
parser: drop priority from state permissions

The priority field is only used during state construction, and can
even prevent later optimizations like minimization. The parser already
explicitly clears the state's priority field as part of the last thing
done during construction so it doesn't prevent minimization
optimizations.

This means the state priority not only wastes storage because it is
unused post construction but if used it could introduce regressions,
or other issues.

The change to the minimization tests just removes looking for the
priority field that is no longer reported.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit cc31a0da22)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2024-12-24 01:13:45 -08:00
parent 71dbc73532
commit 29f66c3828
3 changed files with 19 additions and 44 deletions


@@ -508,11 +508,6 @@ DFA::DFA(Node *root, optflags const &opts, bool buildfiledfa): root(root), filed
*/ */
nnodes_cache.clear(); nnodes_cache.clear();
node_map.clear(); node_map.clear();
/* once created the priority information is no longer needed and
* can prevent sets with the same perms and different priorities
* from being merged during minimization
*/
clear_priorities();
} }
DFA::~DFA() DFA::~DFA()
@@ -666,13 +661,6 @@ int DFA::apply_and_clear_deny(void)
return c; return c;
} }
void DFA::clear_priorities(void)
{
for (Partition::iterator i = states.begin(); i != states.end(); i++)
(*i)->perms.priority = 0;
}
/* minimize the number of dfa states */ /* minimize the number of dfa states */
void DFA::minimize(optflags const &opts) void DFA::minimize(optflags const &opts)
@@ -1405,7 +1393,7 @@ int accept_perms(NodeVec *state, perms_t &perms, bool filedfa)
{ {
int error = 0; int error = 0;
perms_t exact; perms_t exact;
int priority = MIN_INTERNAL_PRIORITY;
perms.clear(); perms.clear();
if (!state) if (!state)
@@ -1416,12 +1404,13 @@ int accept_perms(NodeVec *state, perms_t &perms, bool filedfa)
continue; continue;
MatchFlag *match = static_cast<MatchFlag *>(*i); MatchFlag *match = static_cast<MatchFlag *>(*i);
if (perms.priority > match->priority) if (priority > match->priority)
continue; continue;
if (perms.priority < match->priority) { if (priority < match->priority) {
perms.clear(match->priority); priority = match->priority;
exact.clear(match->priority); perms.clear();
exact.clear();
} }
if (match->is_type(NODE_TYPE_EXACTMATCHFLAG)) { if (match->is_type(NODE_TYPE_EXACTMATCHFLAG)) {
/* exact match only ever happens with x */ /* exact match only ever happens with x */
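Review bot: `DFA::clear_priorities()` is deleted from hfa.cc in this section, but no hunk of the commit touches its declaration in class DFA; if hfa.h still carries `void clear_priorities(void);`, that declaration is now stale and should be removed in the same change so the header does not advertise a member with no definition. In `accept_perms` the new local `int priority = MIN_INTERNAL_PRIORITY;` keeps the old highest-priority-wins behaviour, and the `perms.clear(); exact.clear();` pair after raising `priority` corresponds to the old `clear(match->priority)` path, so the arbitration now lives only in this loop. That deserves a comment above the loop, e.g. `/* priority is resolved here: matches below the highest priority seen so far are skipped, a higher one discards the perms accumulated so far */`. accept_perms continues past the end of this hunk.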


@@ -52,37 +52,26 @@ ostream &operator<<(ostream &os, State &state);
class perms_t { class perms_t {
public: public:
perms_t(void): priority(MIN_INTERNAL_PRIORITY), allow(0), deny(0), prompt(0), audit(0), quiet(0), exact(0) { }; perms_t(void): allow(0), deny(0), prompt(0), audit(0), quiet(0), exact(0) { };
bool is_accept(void) { return (allow | deny | prompt | audit | quiet); } bool is_accept(void) { return (allow | deny | prompt | audit | quiet); }
void dump_header(ostream &os) void dump_header(ostream &os)
{ {
os << "priority (allow/deny/prompt/audit/quiet)"; os << "(allow/deny/prompt/audit/quiet)";
} }
void dump(ostream &os) void dump(ostream &os)
{ {
os << " " << priority << " (0x " << hex os << "(0x " << hex
<< allow << "/" << deny << "/" << "/" << prompt << "/" << audit << "/" << quiet << allow << "/" << deny << "/" << "/" << prompt << "/" << audit << "/" << quiet
<< ')' << dec; << ')' << dec;
} }
void clear(void) { void clear(void) {
priority = MIN_INTERNAL_PRIORITY;
allow = deny = prompt = audit = quiet = exact = 0;
}
void clear(int p) {
priority = p;
allow = deny = prompt = audit = quiet = exact = 0; allow = deny = prompt = audit = quiet = exact = 0;
} }
void add(perms_t &rhs, bool filedfa) void add(perms_t &rhs, bool filedfa)
{ {
if (priority > rhs.priority)
return;
if (priority < rhs.priority) {
*this = rhs;
return;
} //else if (rhs.priority == priority) {
deny |= rhs.deny; deny |= rhs.deny;
if (filedfa && !is_merged_x_consistent(allow & ALL_USER_EXEC, if (filedfa && !is_merged_x_consistent(allow & ALL_USER_EXEC,
@@ -156,8 +145,6 @@ public:
bool operator<(perms_t const &rhs)const bool operator<(perms_t const &rhs)const
{ {
if (priority < rhs.priority)
return priority < rhs.priority;
if (allow < rhs.allow) if (allow < rhs.allow)
return allow < rhs.allow; return allow < rhs.allow;
if (deny < rhs.deny) if (deny < rhs.deny)
@@ -169,7 +156,6 @@ public:
return quiet < rhs.quiet; return quiet < rhs.quiet;
} }
int priority;
perm32_t allow, deny, prompt, audit, quiet, exact; perm32_t allow, deny, prompt, audit, quiet, exact;
}; };
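Review bot: `dump()` on the new side still prints six slash-separated slots while `dump_header()` now names five: `<< allow << "/" << deny << "/" << "/" << prompt` writes an empty field between deny and prompt, so the output reads `allow/deny//prompt/audit/quiet` (the minimize test's own comment `(0x 4/0//0/0/0)` shows that shape). Since this hunk already rewrites both functions, drop the doubled separator: `<< allow << "/" << deny << "/" << prompt << "/" << audit << "/" << quiet`. Separately, `add()` no longer arbitrates by priority and unconditionally ORs the rhs in, which is only correct if every caller merges perms produced at the same priority; a comment stating that precondition would prevent a silent regression, e.g. `/* precondition: lhs and rhs were accepted at the same priority; priority arbitration is done in accept_perms() before perms are merged */`. The perms_t class continues past the end of this hunk.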


@@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
# {a} (0x 40030/0/0/0) # {a} (0x 40030/0/0/0)
echo -n "Minimize profiles basic perms " echo -n "Minimize profiles basic perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -93,7 +93,7 @@ echo "ok"
# {9} (0x 12804a/0/2800a/0) # {9} (0x 12804a/0/2800a/0)
# {c} (0x 40030/0/0/0) # {c} (0x 40030/0/0/0)
echo -n "Minimize profiles audit perms " echo -n "Minimize profiles audit perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -112,7 +112,7 @@ echo "ok"
# {c} (0x 40030/0/0/0) # {c} (0x 40030/0/0/0)
echo -n "Minimize profiles deny perms " echo -n "Minimize profiles deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -130,7 +130,7 @@ echo "ok"
# {c} (0x 40030/0/0/0) # {c} (0x 40030/0/0/0)
echo -n "Minimize profiles audit deny perms " echo -n "Minimize profiles audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 5 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -155,7 +155,7 @@ echo "ok"
## NOTE: change count from 6 to 7 when extend perms is not dependent on ## NOTE: change count from 6 to 7 when extend perms is not dependent on
## prompt rules being present ## prompt rules being present
echo -n "Minimize profiles extended no-filter audit deny perms " echo -n "Minimize profiles extended no-filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 7 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -173,7 +173,7 @@ echo "ok"
# {2} (0x 4/0//0/0/0) <- from policydb still showing up bug # {2} (0x 4/0//0/0/0) <- from policydb still showing up bug
echo -n "Minimize profiles extended filter audit deny perms " echo -n "Minimize profiles extended filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -208,7 +208,7 @@ echo "ok"
# #
echo -n "Minimize profiles xtrans " echo -n "Minimize profiles xtrans "
if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 3 ] ; then if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -216,7 +216,7 @@ echo "ok"
# same test as above + audit # same test as above + audit
echo -n "Minimize profiles audit xtrans " echo -n "Minimize profiles audit xtrans "
if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 3 ] ; then if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -229,7 +229,7 @@ echo "ok"
# {3} (0x 0/fe17f85/0/14005) # {3} (0x 0/fe17f85/0/14005)
echo -n "Minimize profiles deny xtrans " echo -n "Minimize profiles deny xtrans "
if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 1 ] ; then if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
@@ -241,7 +241,7 @@ echo "ok"
# {3} (0x 0/fe17f85/0/0) # {3} (0x 0/fe17f85/0/0)
echo -n "Minimize profiles audit deny xtrans " echo -n "Minimize profiles audit deny xtrans "
if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 0 ] ; then if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
echo "failed" echo "failed"
exit 1; exit 1;
fi fi
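Review bot: The expected-output comments above each test (e.g. `# {a} (0x 40030/0/0/0)`, `# {3} (0x 0/fe17f85/0/14005)`) still show a space between the state set and the parenthesis, while the new pattern `'^{.*}(.*)$'` requires `}` to be immediately followed by `(`, so the comments no longer describe what the grep matches. The old pattern `'^{.*} 0 (.*)$'` matched the old dump's `" " << priority << " (0x "`, which implies the state printer emits `{a}` with no trailing space and the new output is `{a}(0x ...)`; the comments should be updated to that form, e.g. `# {a}(0x 40030/0/0/0)`. The pattern itself is also looser than before because `.*` inside the parentheses accepts any text; tightening it to `'^{[^}]*}(0x [0-9a-f/]*)$'` would keep the count from picking up unrelated lines that happen to start with `{`.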