parser: fix 16 bit state limitation

The hfa stores next/check transitions in 16 bit fields to reduce memory usage. However this means the state machine can on contain 2^16 states. Allow the next/check tables to be 32 bit. This theoretically could allow for 2^32 states however the base table uses the top 8 bits as flags giving us only 2^24 bits to index into the next/check tables. With most states having at least 1 transition this effectively caps the number of states at 2^24. To obtain 2^32 possible states a flags table needs to be added. Add a skeleton around supporting a flags table, so we can note the remaining work that needs to be done. This patch will only allow for 2^24 states. Bug: https://gitlab.com/apparmor/apparmor/-/issues/419 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-30 22:05:27 +00:00 · 2024-08-14 08:57:08 -07:00
parent 22e1863e20
commit f86fda02f5
9 changed files with 109 additions and 38 deletions
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -91,6 +91,8 @@ int kernel_supports_promptdev = 0;	/* prompt via audit perms */
 int kernel_supports_permstable32 = 0;	/* extended permissions */
 int kernel_supports_permstable32_v1 = 0;	/* extended permissions */
 int prompt_compat_mode = PROMPT_COMPAT_UNKNOWN;
+int kernel_supports_state32 = 0;	/* 32 bit state table entries */
+int kernel_supports_flags_table = 0;	/* state flags stored in table */
 int conf_verbose = 0;
 int conf_quiet = 0;
 int names_only = 0;