2
0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 13:28:19 +00:00

1892 Commits

Author SHA1 Message Date
Jamie Strandboge
77b864527a changehat/mod_apparmor/mod_apparmor.pod: make several clarifications and
add a summary for the order of operations
2010-12-20 13:45:56 -06:00
Jamie Strandboge
e5f4aa4140 parser/apparmor.d.pod: more fully document child profiles, including:
- cx and Cx
  - change_profile()
2010-12-20 13:40:59 -06:00
Jamie Strandboge
289dcfb492 add [^] 2010-12-20 12:50:53 -06:00
Jamie Strandboge
79828d1f10 LP: #349049: document audit, deny and owner rule qualifiers 2010-12-20 12:48:26 -06:00
Jamie Strandboge
7296af3f39 mod_apparmor.pod: adjust for Canonical, launchpad and Ubuntu binaries and tools 2010-12-20 08:35:00 -06:00
Jamie Strandboge
2ade2782d4 parser/apparmor.d.pod: clarify alias rules 2010-12-20 08:34:12 -06:00
John Johansen
34c78d34b1 Combine hat and local profile parsing into the same base rule as profile
parsing.
2010-12-13 16:29:16 -08:00
John Johansen
7c1f5fd932 Merge profile and :namespace:profile parsing into a single rule.
clean up profile parsing by merging profile and :namespace:profile parsing
into a single rule.

This also fixes a bug where the profile	keyword was not allowed to proceed
profiles with a namespace declaration.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2010-12-13 16:26:38 -08:00
Steve Beattie
810f54ffdd Bug: https://bugzilla.novell.com/show_bug.cgi?id=510740
Short summary: Unloading of profiles with a space in the name fails,
therefore "rcapparmor stop" (or restart) causes a funny message - and
the profile is still loaded.

Thanks to Christian Boltz <apparmor@cboltz.de>
2010-11-29 13:40:45 -08:00
Steve Beattie
8740fd517d This patch fixes the parser's lexer to not passthrough other invalid
characters in variable declarations. It also adds testcases
demonstrating the issue.
2010-11-19 02:27:33 -08:00
Steve Beattie
7ef28d9fdc This patch fixes the parser to return an error when variable declaration
statements contain trailing commas, instead of passing them through to
STDOUT. It also adds parser testcases demonstrating the issue.
2010-11-19 01:42:04 -08:00
Steve Beattie
83c4a5132e This minor patch updates the compilation dependencies for bits of the
parser that interact with the regex DFA generation library, and thus
need to be recompiled when the header file changes.

(This patch isn't particularly of interest to distros, as they
typically won't be doing incremental compilation.)
2010-11-12 13:38:21 -08:00
John Johansen
85c133cd84 Rework the code so that update for nodes is now a function
The other changes have made it so that using a macro really isn't justified
so rework the code to get rid of the hiddeous update_for_nodes macro.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:20:32 -08:00
John Johansen
d551a1a9ab Make the work_queue be a work_queue of states that need finished computing
With the addition of the nodes field to the state we can make the work
queue, be based off of the state instead of the node, and avoid doing
the node to map lookup to get back to the state.

This means that the NodeMap is now only used for duplicate elimination.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:19:47 -08:00
John Johansen
e87e45c0a2 Factor updating the state transitions into its own fn
Factoring the updating of the state transitions doesn't save on any code
but it provides a nice logical seperation and makes the dfa work_queue
loop and the updating of the state transitions easier to understand as
units.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:18:48 -08:00
John Johansen
72aa490e49 Factor adding a new state to the dfa the map into its own function
Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:16:38 -08:00
John Johansen
35d55fce81 Move state label, nodes, and permission setting into the State constructor
Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:14:12 -08:00
John Johansen
5578299445 Group dfa stats into a single structure.
Move the dfa stats into a structure to provide a single access point to
them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:12:50 -08:00
John Johansen
99a7991664 Rename the match_count variable to duplicates
The match_count variable is a sum of the number of duplicates node sets
that have been encountered and discarded.  Rename it to better reflect what
it is doing.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:09:05 -08:00
John Johansen
15567a55dc Embedded the temporary computed nodes as part of the state
Embedding the nodes are part of the state gives fast back reference from
the state to the nodes that created it.  This is useful for the state to
nodes mapping dump as it lets us output the states in order.  It will also
let us avoid certain nodemap lookup in the future.

Overlay the nodes field (used only in dfa construction) with the partition
field which is only used during dfa minimization to avoid making the state
any larger.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:08:02 -08:00
John Johansen
5b68e0f7c4 Fix comment about what state information is being dumped
Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-11-11 16:06:52 -08:00
Kees Cook
eaa6a3c297 This cleans up a number of warnings that appeared after the parser rework
commits were made (as well as a few other minor warnings elsewhere).

The Makefile change is to avoid passing -Wstrict-prototypes and
-Wnested-externs to the C++ compiler, which the compiler yells about and
then ignores.

Since we compile with -Wmissing-field-initializers I dropped the
unreferenced zero-width fields in the header structs, and then explicitly
initialized the remaining fields.

I tagged several unused function parameters to silence those warnings.

And finally, I dropped the unused filter_escapes() too.
2010-11-09 13:39:18 -08:00
John Johansen
d53bb7f811 Embedded the State to partition mapping into the State.
Embedding the the partition mapping into the State structure significantly
speeds up dfa minimization, by converting rbtree finds to straight direct
references when checking for same mappings.

The overall time improvement is small but it can half the time spent in
minimization.
2010-11-09 11:57:43 -08:00
John Johansen
29c6f7e3ac Re-enable the ability to invoke remove-unreachable-states.
Now that removing unreachable states is not on by default re-enable the
ability to turn it on.
2010-11-09 11:56:58 -08:00
John Johansen
14e7d94701 Add ability to dump unique permission sets 2010-11-09 11:56:28 -08:00
John Johansen
318351376c Add the ability to dump NodeSet to dfa state mapping 2010-11-09 11:55:40 -08:00
John Johansen
af8b3b84ef Use nodemap.size() to label state node
The nodemap.size() increases by one with each node added, every time we
add a state we label it so this provides the proper labeling without needing
a separate variable.
2010-11-09 11:55:05 -08:00
John Johansen
b64921a5ec Add tracking of the node set (proto state) max, and average size 2010-11-09 11:54:20 -08:00
John Johansen
f1a3f66515 Add -D stats and -D progress options
add short options to turn on all stats, and all progress indicators,
also allow adding "no-" prefix to dump options to allow subtracting
individual options when short options are used.

eg.
  -D stats -D no-expr-simplify
2010-11-09 11:53:38 -08:00
John Johansen
6b4dff4bee Move -O and -D options and documentation into tables
Move the -O and -D options into tables, that keep the option and its
description.  This will help keep the options consistent and the description
up to date, as all information is now in one place.

Previously the options, and descriptions kept getting out of sync as all
relavent parts were spread out.
2010-11-09 11:52:38 -08:00
John Johansen
de2dec2bec Reduce the number of -O flag options by factoring our no- prefix
Factor out the "no-" prefix so that optimization flags and their no-
counter parts are handled by the same code.
2010-11-09 11:50:13 -08:00
John Johansen
fae7cac15c Rename trans-XXXX transition to compress- compression
trans- isn't a very good name for this phase of compilation.  It is the
compression phase, rename to trans- to compress- to reflect this.
2010-11-09 11:49:18 -08:00
John Johansen
8972e4f577 Generic cleanup pass of -D and -O options 2010-11-09 11:48:53 -08:00
John Johansen
0ad84d93f9 Factor out expr tree rotation into its own function 2010-11-09 11:48:29 -08:00
John Johansen
ac9553de19 Rework tests against Epsnodes to compare to the singleton
Dynamic casts are slower than plain comparisons so rework epsnode comparison
to use comparisons to the singleton epsnode instead of dynamic_casts.
2010-11-09 11:47:37 -08:00
John Johansen
6801346b81 Add cnode class as a base class of all expr nodes that contain character info 2010-11-09 11:46:05 -08:00
John Johansen
04d6c727e1 Add a leafnode class to clearly indicate what node types are leaf nodes 2010-11-09 11:44:26 -08:00
John Johansen
aec77cecde Move nodes around to put one child node together and two child nodes together 2010-11-09 11:38:20 -08:00
John Johansen
0f26d8f097 Further split up innernode, to be able to better identify the types of
inner nodes.

This is part of a serious of patches to cleanup expr nodes, by separating
out functionality and reducing the number of dynamic casts.
2010-11-09 11:36:14 -08:00
John Johansen
cb2ebc3102 Rework the depth first traversal of expr trees, to remove the use of the
unneeded visited table, and give a little speed up and cleanup.
2010-11-09 11:35:38 -08:00
John Johansen
d2581332db This is part of a serious of patches to cleanup expr nodes, by separating
out functionality and reducing the number of dynamic casts.
2010-11-09 11:34:59 -08:00
John Johansen
adb0973d61 Update Makefile to pass CFLAGS into libapparmor_re 2010-11-09 11:33:40 -08:00
John Johansen
7f987f93d1 As from a library pov they should be seperately callable fns, and this will
help reduce peak memory usage in some cases.

Also disbale remove_unreachable, as the current dfa code isn't generating
unreachable states, and minimization removes any states that are connected
but redundant.
2010-11-09 11:28:56 -08:00
John Johansen
c5fa0e98b3 Reference counting of Nodes exists to shared the special accept nodes that
hold permission information.  We currently keep them in a table with a
refcount so that they don't go away, until we delete the table.

We can simulate this by getting rid of the refcount, and making dup and release
virtual, and overriding it for the special accept nodes.
2010-11-09 11:28:22 -08:00
John Johansen
a84844cea5 Do not use permission hashing for minimization by default. While this
improves minimization performance, it can slow down total creation time and
result in larger compressed dfas.

This is because it results in the dfa not being completely minimized which
with the current O(n2) dfa table compression algorithm can result in slower
compressed dfa generation.
2010-11-09 11:27:36 -08:00
John Johansen
51f443c7b6 Update state progress/stats output to dump the number of accepting
states/partitions occur in the minimized dfa.
2010-11-09 11:26:50 -08:00
John Johansen
c2601dbd30 Cleanup the perm_map as soon as it is no longer needed. Cleaning up the map
before the end of the functions reduces the peak memory of the function
2010-11-09 11:26:18 -08:00
John Johansen
2fb64fa85e When hashing Nodes ensure that cases.otherwise == NULL is treated the same
as pointing to the nonmatching state.  Having this mix shouldn't currently
exist but adding the extra check makes the code more robust.
2010-11-09 11:25:44 -08:00
John Johansen
4e80416a4f Do permission accumulation in dfa minimization. This is necessary if accept
states with different permissions are to ever share a partition.
2010-11-09 11:24:51 -08:00
John Johansen
a949b075b4 The dfa flags currently are a weird mix of position and negative assertions.
Its cleaner just to have them all assert one way and let the cmd line
options apply them correctly.
2010-11-09 11:23:45 -08:00