
parser: drop unused create_welded_dfablob and related code

There is no reason for the parser to stitch 2 dfas together this way.
In the future there will be better ways to do this using uncompressed
dfas.

Dropping this also allows for some simplification, in other parts of
the code.

Drop the dead/unused code

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2025-07-30 16:46:02 -07:00
parent 0f36070a54
commit 0430080a16
5 changed files with 11 additions and 216 deletions


@ -203,7 +203,7 @@ bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm,
CHFA *aare_rules::create_chfa(int *min_match_len, CHFA *aare_rules::create_chfa(int *min_match_len,
vector <aa_perms> &perms_table, vector <aa_perms> &perms_table,
optflags const &opts, bool filedfa, optflags const &opts, bool filedfa,
bool extended_perms, bool prompt) bool extended_perms)
{ {
/* finish constructing the expr tree from the different permission /* finish constructing the expr tree from the different permission
* set nodes */ * set nodes */
@ -329,7 +329,7 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
cerr << "\n"; cerr << "\n";
} }
} }
chfa = new CHFA(dfa, eq, opts, extended_perms, prompt); chfa = new CHFA(dfa, eq, opts, extended_perms);
if (opts.dump & DUMP_DFA_TRANS_TABLE) if (opts.dump & DUMP_DFA_TRANS_TABLE)
chfa->dump(cerr); chfa->dump(cerr);
if (opts.dump & DUMP_DFA_COMPTRESSED_STATES) if (opts.dump & DUMP_DFA_COMPTRESSED_STATES)
@ -350,15 +350,14 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
void *aare_rules::create_dfablob(size_t *size, int *min_match_len, void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
vector <aa_perms> &perms_table, vector <aa_perms> &perms_table,
optflags const &opts, bool filedfa, optflags const &opts, bool filedfa,
bool extended_perms, bool prompt) bool extended_perms)
{ {
char *buffer = NULL; char *buffer = NULL;
stringstream stream; stringstream stream;
try { try {
CHFA *chfa = create_chfa(min_match_len, perms_table, CHFA *chfa = create_chfa(min_match_len, perms_table,
opts, filedfa, extended_perms, opts, filedfa, extended_perms);
prompt);
if (!chfa) { if (!chfa) {
*size = 0; *size = 0;
return NULL; return NULL;
@ -383,82 +382,3 @@ void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
return buffer; return buffer;
} }
/* create a dfa from the ruleset
* returns: buffer contain dfa tables, @size set to the size of the tables
* else NULL on failure, @min_match_len set to the shortest string
* that can match the dfa for determining xmatch priority.
*/
void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
size_t *size, int *min_match_len,
size_t *new_start,
vector <aa_perms> &perms_table,
optflags const &opts,
bool extended_perms, bool prompt)
{
int file_min_len;
vector <aa_perms> file_perms;
CHFA *file_chfa;
try {
file_chfa = file_rules->create_chfa(&file_min_len,
file_perms, opts,
true, extended_perms, prompt);
if (!file_chfa) {
*size = 0;
return NULL;
}
}
catch(int error) {
*size = 0;
return NULL;
}
CHFA *policy_chfa;
try {
policy_chfa = create_chfa(min_match_len,
perms_table, opts,
false, extended_perms, prompt);
if (!policy_chfa) {
delete file_chfa;
*size = 0;
return NULL;
}
}
catch(int error) {
delete file_chfa;
*size = 0;
return NULL;
}
stringstream stream;
try {
policy_chfa->weld_file_to_policy(*file_chfa, *new_start,
extended_perms, prompt,
perms_table, file_perms);
policy_chfa->flex_table(stream, opts);
}
catch(int error) {
delete (file_chfa);
delete (policy_chfa);
*size = 0;
return NULL;
}
delete file_chfa;
delete policy_chfa;
/* write blob to buffer */
stringbuf *buf = stream.rdbuf();
buf->pubseekpos(0);
*size = buf->in_avail();
if (file_min_len < *min_match_len)
*min_match_len = file_min_len;
char *buffer = (char *)malloc(*size);
if (!buffer)
return NULL;
buf->sgetn(buffer, *size);
return buffer;
}
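Review bot: The `prompt` parameter is removed from `create_chfa` and `create_dfablob` (the new signatures at L29 and L45) and from the `CHFA` constructor call at L37, which is a second API change on top of the welded-blob removal the title announces; it is only safe if the constructor body never read `prompt`, and that body is outside these hunks. A sentence in the description such as `The prompt flag was only consumed by the welding path, so it is dropped from create_chfa, create_dfablob and the CHFA constructor as well.` would let anyone bisecting a prompt-related regression find this commit. If the header comments above `create_chfa` and `create_dfablob` (outside the hunks) list a `@prompt` entry, it should go with the parameter. The same signature change is mirrored in the header and `chfa.cc` sections below.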


@ -123,17 +123,11 @@ class aare_rules {
CHFA *create_chfa(int *min_match_len, CHFA *create_chfa(int *min_match_len,
std::vector <aa_perms> &perms_table, std::vector <aa_perms> &perms_table,
optflags const &opts, bool filedfa, optflags const &opts, bool filedfa,
bool extended_perms, bool prompt); bool extended_perms);
void *create_dfablob(size_t *size, int *min_match_len, void *create_dfablob(size_t *size, int *min_match_len,
std::vector <aa_perms> &perms_table, std::vector <aa_perms> &perms_table,
optflags const &opts, optflags const &opts,
bool filedfa, bool extended_perms, bool prompt); bool filedfa, bool extended_perms);
void *create_welded_dfablob(aare_rules *file_rules,
size_t *size, int *min_match_len,
size_t *new_start,
std::vector <aa_perms> &perms_table,
optflags const &opts,
bool extended_perms, bool prompt);
}; };
#endif /* __LIBAA_RE_RULES_H */ #endif /* __LIBAA_RE_RULES_H */


@ -59,7 +59,7 @@ void CHFA::init_free_list(vector<pair<size_t, size_t> > &free_list,
* permtable index flag * permtable index flag
*/ */
CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts, CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
bool permindex, bool prompt): eq(eq) bool permindex): eq(eq)
{ {
if (opts.dump & DUMP_DFA_TRANS_PROGRESS) if (opts.dump & DUMP_DFA_TRANS_PROGRESS)
fprintf(stderr, "Compressing HFA:\r"); fprintf(stderr, "Compressing HFA:\r");
@ -515,116 +515,3 @@ void CHFA::flex_table(ostream &os, optflags const &opts) {
flex_table_serialize<uint16_t>(*this, os, (1 << 16) - 1); flex_table_serialize<uint16_t>(*this, os, (1 << 16) - 1);
} }
} }
/*
* @file_chfa: chfa to add on to the policy chfa
* @new_start: new start state for where the @file_dfa is in the new chfa
*
* Make a new chfa that is a combination of policy and file chfas. It
* assumes policy is built with AA_CLASS_FILE support transition. The
* resultant chfa will have file states and indexes offset except for
* start and null states.
*
* NOTE:
* - modifies chfa
* requires:
* - no ec
* - policy chfa has transitions state[start].next[AA_CLASS_FILE]
* - policy perms table is build if using permstable
*/
void CHFA::weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
bool accept_idx, bool prompt,
vector <aa_perms> &policy_perms,
vector <aa_perms> &file_perms)
{
// doesn't support remapping eq classes yet
if (eq.size() > 0 || file_chfa.eq.size() > 0)
throw 1;
size_t old_base_size = default_base.size();
size_t old_next_size = next_check.size();
const State *nonmatching = default_base[0].first;
//const State *start = default_base[1].first;
const State *file_nonmatching = file_chfa.default_base[0].first;
// renumber states from file_dfa by appending to policy dfa
num.insert(make_pair(file_nonmatching, 0)); // remap to policy nonmatching
for (map<const State *, size_t>::iterator i = file_chfa.num.begin(); i != file_chfa.num.end() ; i++) {
if (i->first == file_nonmatching)
continue;
num.insert(make_pair(i->first, i->second + old_base_size));
}
// handle default and base table expansion, and setup renumbering
// while we remap file_nonmatch within the table, we still keep its
// slot.
bool first = true;
for (DefaultBase::iterator i = file_chfa.default_base.begin(); i != file_chfa.default_base.end(); i++) {
const State *def;
size_t base;
if (first) {
first = false;
// remap file_nonmatch to nonmatch
def = nonmatching;
base = 0;
} else {
def = i->first;
base = i->second + old_next_size;
}
default_base.push_back(make_pair(def, base));
}
// mapping for these are handled by num[]
for (NextCheck::iterator i = file_chfa.next_check.begin(); i != file_chfa.next_check.end(); i++) {
next_check.push_back(*i);
}
// append file perms to policy perms, and rework permsidx if needed
if (accept_idx) {
// policy idx double
// file + doubled offset
// Requires: policy perms table, so we can double and
// update indexes
// * file perm idx to start on even idx
// * policy perms table size to double and entries
// to repeat
assert(accept.size() == old_base_size);
accept.resize(accept.size() + file_chfa.accept.size());
assert(policy_perms.size() < std::numeric_limits<ssize_t>::max());
ssize_t size = (ssize_t) policy_perms.size();
policy_perms.resize(size*2 + file_perms.size());
// shift and double the policy perms
for (ssize_t i = size - 1; i >= 0; i--) {
policy_perms[i*2] = policy_perms[i];
policy_perms[i*2 + 1] = policy_perms[i];
}
// update policy accept idx for the new shifted perms table
for (size_t i = 0; i < old_base_size; i++) {
accept[i] = accept[i]*2;
}
// copy over file perms
for (size_t i = 0; i < file_perms.size(); i++) {
policy_perms[size*2 + i] = file_perms[i];
}
// shift file accept indexs
for (size_t i = 0; i < file_chfa.accept.size(); i++) {
accept[old_base_size + i] = file_chfa.accept[i] + size*2;
}
} else {
// perms are stored in accept just append the perms
size_t size = accept.size();
accept.resize(size + file_chfa.accept.size());
accept2.resize(size + file_chfa.accept.size());
for (size_t i = 0; i < file_chfa.accept.size(); i++) {
accept[size + i] = file_chfa.accept[i];
accept2[size + i] = file_chfa.accept2[i];
}
}
// Rework transition state[start].next[AA_CLASS_FILE]
next_check[default_base[1].second + AA_CLASS_FILE].first = file_chfa.start;
new_start = num[file_chfa.start];
}
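Review bot: The constructor's parameter documentation ends just above the changed signature at L154-L155 (`* permtable index flag` describes `permindex`), but the lines above the hunk are not shown; if that comment block has a `@prompt:` entry it is now stale and should be removed together with the parameter. Since the commit message only mentions the welded-dfa code, a short line in the constructor comment noting that permission-table layout is controlled solely by `permindex` would make the narrowed contract explicit. The constructor body continues outside the hunk.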


@ -39,7 +39,7 @@ class CHFA {
public: public:
CHFA(void); CHFA(void);
CHFA(DFA &dfa, std::map<transchar, transchar> &eq, optflags const &opts, CHFA(DFA &dfa, std::map<transchar, transchar> &eq, optflags const &opts,
bool permindex, bool prompt); bool permindex);
void dump(ostream & os); void dump(ostream & os);
void flex_table(ostream &os, optflags const &opts); void flex_table(ostream &os, optflags const &opts);
void init_free_list(std::vector<std::pair<size_t, size_t> > &free_list, void init_free_list(std::vector<std::pair<size_t, size_t> > &free_list,
@ -48,10 +48,6 @@ class CHFA {
StateTrans &cases); StateTrans &cases);
void insert_state(std::vector<std::pair<size_t, size_t> > &free_list, void insert_state(std::vector<std::pair<size_t, size_t> > &free_list,
State *state, DFA &dfa); State *state, DFA &dfa);
void weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
bool accept_idx, bool prompt,
std::vector <aa_perms> &policy_perms,
std::vector <aa_perms> &file_perms);
// private: // private:
// sigh templates suck, friend declaration does not work so for now // sigh templates suck, friend declaration does not work so for now


@ -578,7 +578,7 @@ build:
* *
* we don't need to build xmatch for permstable32, so don't * we don't need to build xmatch for permstable32, so don't
*/ */
prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false, false); prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false);
delete rules; delete rules;
if (!prof->xmatch) if (!prof->xmatch)
return false; return false;
@ -791,8 +791,7 @@ int process_profile_regex(Profile *prof)
prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size, prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
&xmatch_len, prof->dfa.perms_table, &xmatch_len, prof->dfa.perms_table,
parseopts, true, parseopts, true,
kernel_supports_permstable32, kernel_supports_permstable32);
prof->uses_prompt_rules);
delete prof->dfa.rules; delete prof->dfa.rules;
prof->dfa.rules = NULL; prof->dfa.rules = NULL;
if (!prof->dfa.dfa) if (!prof->dfa.dfa)
@ -1159,8 +1158,7 @@ int process_profile_policydb(Profile *prof)
&xmatch_len, &xmatch_len,
prof->policy.perms_table, prof->policy.perms_table,
parseopts, false, parseopts, false,
kernel_supports_permstable32, kernel_supports_permstable32);
prof->uses_prompt_rules);
delete prof->policy.rules; delete prof->policy.rules;
prof->policy.rules = NULL; prof->policy.rules = NULL;