thing again. Fix to use the kernel's definition of AF_MAX in
linux/socket.h if it's larger than glibc's AF_MAX definition in
sys/socket.h and add a wrapper function so that we don't have include
af_names.h everywhere.
Also, fix memory leaks around the handling of network entries of
policies.
Change_profile was broken so that it couldn't parse expressions that
weren't path based or started with a variable. Furthermore if the name
held any expressions it was not hanlded correctly, as it was being passed
directly to dfa conversion without going through glob -> pcre conversion.
* move network families to filter out into a separate variable to
so that the list doesn't get lost in a complex sed invocation
* pull out the actual macro definitions from linux/socket.h and use
them if glibc's sys/socket.h (really bit/socket.h) hasn't caught up
with the family definitions.
- fix "Namespcae" tyop
- get rid of sub_name and default_deny from the main profile struct as
they haven't been used for a long time; also eliminates their output
from the debugging output.
- emit dumped parsing structure with only one -d, users were confuzzled
and it was not documented that you needed to use -dd to get it to
output anything if DEBUG wasn't set when compiling.
doesn't work. Making the parser match the documentation, though either
form should still work.
(Based on a secondary element of https://bugs.launchpad.net/bugs/341205)
Change the globbing conversion to include [^\x00]. This reduces cases of
artifical overlap between globbing rules, and link rules. Link rules
are encoded to use a \0 char to seperate the 2 match parts of the rule.
Before this fix a glob * or ** could match against the \0 seperator
resulting the generation of dfa states for that overlap. This of course
can never happen as \0 is not a valid path name character.
In one example stress policy when adding the rule
owner /** rwl,
this change made the difference between having a dfa with 55152 states
and one with 30019
- disable charter, charset merging. This can actually hamper optimization
in some cases and needs special cases added to the factoring code.
The charset code is merged off into its own routines that can be
reenabled at a later time.
- fix a couple bugs in tree simplifications that would cause earlier
exit before the tree had even reached a local minima
I particular the t != c portion of the simplify_tree, would cause
the loop to exit early if it didn't change but other modifications
had been made.
- remove the extra epsnode that was getting added to the created tree
- optimize the forward factor alt loop so that it will find all left
factor matches down the alt subtree without having to loop and recompare
against nodes that were already checked
These changes result in small improvements in most cases, but in some
policies the changes result in very large wins. The early bailout of
optimizations was causing 2.5* as many dfa states in one particular
stress test policy.
