parser: minimization - remove unnecessary second minimization pass

Moving apply_and_clear_deny() before the first minimization pass, which was necessary to propperly support building accept information for older none extended permission dfas, allows us to also get rid of doing a second minimization pass if we want to force clearing explicit deny info from extended permission tables. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 06:16:03 +00:00 · 2024-05-10 03:06:22 -07:00
parent 1fa45b7c1f
commit 2737cb2c2b
21 changed files with 477 additions and 150 deletions
--- a/parser/mqueue.cc
+++ b/parser/mqueue.cc
@@ -231,10 +231,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 			/* store perms at name match so label doesn't need
 			 * to be checked
 			 */
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(
+						priority,
+						rule_mode,
+						map_mqueue_perms(perms),
+						audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
+						vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(priority,
+						rule_mode,
+						map_mqueue_perms(perms),
+						audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0,
+						size, vec, parseopts, false))
 				goto fail;
 		}
 	}
@@ -266,10 +275,19 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		}

 		if (perms & AA_VALID_SYSV_MQ_PERMS) {
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
+			if (!label &&
+			    !prof.policy.rules->add_rule_vec(priority,
+						rule_mode,
+						map_mqueue_perms(perms),
+						audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1,
+						vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(priority,
+						rule_mode,
+						map_mqueue_perms(perms),
+						audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0,
+						size, vec, parseopts, false))
 				goto fail;
 		}
 	}