21,
  DFA_DUMP_GRAPH =		1 << 22,
  DFA_DUMP_TRANS_PROGRESS =	1 << 23,
  DFA_DUMP_TRANS_STATS =	1 << 24,
  DFA_DUMP_TRANS_TABLE =	1 << 25,
  DFA_DUMP_EQUIV =		1 << 26,
  DFA_DUMP_EQUIV_STATS =	1 << 27,
  DFA_DUMP_MINIMIZE =		1 << 28,
  DFA_DUMP_UNREACHABLE =	1 << 29,
  DFA_DUMP_RULE_EXPR =		1 << 30,
} dfaflags_t;

#ifdef __cplusplus
extern "C" {
#endif

struct aare_ruleset;

typedef struct aare_ruleset aare_ruleset_t;

aare_ruleset_t *aare_new_ruleset(int reverse);
void aare_delete_ruleset(aare_ruleset_t *rules);
int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
		  uint32_t perms, uint32_t audit, dfaflags_t flags);
int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
		      uint32_t audit, int count, char **rulev, dfaflags_t flags);
void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
void aare_reset_matchflags(void);

#ifdef __cplusplus
}
#endif

#endif /* APPARMOR_RE_H */
clear remaining $Id$ tags, since bzr does not suppor them 2009-11-11 10:44:26 -08:00			`/* $Id$`
update copyright dates 2007-04-11 08:12:51 +00:00			`*`
			`* Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.`
			`* (All rights reserved)`
			`*`
			`* The libapparmor library is licensed under the terms of the GNU`
			`* Lesser General Public License, version 2.1. Please see the file`
			`* COPYING.LGPL.`
			`*/`
Add dfa support to the parser 2007-02-27 02:29:16 +00:00
			`#ifndef APPARMOR_RE_H`
			`#define APPARMOR_RE_H`

Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`typedef enum dfaflags {`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`DFA_CONTROL_EQUIV = 1 << 0,`
The dfa flags currently are a weird mix of position and negative assertions. Its cleaner just to have them all assert one way and let the cmd line options apply them correctly. 2010-11-09 11:23:45 -08:00			`DFA_CONTROL_TREE_NORMAL = 1 << 1,`
			`DFA_CONTROL_TREE_SIMPLE = 1 << 2,`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`DFA_CONTROL_TREE_LEFT = 1 << 3,`
The dfa flags currently are a weird mix of position and negative assertions. Its cleaner just to have them all assert one way and let the cmd line options apply them correctly. 2010-11-09 11:23:45 -08:00			`DFA_CONTROL_MINIMIZE = 1 << 4,`
Split dfa minimizing hashing into two seperately controllable hashes. The first hash does hashing on state just state transitions, which always results in a performance improvement. The second does hashing based off of accept permissions, which can create more initial states but can result in not being able to achieve a true minimum dfa. This can also lead to slowing down total dfa creation because while minimization, compression can take longer if the dfa isn't completely minimized. permission hashing is currently required, as minimization does not accumulate redundant Node permissions. 2010-11-09 11:22:54 -08:00			`DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,`
			`DFA_CONTROL_MINIMIZE_HASH_PERMS = 1 << 6,`
The dfa flags currently are a weird mix of position and negative assertions. Its cleaner just to have them all assert one way and let the cmd line options apply them correctly. 2010-11-09 11:23:45 -08:00			`DFA_CONTROL_REMOVE_UNREACHABLE = 1 << 7,`
Split dfa minimizing hashing into two seperately controllable hashes. The first hash does hashing on state just state transitions, which always results in a performance improvement. The second does hashing based off of accept permissions, which can create more initial states but can result in not being able to achieve a true minimum dfa. This can also lead to slowing down total dfa creation because while minimization, compression can take longer if the dfa isn't completely minimized. permission hashing is currently required, as minimization does not accumulate redundant Node permissions. 2010-11-09 11:22:54 -08:00			`DFA_CONTROL_TRANS_HIGH = 1 << 8,`

			`DFA_DUMP_TREE_STATS = 1 << 16,`
			`DFA_DUMP_TREE = 1 << 17,`
			`DFA_DUMP_SIMPLE_TREE = 1 << 18,`
			`DFA_DUMP_PROGRESS = 1 << 19,`
			`DFA_DUMP_STATS = 1 << 20,`
			`DFA_DUMP_STATES = 1 << 21,`
			`DFA_DUMP_GRAPH = 1 << 22,`
			`DFA_DUMP_TRANS_PROGRESS = 1 << 23,`
			`DFA_DUMP_TRANS_STATS = 1 << 24,`
			`DFA_DUMP_TRANS_TABLE = 1 << 25,`
			`DFA_DUMP_EQUIV = 1 << 26,`
			`DFA_DUMP_EQUIV_STATS = 1 << 27,`
			`DFA_DUMP_MINIMIZE = 1 << 28,`
			`DFA_DUMP_UNREACHABLE = 1 << 29,`
			`DFA_DUMP_RULE_EXPR = 1 << 30,`
Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`} dfaflags_t;`

Add dfa support to the parser 2007-02-27 02:29:16 +00:00			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif`

			`struct aare_ruleset;`

			`typedef struct aare_ruleset aare_ruleset_t;`

			`aare_ruleset_t *aare_new_ruleset(int reverse);`
			`void aare_delete_ruleset(aare_ruleset_t *rules);`
Update the parse to emit a 0 to seperate pairs in the dfa. This was always the intended behavior and fixes a bug where the dfa will match change profile rules using // seperator. 2008-03-13 16:46:19 +00:00			`int aare_add_rule(aare_ruleset_t rules, char rule, int deny,`
This adds a basic debug dump for the conversion of each rule in a profile to its expression tree. It is limited in that it doesn't currently handle the permissions of a rule. conversion output presents an aare -> prce conversion followed by 1 or more expression tree rules, governed by what the rule does. eg. aare: /** -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* eg. echo "/foo { / rwlkmix, } " \| ./apparmor_parser -QT -D rule-exprs -D expr-tree aare: /foo -> /foo aare: / -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* rule: /[^/\x00][^\x00]\x00/[^/]. -> /[^\0000/]([^\0000])\0000/[^/](.) DFA: Expression Tree (/[^\0000/]([^\0000])(((((((((((((<513>\|<2>)\|<4>)\|<8>)\|<16>)\|<32>)\|<64>)\|<8404992>)\|<32768>)\|<65536>)\|<131072>)\|<262144>)\|<524288>)\|<1048576>)\|/[^\0000/]([^\0000])\0000/[^/](.)((<16>\|<32>)\|<262144>)) This simple example shows many things 1. The profile name under goes pcre conversion. But since no regular expressions where found it doesn't generate any expr rules 2. /* is converted into the pcre expression /[^\0000/]([^\0000])* 3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then converted into expression trees. The reason for this can not be seen by the output as this is actually triggered by permissions separation for the rule. In this case the link permission is separated into what is shown as the second rule: statement. 4. DFA: Expression Tree dump shows how these rules are combined together You will notice that the rule conversion statement is fairly redundant currently as it just show pcre to expression tree pcre. This will change when direct aare parsing occurs, but currently serves to verify the pcre conversion step. It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion from an aare straight to the expression tree, and dfaflag passing will become part of the rule set. 2010-07-23 13:29:35 +02:00			`uint32_t perms, uint32_t audit, dfaflags_t flags);`
Update the parse to emit a 0 to seperate pairs in the dfa. This was always the intended behavior and fixes a bug where the dfa will match change profile rules using // seperator. 2008-03-13 16:46:19 +00:00			`int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,`
This adds a basic debug dump for the conversion of each rule in a profile to its expression tree. It is limited in that it doesn't currently handle the permissions of a rule. conversion output presents an aare -> prce conversion followed by 1 or more expression tree rules, governed by what the rule does. eg. aare: /** -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* eg. echo "/foo { / rwlkmix, } " \| ./apparmor_parser -QT -D rule-exprs -D expr-tree aare: /foo -> /foo aare: / -> /[^/\x00][^\x00]* rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])* rule: /[^/\x00][^\x00]\x00/[^/]. -> /[^\0000/]([^\0000])\0000/[^/](.) DFA: Expression Tree (/[^\0000/]([^\0000])(((((((((((((<513>\|<2>)\|<4>)\|<8>)\|<16>)\|<32>)\|<64>)\|<8404992>)\|<32768>)\|<65536>)\|<131072>)\|<262144>)\|<524288>)\|<1048576>)\|/[^\0000/]([^\0000])\0000/[^/](.)((<16>\|<32>)\|<262144>)) This simple example shows many things 1. The profile name under goes pcre conversion. But since no regular expressions where found it doesn't generate any expr rules 2. /* is converted into the pcre expression /[^\0000/]([^\0000])* 3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then converted into expression trees. The reason for this can not be seen by the output as this is actually triggered by permissions separation for the rule. In this case the link permission is separated into what is shown as the second rule: statement. 4. DFA: Expression Tree dump shows how these rules are combined together You will notice that the rule conversion statement is fairly redundant currently as it just show pcre to expression tree pcre. This will change when direct aare parsing occurs, but currently serves to verify the pcre conversion step. It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion from an aare straight to the expression tree, and dfaflag passing will become part of the rule set. 2010-07-23 13:29:35 +02:00			`uint32_t audit, int count, char **rulev, dfaflags_t flags);`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`void aare_create_dfa(aare_ruleset_t rules, size_t *size, dfaflags_t flags);`
add aare_reset_matchflags() to reset match flags Signed-Off-By: Kees Cook <kees.cook@canonical.com> 2009-07-24 07:33:09 +00:00			`void aare_reset_matchflags(void);`
Add dfa support to the parser 2007-02-27 02:29:16 +00:00
			`#ifdef __cplusplus`
			`}`
			`#endif`

			`#endif /* APPARMOR_RE_H */`