
parser: minimization - remove unnecessary second minimization pass

Moving apply_and_clear_deny() before the first minimization pass, which
was necessary to properly support building accept information for
older non-extended-permission DFAs, also allows us to get rid of the
second minimization pass when we want to force clearing explicit deny
info from extended permission tables.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen
2024-05-10 03:06:22 -07:00
parent 1fa45b7c1f
commit 2737cb2c2b
21 changed files with 477 additions and 150 deletions


@@ -35,6 +35,7 @@
class UniquePerm {
public:
int priority;
rule_mode_t mode;
bool exact_match;
uint32_t perms;
@@ -42,6 +43,8 @@ public:
bool operator<(UniquePerm const &rhs)const
{
if (priority < rhs.priority)
return priority < rhs.priority;
if (mode >= rhs.mode) {
if (exact_match == rhs.exact_match) {
if (perms == rhs.perms)
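Review bot: The new priority test in UniquePerm::operator< only returns early when `priority < rhs.priority`; when this priority is greater it falls through to the mode/exact_match/perms comparison, so for two keys that differ in priority both `a < b` and `b < a` can be true (e.g. higher priority but lower perms on one side), which is not a strict weak ordering. Since `nodes` is keyed on this comparator, `find()` and `insert()` may then miss an existing entry or match a node carrying a different priority or perms, which for a permission-dedup table in the policy compiler could presumably merge the wrong MatchFlag into a rule; the comparator should decide on any priority difference: `if (priority != rhs.priority) return priority < rhs.priority;`. The remainder of operator< continues outside this hunk, and the pre-existing `mode >= rhs.mode` branch has the same asymmetry but is not part of this change.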
@@ -71,21 +74,21 @@ public:
nodes.clear();
}
Node *insert(rule_mode_t mode, uint32_t perms, uint32_t audit,
bool exact_match)
Node *insert(int priority, rule_mode_t mode, uint32_t perms,
uint32_t audit, bool exact_match)
{
UniquePerm tmp = { mode, exact_match, perms, audit };
UniquePerm tmp = { priority, mode, exact_match, perms, audit };
iterator res = nodes.find(tmp);
if (res == nodes.end()) {
Node *node;
if (mode == RULE_DENY)
node = new DenyMatchFlag(perms, audit);
node = new DenyMatchFlag(priority, perms, audit);
else if (mode == RULE_PROMPT)
node = new PromptMatchFlag(perms, audit);
node = new PromptMatchFlag(priority, perms, audit);
else if (exact_match)
node = new ExactMatchFlag(perms, audit);
node = new ExactMatchFlag(priority, perms, audit);
else
node = new MatchFlag(perms, audit);
node = new MatchFlag(priority, perms, audit);
pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));
if (val.second == false)
return val.first->second;
@@ -109,11 +112,11 @@ class aare_rules {
aare_rules(int reverse): root(NULL), unique_perms(), expr_map(), reverse(reverse), rule_count(0) { };
~aare_rules();
bool add_rule(const char *rule, rule_mode_t mode, perm32_t perms,
perm32_t audit, optflags const &opts);
bool add_rule_vec(rule_mode_t mode, perm32_t perms, perm32_t audit,
int count, const char **rulev, optflags const &opts,
bool oob);
bool add_rule(const char *rule, int priority, rule_mode_t mode,
perm32_t perms, perm32_t audit, optflags const &opts);
bool add_rule_vec(int priority, rule_mode_t mode, perm32_t perms,
perm32_t audit, int count, const char **rulev,
optflags const &opts, bool oob);
bool append_rule(const char *rule, bool oob, bool with_perm, optflags const &opts);
CHFA *create_chfa(int *min_match_len,
vector <aa_perms> &perms_table,