apparmor/parser/libapparmor_re/apparmor_re.h

/*   $Id$
 *
 *   Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.
 *   (All rights reserved)
 *
 *   The libapparmor library is licensed under the terms of the GNU
 *   Lesser General Public License, version 2.1. Please see the file
 *   COPYING.LGPL.
 */

#ifndef APPARMOR_RE_H
#define APPARMOR_RE_H

typedef enum dfaflags {
  DFA_CONTROL_EQUIV =		1 << 0,
  DFA_CONTROL_NO_TREE_NORMAL =	1 << 1,
  DFA_CONTROL_NO_TREE_SIMPLE =	1 << 2,
  DFA_CONTROL_TREE_LEFT =	1 << 3,
  DFA_CONTROL_NO_MINIMIZE =	1 << 4,
  DFA_CONTROL_NO_HASH_PART =    1 << 5,
  DFA_CONTROL_NO_UNREACHABLE =	1 << 6,

  DFA_DUMP_TREE_STATS =		1 << 8,
  DFA_DUMP_TREE =		1 << 9,
  DFA_DUMP_SIMPLE_TREE =	1 << 10,
  DFA_DUMP_PROGRESS =		1 << 11,
  DFA_DUMP_STATS =		1 << 12,
  DFA_DUMP_STATES =		1 << 13,
  DFA_DUMP_GRAPH =		1 << 14,
  DFA_DUMP_TRANS_PROGRESS =	1 << 15,
  DFA_DUMP_TRANS_STATS =	1 << 16,
  DFA_DUMP_TRANS_TABLE =	1 << 17,
  DFA_DUMP_EQUIV =		1 << 18,
  DFA_DUMP_EQUIV_STATS =	1 << 19,
  DFA_DUMP_MINIMIZE =		1 << 20,
  DFA_DUMP_UNREACHABLE =	1 << 22,
} dfaflags_t;

#ifdef __cplusplus
extern "C" {
#endif

struct aare_ruleset;

typedef struct aare_ruleset aare_ruleset_t;

aare_ruleset_t *aare_new_ruleset(int reverse);
void aare_delete_ruleset(aare_ruleset_t *rules);
int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
		  uint32_t perms, uint32_t audit);
int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
		      uint32_t audit, int count, char **rulev);
void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
void aare_reset_matchflags(void);

#ifdef __cplusplus
}
#endif

#endif /* APPARMOR_RE_H */
clear remaining $Id$ tags, since bzr does not suppor them 2009-11-11 10:44:26 -08:00			`/* $Id$`
update copyright dates 2007-04-11 08:12:51 +00:00			`*`
			`* Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.`
			`* (All rights reserved)`
			`*`
			`* The libapparmor library is licensed under the terms of the GNU`
			`* Lesser General Public License, version 2.1. Please see the file`
			`* COPYING.LGPL.`
			`*/`
Add dfa support to the parser 2007-02-27 02:29:16 +00:00
			`#ifndef APPARMOR_RE_H`
			`#define APPARMOR_RE_H`

Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`typedef enum dfaflags {`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`DFA_CONTROL_EQUIV = 1 << 0,`
			`DFA_CONTROL_NO_TREE_NORMAL = 1 << 1,`
			`DFA_CONTROL_NO_TREE_SIMPLE = 1 << 2,`
			`DFA_CONTROL_TREE_LEFT = 1 << 3,`
Dfa minimization and unreachable state removal Add basic Hopcroft based dfa minimization. It currently does a simple straight state comparison that can be quadratic in time to split partitions. This is offset however by using hashing to setup the initial partitions so that the number of states within a partition are relative few. The hashing of states for initial partition setup is linear in time. This means the closer the initial partition set is to the final set, the closer the algorithm is to completing in a linear time. The hashing works as follows: For each state we know the number of transitions that are not the default transition. For each of of these we hash the set of letters it can transition on using a simple djb2 hash algorithm. This creates a unique hash based on the number of transitions and the input it can transition on. If a state does not have the same hash we know it can not the same as another because it either has a different number of transitions or or transitions on a different set. To further distiguish states, the number of transitions of each transitions target state are added into the hash. This serves to further distiguish states as a transition to a state with a different number of transitions can not possibly be reduced to an equivalent state. A further distinction of states is made for accepting states in that we know each state with a unique set of accept permissions must be in its own partition to ensure the unique accept permissions are in the final dfa. The unreachable state removal is a basic walk of the dfa from the start state marking all states that are reached. It then sweeps any state not reached away. This does not do dead state removal where a non accepting state gets into a loop that will never result in an accepting state. 2010-01-20 03:32:34 -08:00			`DFA_CONTROL_NO_MINIMIZE = 1 << 4,`
			`DFA_CONTROL_NO_HASH_PART = 1 << 5,`
			`DFA_CONTROL_NO_UNREACHABLE = 1 << 6,`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00
Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`DFA_DUMP_TREE_STATS = 1 << 8,`
			`DFA_DUMP_TREE = 1 << 9,`
			`DFA_DUMP_SIMPLE_TREE = 1 << 10,`
			`DFA_DUMP_PROGRESS = 1 << 11,`
			`DFA_DUMP_STATS = 1 << 12,`
			`DFA_DUMP_STATES = 1 << 13,`
			`DFA_DUMP_GRAPH = 1 << 14,`
			`DFA_DUMP_TRANS_PROGRESS = 1 << 15,`
			`DFA_DUMP_TRANS_STATS = 1 << 16,`
			`DFA_DUMP_TRANS_TABLE = 1 << 17,`
			`DFA_DUMP_EQUIV = 1 << 18,`
			`DFA_DUMP_EQUIV_STATS = 1 << 19,`
Dfa minimization and unreachable state removal Add basic Hopcroft based dfa minimization. It currently does a simple straight state comparison that can be quadratic in time to split partitions. This is offset however by using hashing to setup the initial partitions so that the number of states within a partition are relative few. The hashing of states for initial partition setup is linear in time. This means the closer the initial partition set is to the final set, the closer the algorithm is to completing in a linear time. The hashing works as follows: For each state we know the number of transitions that are not the default transition. For each of of these we hash the set of letters it can transition on using a simple djb2 hash algorithm. This creates a unique hash based on the number of transitions and the input it can transition on. If a state does not have the same hash we know it can not the same as another because it either has a different number of transitions or or transitions on a different set. To further distiguish states, the number of transitions of each transitions target state are added into the hash. This serves to further distiguish states as a transition to a state with a different number of transitions can not possibly be reduced to an equivalent state. A further distinction of states is made for accepting states in that we know each state with a unique set of accept permissions must be in its own partition to ensure the unique accept permissions are in the final dfa. The unreachable state removal is a basic walk of the dfa from the start state marking all states that are reached. It then sweeps any state not reached away. This does not do dead state removal where a non accepting state gets into a loop that will never result in an accepting state. 2010-01-20 03:32:34 -08:00			`DFA_DUMP_MINIMIZE = 1 << 20,`
			`DFA_DUMP_UNREACHABLE = 1 << 22,`
Add basic dfa stats and debug dumps for equivelence classes expr tree (add stats, update parser switch) dfa transition table 2010-01-08 02:17:45 -08:00			`} dfaflags_t;`

Add dfa support to the parser 2007-02-27 02:29:16 +00:00			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif`

			`struct aare_ruleset;`

			`typedef struct aare_ruleset aare_ruleset_t;`

			`aare_ruleset_t *aare_new_ruleset(int reverse);`
			`void aare_delete_ruleset(aare_ruleset_t *rules);`
Update the parse to emit a 0 to seperate pairs in the dfa. This was always the intended behavior and fixes a bug where the dfa will match change profile rules using // seperator. 2008-03-13 16:46:19 +00:00			`int aare_add_rule(aare_ruleset_t rules, char rule, int deny,`
			`uint32_t perms, uint32_t audit);`
			`int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,`
			`uint32_t audit, int count, char **rulev);`
Add basic controls for dfa optimization 2010-01-08 04:30:56 -08:00			`void aare_create_dfa(aare_ruleset_t rules, size_t *size, dfaflags_t flags);`
add aare_reset_matchflags() to reset match flags Signed-Off-By: Kees Cook <kees.cook@canonical.com> 2009-07-24 07:33:09 +00:00			`void aare_reset_matchflags(void);`
Add dfa support to the parser 2007-02-27 02:29:16 +00:00
			`#ifdef __cplusplus`
			`}`
			`#endif`

			`#endif /* APPARMOR_RE_H */`