mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-28 12:58:07 +00:00
Code Issues Releases Wiki Activity

Lindent + some hand cleanups hfa

Browse Source 
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@gmail.com>
This commit is contained in:
John Johansen 2011-03-13 05:55:25 -07:00
parent 3cfe47d3f0
commit 9a377bb9da
3 changed files with 319 additions and 317 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
parser/libapparmor_re/hfa.cc
View File

@ -35,8 +35,6 @@
#include "hfa.h"
#include "../immunix.h"
ostream &operator<<(ostream &os, const State &state)
{
/* dump the state label */
@ -46,7 +44,9 @@ ostream& operator<<(ostream& os, const State& state)
return os;
}
State* DFA::add_new_state(NodeMap &nodemap, pair <unsigned long, NodeSet *> index, NodeSet *nodes, dfa_stats_t &stats)
State *DFA::add_new_state(NodeMap &nodemap,
pair<unsigned long, NodeSet *> index,
NodeSet *nodes, dfa_stats_t &stats)
{
State *state = new State(nodemap.size(), nodes);
states.push_back(state);
@ -82,9 +82,8 @@ State *DFA::find_target_state(NodeMap &nodemap, list <State *> &work_queue,
return target;
}
void DFA::update_state_transitions(NodeMap &nodemap,
list <State *> &work_queue, State *state,
dfa_stats_t &stats)
void DFA::update_state_transitions(NodeMap &nodemap, list<State *> &work_queue,
State *state, dfa_stats_t &stats)
{
/* Compute possible transitions for state->nodes. This is done by
* iterating over all the nodes in state->nodes and combining the
@ -113,8 +112,7 @@ void DFA::update_state_transitions(NodeMap &nodemap,
*/
for (NodeCases::iterator j = cases.begin(); j != cases.end(); j++) {
State *target;
target = find_target_state(nodemap, work_queue, j->second,
stats);
target = find_target_state(nodemap, work_queue, j->second, stats);
/* Don't insert transition that the default transition
* already covers
@ -124,7 +122,6 @@ void DFA::update_state_transitions(NodeMap &nodemap,
}
}
/* WARNING: This routine can only be called from within DFA creation as
* the nodes value is only valid during dfa construction.
*/
@ -185,7 +182,9 @@ DFA::DFA(Node *root, dfaflags_t flags) : root(root)
while (!work_queue.empty()) {
if (i % 1000 == 0 && (flags & DFA_DUMP_PROGRESS))
fprintf(stderr, "\033[2KCreating dfa: queue %ld\tstates %ld\teliminated duplicates %d\r", work_queue.size(), states.size(), stats.duplicates);
fprintf(stderr, "\033[2KCreating dfa: queue %ld\tstates %ld\teliminated duplicates %d\r",
work_queue.size(), states.size(),
stats.duplicates);
i++;
State *from = work_queue.front();
@ -196,7 +195,7 @@ DFA::DFA(Node *root, dfaflags_t flags) : root(root)
*/
update_state_transitions(nodemap, work_queue, from, stats);
} /* for (NodeSet *nodes ... */
} /* while (!work_queue.empty()) */
/* cleanup Sets of nodes used computing the DFA as they are no longer
* needed.
@ -215,11 +214,12 @@ DFA::DFA(Node *root, dfaflags_t flags) : root(root)
nodemap.clear();
if (flags & (DFA_DUMP_STATS))
fprintf(stderr, "\033[2KCreated dfa: states %ld,\teliminated duplicates %d,\tprotostate sets: longest %u, avg %u\n", states.size(), stats.duplicates, stats.proto_max, (unsigned int) (stats.proto_sum/states.size()));
fprintf(stderr, "\033[2KCreated dfa: states %ld,\teliminated duplicates %d,\tprotostate sets: longest %u, avg %u\n",
states.size(), stats.duplicates, stats.proto_max,
(unsigned int)(stats.proto_sum / states.size()));
}
DFA::~DFA()
{
for (Partition::iterator i = states.begin(); i != states.end(); i++)
@ -240,7 +240,6 @@ void DFA::dump_uniq_perms(const char *s)
}
}
/* Remove dead or unreachable states */
void DFA::remove_unreachable(dfaflags_t flags)
{
@ -259,8 +258,7 @@ void DFA::remove_unreachable(dfaflags_t flags)
(reachable.find(from->cases.otherwise) == reachable.end()))
work_queue.push_back(from->cases.otherwise);
for (Cases::iterator j = from->cases.begin();
j != from->cases.end(); j++) {
for (Cases::iterator j = from->cases.begin(); j != from->cases.end(); j++) {
if (reachable.find(j->second) == reachable.end())
work_queue.push_back(j->second);
}
@ -280,10 +278,12 @@ void DFA::remove_unreachable(dfaflags_t flags)
if (*i == start)
cerr << " <==";
if ((*i)->accept) {
cerr << " (0x" << hex << (*i)->accept
<< " " << (*i)->audit << dec << ')';
cerr << " (0x" << hex
<< (*i)->accept << " "
<< (*i)->audit << dec
<< ')';
}
cerr << endl;
cerr << "\n";
}
State *current = *i;
states.erase(i);
@ -314,8 +314,7 @@ bool DFA::same_mappings(State *s1, State *s2)
if (s1->cases.cases.size() != s2->cases.cases.size())
return false;
for (Cases::iterator j1 = s1->cases.begin(); j1 != s1->cases.end();
j1++){
for (Cases::iterator j1 = s1->cases.begin(); j1 != s1->cases.end(); j1++) {
Cases::iterator j2 = s2->cases.cases.find(j1->first);
if (j2 == s2->cases.end())
return false;
@ -383,7 +382,6 @@ void DFA::minimize(dfaflags_t flags)
/* combine all perms together into a single parition */
perm_hash = 1;
} /* else not an accept state so 0 for perm_hash */
size_t trans_hash = 0;
if (flags & DFA_CONTROL_MINIMIZE_HASH_TRANS)
trans_hash = hash_trans(*i);
@ -402,9 +400,10 @@ void DFA::minimize(dfaflags_t flags)
p->second->push_back(*i);
}
if ((flags & DFA_DUMP_PROGRESS) &&
(partitions.size() % 1000 == 0))
cerr << "\033[2KMinimize dfa: partitions " << partitions.size() << "\tinit " << partitions.size() << " (accept " << accept_count << ")\r";
if ((flags & DFA_DUMP_PROGRESS) && (partitions.size() % 1000 == 0))
cerr << "\033[2KMinimize dfa: partitions "
<< partitions.size() << "\tinit " << partitions.size()
<< " (accept " << accept_count << ")\r";
}
/* perm_map is no longer needed so free the memory it is using.
@ -414,7 +413,9 @@ void DFA::minimize(dfaflags_t flags)
int init_count = partitions.size();
if (flags & DFA_DUMP_PROGRESS)
cerr << "\033[2KMinimize dfa: partitions " << partitions.size() << "\tinit " << init_count << " (accept " << accept_count << ")\r";
cerr << "\033[2KMinimize dfa: partitions " << partitions.size()
<< "\tinit " << init_count << " (accept "
<< accept_count << ")\r";
/* Now do repartitioning until each partition contains the set of
* states that are the same. This will happen when the partition
@ -430,8 +431,7 @@ void DFA::minimize(dfaflags_t flags)
new_part = NULL;
State *rep = *((*p)->begin());
Partition::iterator next;
for (Partition::iterator s = ++(*p)->begin();
s != (*p)->end(); ) {
for (Partition::iterator s = ++(*p)->begin(); s != (*p)->end();) {
if (same_mappings(rep, *s)) {
++s;
continue;
@ -454,16 +454,19 @@ void DFA::minimize(dfaflags_t flags)
(*m)->partition = new_part;
}
}
if ((flags & DFA_DUMP_PROGRESS) &&
(partitions.size() % 100 == 0))
cerr << "\033[2KMinimize dfa: partitions " << partitions.size() << "\tinit " << init_count << " (accept " << accept_count << ")\r";
if ((flags & DFA_DUMP_PROGRESS) && (partitions.size() % 100 == 0))
cerr << "\033[2KMinimize dfa: partitions "
<< partitions.size() << "\tinit "
<< init_count << " (accept "
<< accept_count << ")\r";
}
} while (new_part_count);
if (partitions.size() == states.size()) {
if (flags & DFA_DUMP_STATS)
cerr << "\033[2KDfa minimization no states removed: partitions " << partitions.size() << "\tinit " << init_count << " (accept " << accept_count << ")\n";
cerr << "\033[2KDfa minimization no states removed: partitions "
<< partitions.size() << "\tinit " << init_count
<< " (accept " << accept_count << ")\n";
goto out;
}
@ -484,8 +487,7 @@ void DFA::minimize(dfaflags_t flags)
Partition *partition = rep->cases.otherwise->partition;
rep->cases.otherwise = *partition->begin();
}
for (Cases::iterator c = rep->cases.begin();
c != rep->cases.end(); c++) {
for (Cases::iterator c = rep->cases.begin(); c != rep->cases.end(); c++) {
Partition *partition = c->second->partition;
c->second = *partition->begin();
}
@ -506,9 +508,10 @@ void DFA::minimize(dfaflags_t flags)
//cerr << "\n";
}
if (flags & DFA_DUMP_STATS)
cerr << "\033[2KMinimized dfa: final partitions " << partitions.size() << " (accept " << final_accept << ")" << "\tinit " << init_count << " (accept " << accept_count << ")\n";
cerr << "\033[2KMinimized dfa: final partitions "
<< partitions.size() << " (accept " << final_accept
<< ")" << "\tinit " << init_count << " (accept "
<< accept_count << ")\n";
/* make sure nonmatching and start state are up to date with the
* mappings */
@ -557,21 +560,24 @@ void DFA::dump(ostream& os)
if (*i == start)
os << " <==";
if ((*i)->accept) {
os << " (0x" << hex << (*i)->accept << " " << (*i)->audit << dec << ')';
os << " (0x" << hex << (*i)->accept << " "
<< (*i)->audit << dec << ')';
}
os << endl;
os << "\n";
}
}
os << endl;
os << "\n";
for (Partition::iterator i = states.begin(); i != states.end(); i++) {
if ((*i)->cases.otherwise)
os << **i << " -> " << (*i)->cases.otherwise << endl;
for (Cases::iterator j = (*i)->cases.begin(); j != (*i)->cases.end(); j++) {
os << **i << " -> " << j->second << ": " << j->first << endl;
os << **i << " -> " << (*i)->cases.otherwise << "\n";
for (Cases::iterator j = (*i)->cases.begin();
j != (*i)->cases.end(); j++) {
os << **i << " -> " << j->second << ": "
<< j->first << "\n";
}
}
os << endl;
os << "\n";
}
/**
@ -579,22 +585,22 @@ void DFA::dump(ostream& os)
*/
void DFA::dump_dot_graph(ostream & os)
{
os << "digraph \"dfa\" {" << endl;
os << "digraph \"dfa\" {" << "\n";
for (Partition::iterator i = states.begin(); i != states.end(); i++) {
if (*i == nonmatching)
continue;
os << "\t\"" << **i << "\" [" << endl;
os << "\t\"" << **i << "\" [" << "\n";
if (*i == start) {
os << "\t\tstyle=bold" << endl;
os << "\t\tstyle=bold" << "\n";
}
uint32_t perms = (*i)->accept;
if (perms) {
os << "\t\tlabel=\"" << **i << "\\n("
<< perms << ")\"" << endl;
<< perms << ")\"" << "\n";
}
os << "\t]" << endl;
os << "\t]" << "\n";
}
for (Partition::iterator i = states.begin(); i != states.end(); i++) {
Cases &cases = (*i)->cases;
@ -604,28 +610,27 @@ void DFA::dump_dot_graph(ostream& os)
if (j->second == nonmatching)
excluded.insert(j->first);
else {
os << "\t\"" << **i << "\" -> \"";
os << j->second << "\" [" << endl;
os << "\t\tlabel=\"" << j->first << "\"" << endl;
os << "\t]" << endl;
os << "\t\"" << **i << "\" -> \"" << j->second
<< "\" [" << "\n";
os << "\t\tlabel=\"" << j-> first << "\"\n";
os << "\t]" << "\n";
}
}
if (cases.otherwise && cases.otherwise != nonmatching) {
os << "\t\"" << **i << "\" -> \"" << cases.otherwise
<< "\" [" << endl;
<< "\" [" << "\n";
if (!excluded.empty()) {
os << "\t\tlabel=\"[^";
for (Chars::iterator i = excluded.begin();
i != excluded.end();
i++) {
i != excluded.end(); i++) {
os << *i;
}
os << "]\"" << endl;
os << "]\"" << "\n";
}
os << "\t]" << endl;
os << "\t]" << "\n";
}
}
os << '}' << endl;
os << '}' << "\n";
}
/**
@ -646,20 +651,16 @@ map<uchar, uchar> DFA::equivalence_classes(dfaflags_t flags)
node_sets[j->second].insert(j->first);
for (map<const State *, Chars>::iterator j = node_sets.begin();
j != node_sets.end();
j++) {
j != node_sets.end(); j++) {
/* Group edges to the same next state together by class */
map<uchar, Chars> node_classes;
bool class_used = false;
for (Chars::iterator k = j->second.begin();
k != j->second.end();
k++) {
pair<map<uchar, uchar>::iterator, bool> x =
classes.insert(make_pair(*k, next_class));
k != j->second.end(); k++) {
pair<map<uchar, uchar>::iterator, bool> x = classes.insert(make_pair(*k, next_class));
if (x.second)
class_used = true;
pair<map<uchar, Chars>::iterator, bool> y =
node_classes.insert(make_pair(x.first->second, Chars()));
pair<map<uchar, Chars>::iterator, bool> y = node_classes.insert(make_pair(x.first->second, Chars()));
y.first->second.insert(*k);
}
if (class_used) {
@ -667,11 +668,11 @@ map<uchar, uchar> DFA::equivalence_classes(dfaflags_t flags)
class_used = false;
}
for (map<uchar, Chars>::iterator k = node_classes.begin();
k != node_classes.end();
k++) {
k != node_classes.end(); k++) {
/**
* If any other characters are in the same class, move
* the characters in this class into their own new class
* the characters in this class into their own new
* class
*/
map<uchar, uchar>::iterator l;
for (l = classes.begin(); l != classes.end(); l++) {
@ -683,8 +684,7 @@ map<uchar, uchar> DFA::equivalence_classes(dfaflags_t flags)
}
if (class_used) {
for (Chars::iterator l = k->second.begin();
l != k->second.end();
l++) {
l != k->second.end(); l++) {
classes[*l] = next_class;
}
next_class++;
@ -695,7 +695,8 @@ map<uchar, uchar> DFA::equivalence_classes(dfaflags_t flags)
}
if (flags & DFA_DUMP_EQUIV_STATS)
fprintf(stderr, "Equiv class reduces to %d classes\n", next_class - 1);
fprintf(stderr, "Equiv class reduces to %d classes\n",
next_class - 1);
return classes;
}
@ -707,18 +708,17 @@ void dump_equivalence_classes(ostream& os, map<uchar, uchar>& eq)
map<uchar, Chars> rev;
for (map<uchar, uchar>::iterator i = eq.begin(); i != eq.end(); i++) {
Chars& chars = rev.insert(make_pair(i->second,
Chars())).first->second;
Chars &chars = rev.insert(make_pair(i->second, Chars())).first->second;
chars.insert(i->first);
}
os << "(eq):" << endl;
os << "(eq):" << "\n";
for (map<uchar, Chars>::iterator i = rev.begin(); i != rev.end(); i++) {
os << (int)i->first << ':';
Chars &chars = i->second;
for (Chars::iterator j = chars.begin(); j != chars.end(); j++) {
os << ' ' << *j;
}
os << endl;
os << "\n";
}
}
@ -736,7 +736,8 @@ void DFA::apply_equivalence_classes(map<uchar, uchar>& eq)
map<uchar, State *> tmp;
tmp.swap((*i)->cases.cases);
for (Cases::iterator j = tmp.begin(); j != tmp.end(); j++)
(*i)->cases.cases.insert(make_pair(eq[j->first], j->second));
(*i)->cases.cases.
insert(make_pair(eq[j->first], j->second));
}
}
@ -753,13 +754,11 @@ map<ImportantNode *, AcceptNodes> dominance(DFA& dfa)
set1.insert(accept);
}
for (AcceptNodes::iterator j = set1.begin(); j != set1.end(); j++) {
pair<map<ImportantNode *, AcceptNodes>::iterator, bool> x =
is_dominated.insert(make_pair(*j, set1));
pair<map<ImportantNode *, AcceptNodes>::iterator, bool> x = is_dominated.insert(make_pair(*j, set1));
if (!x.second) {
AcceptNodes & set2(x.first->second), set3;
for (AcceptNodes::iterator l = set2.begin();
l != set2.end();
l++) {
l != set2.end(); l++) {
if (set1.find(*l) != set1.end())
set3.insert(*l);
}
@ -771,7 +770,6 @@ map<ImportantNode *, AcceptNodes> dominance(DFA& dfa)
}
#endif
static inline int diff_qualifiers(uint32_t perm1, uint32_t perm2)
{
return ((perm1 & AA_EXEC_TYPE) && (perm2 & AA_EXEC_TYPE) &&
@ -785,8 +783,8 @@ static inline int diff_qualifiers(uint32_t perm1, uint32_t perm2)
*/
uint32_t accept_perms(NodeSet *state, uint32_t *audit_ctl, int *error)
{
uint32_t perms = 0, exact_match_perms = 0, audit = 0, exact_audit = 0,
quiet = 0, deny = 0;
uint32_t perms = 0, exact_match_perms = 0;
uint32_t audit = 0, exact_audit = 0, quiet = 0, deny = 0;
if (error)
*error = 0;
@ -805,7 +803,8 @@ uint32_t accept_perms(NodeSet *state, uint32_t *audit_ctl, int *error)
deny |= match->flag;
quiet |= match->audit;
} else {
if (!is_merged_x_consistent(perms, match->flag) && error)
if (!is_merged_x_consistent(perms, match->flag)
&& error)
*error = 1;
perms |= match->flag;
audit |= match->audit;
@ -815,8 +814,7 @@ uint32_t accept_perms(NodeSet *state, uint32_t *audit_ctl, int *error)
//if (audit || quiet)
//fprintf(stderr, "perms: 0x%x, audit: 0x%x exact: 0x%x eaud: 0x%x deny: 0x%x quiet: 0x%x\n", perms, audit, exact_match_perms, exact_audit, deny, quiet);
perms |= exact_match_perms &
~(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE);
perms |= exact_match_perms & ~(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE);
if (exact_match_perms & AA_USER_EXEC_TYPE) {
perms = (exact_match_perms & AA_USER_EXEC_TYPE) |

10
parser/libapparmor_re/hfa.h
View File

@ -47,13 +47,13 @@ typedef struct Cases {
iterator end() { return cases.end(); }
Cases(): otherwise(0) { }
map<uchar, State *> cases;
State *otherwise;
} Cases;
typedef list<State *> Partition;
uint32_t accept_perms(NodeSet *state, uint32_t *audit_ctl, int *error);
/*
@ -113,8 +113,12 @@ typedef struct dfa_stats {
class DFA {
void dump_node_to_dfa(void);
State* add_new_state(NodeMap &nodemap, pair <unsigned long, NodeSet *> index, NodeSet *nodes, dfa_stats_t &stats);
void update_state_transitions(NodeMap &nodemap, list <State *> &work_queue, State *state, dfa_stats_t &stats);
State *add_new_state(NodeMap &nodemap,
pair<unsigned long, NodeSet *> index,
NodeSet *nodes, dfa_stats_t &stats);
void update_state_transitions(NodeMap &nodemap,
list<State *> &work_queue,
State *state, dfa_stats_t &stats);
State *find_target_state(NodeMap &nodemap, list<State *> &work_queue,
NodeSet *nodes, dfa_stats_t &stats);
public: