apparmor/parser/libapparmor_re/aare_rules.h

/*
 * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
 * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
 * Copyright 2009-2012 Canonical Ltd.
 *
 * The libapparmor library is licensed under the terms of the GNU
 * Lesser General Public License, version 2.1. Please see the file
 * COPYING.LGPL.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 *
 * Wrapper around the dfa to convert aa rules into a dfa
 */
#ifndef __LIBAA_RE_RULES_H
#define __LIBAA_RE_RULES_H

#include <stdint.h>

#include "apparmor_re.h"
#include "expr-tree.h"

class UniquePerm {
public:
	bool deny;
	bool exact_match;
	uint32_t perms;
	uint32_t audit;

	bool operator<(UniquePerm const &rhs)const
	{
		if (deny == rhs.deny) {
			if (exact_match == rhs.exact_match) {
				if (perms == rhs.perms)
					return audit < rhs.audit;
				return perms < rhs.perms;
			}
			return exact_match;
		}
		return deny;
	}
};

class UniquePermsCache {
public:
	typedef map<UniquePerm, Node*> UniquePermMap;
	typedef UniquePermMap::iterator iterator;
	UniquePermMap nodes;

	UniquePermsCache(void) { };
	~UniquePermsCache() { clear(); }

	void clear()
	{
		for (iterator i = nodes.begin(); i != nodes.end(); i++) {
			delete i->second;
		}
		nodes.clear();
	}

	Node *insert(bool deny, uint32_t perms, uint32_t audit,
		     bool exact_match)
	{
		UniquePerm tmp = { deny, exact_match, perms, audit };
		iterator res = nodes.find(tmp);
		if (res == nodes.end()) {
			Node *node;
			if (deny)
				node = new DenyMatchFlag(perms, audit);
			else if (exact_match)
				node = new ExactMatchFlag(perms, audit);
			else
				node = new MatchFlag(perms, audit);
			pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));
			if (val.second == false)
				return val.first->second;
			return node;
		}
		return res->second;
	}
};

typedef std::map<Node *, Node *> PermExprMap;

class aare_rules {
	Node *root;
	void add_to_rules(Node *tree, Node *perms);
	UniquePermsCache unique_perms;
	PermExprMap expr_map;
 public:
	int reverse;
	int rule_count;
	aare_rules(void): root(NULL), unique_perms(), expr_map(), reverse(0), rule_count(0) { };
	aare_rules(int reverse): root(NULL), unique_perms(), expr_map(), reverse(reverse), rule_count(0) { };
	~aare_rules();

	bool add_rule(const char *rule, int deny, uint32_t perms,
		      uint32_t audit, dfaflags_t flags);
	bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,
			  const char **rulev, dfaflags_t flags);
	void *create_dfa(size_t *size, int *min_match_len, dfaflags_t flags);
};

#endif				/* __LIBAA_RE_RULES_H */
Split out aare_rules which are used to encapsulate creating the dfa Split out the aare_rule bits that encapsulate the convertion of apparmor rules into the final compressed dfa. This patch will not compile because of the it needs hfa to export an interface but hfa is going to be split so just delay until hfa and transtable are split and they can each export their own interface. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:49:15 -07:00			`/*`
			`* (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>`
			`* Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)`
Update the copyright dates for the apparmor_parser Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-02-24 04:21:59 -08:00			`* Copyright 2009-2012 Canonical Ltd.`
Split out aare_rules which are used to encapsulate creating the dfa Split out the aare_rule bits that encapsulate the convertion of apparmor rules into the final compressed dfa. This patch will not compile because of the it needs hfa to export an interface but hfa is going to be split so just delay until hfa and transtable are split and they can each export their own interface. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:49:15 -07:00			`*`
			`* The libapparmor library is licensed under the terms of the GNU`
			`* Lesser General Public License, version 2.1. Please see the file`
			`* COPYING.LGPL.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Lesser General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Lesser General Public License`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*`
			`*`
			`* Wrapper around the dfa to convert aa rules into a dfa`
			`*/`
			`#ifndef __LIBAA_RE_RULES_H`
			`#define __LIBAA_RE_RULES_H`

Split out compressed dfa "transition table" compression Split hfa into hfa and compressed_hfa files. The hfa portion focuses on creating an manipulating hfas, while compressed_hfa is used for creating compressed hfas that can be used/reused at run time with much less memory usage than the full blown hfa. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:50:34 -07:00			`#include <stdint.h>`

			`#include "apparmor_re.h"`
Convert aare_rules into a class This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 10:57:16 -07:00			`#include "expr-tree.h"`
Split out compressed dfa "transition table" compression Split hfa into hfa and compressed_hfa files. The hfa portion focuses on creating an manipulating hfas, while compressed_hfa is used for creating compressed hfas that can be used/reused at run time with much less memory usage than the full blown hfa. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:50:34 -07:00
Move the permission map into the rule set Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2015-06-25 15:54:15 -06:00			`class UniquePerm {`
			`public:`
			`bool deny;`
			`bool exact_match;`
			`uint32_t perms;`
			`uint32_t audit;`

			`bool operator<(UniquePerm const &rhs)const`
			`{`
			`if (deny == rhs.deny) {`
			`if (exact_match == rhs.exact_match) {`
			`if (perms == rhs.perms)`
			`return audit < rhs.audit;`
			`return perms < rhs.perms;`
			`}`
			`return exact_match;`
			`}`
			`return deny;`
			`}`
			`};`

			`class UniquePermsCache {`
			`public:`
			`typedef map<UniquePerm, Node*> UniquePermMap;`
			`typedef UniquePermMap::iterator iterator;`
			`UniquePermMap nodes;`

			`UniquePermsCache(void) { };`
			`~UniquePermsCache() { clear(); }`

			`void clear()`
			`{`
			`for (iterator i = nodes.begin(); i != nodes.end(); i++) {`
			`delete i->second;`
			`}`
			`nodes.clear();`
			`}`

			`Node *insert(bool deny, uint32_t perms, uint32_t audit,`
			`bool exact_match)`
			`{`
			`UniquePerm tmp = { deny, exact_match, perms, audit };`
			`iterator res = nodes.find(tmp);`
			`if (res == nodes.end()) {`
			`Node *node;`
			`if (deny)`
			`node = new DenyMatchFlag(perms, audit);`
			`else if (exact_match)`
			`node = new ExactMatchFlag(perms, audit);`
			`else`
			`node = new MatchFlag(perms, audit);`
			`pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));`
			`if (val.second == false)`
			`return val.first->second;`
			`return node;`
			`}`
			`return res->second;`
			`}`
			`};`

Change expr tree construction so that rules are grouped by perms Currently rules are added to the expression tree in order, and then tree simplification and factoring is done. This forces simplification to "search" through the tree to find rules with the same permissions during right factoring, which dependent on ordering of factoring may not be able to group all rules of the same permissions. Instead of having tree factoring do the work to regroup rules with the same permissions, pregroup them as part of the expr tree construction. And only build the full tree when the dfa is constructed. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2015-06-25 16:38:02 -06:00			`typedef std::map<Node , Node > PermExprMap;`

Convert aare_rules into a class This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 10:57:16 -07:00			`class aare_rules {`
			`Node *root;`
parser: Refactor rule accumulation to use some helper functions Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-09-03 14:24:37 -07:00			`void add_to_rules(Node tree, Node perms);`
Move the permission map into the rule set Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2015-06-25 15:54:15 -06:00			`UniquePermsCache unique_perms;`
Change expr tree construction so that rules are grouped by perms Currently rules are added to the expression tree in order, and then tree simplification and factoring is done. This forces simplification to "search" through the tree to find rules with the same permissions during right factoring, which dependent on ordering of factoring may not be able to group all rules of the same permissions. Instead of having tree factoring do the work to regroup rules with the same permissions, pregroup them as part of the expr tree construction. And only build the full tree when the dfa is constructed. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2015-06-25 16:38:02 -06:00			`PermExprMap expr_map;`
			`public:`
Convert aare_rules into a class This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 10:57:16 -07:00			`int reverse;`
			`int rule_count;`
Change expr tree construction so that rules are grouped by perms Currently rules are added to the expression tree in order, and then tree simplification and factoring is done. This forces simplification to "search" through the tree to find rules with the same permissions during right factoring, which dependent on ordering of factoring may not be able to group all rules of the same permissions. Instead of having tree factoring do the work to regroup rules with the same permissions, pregroup them as part of the expr tree construction. And only build the full tree when the dfa is constructed. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> 2015-06-25 16:38:02 -06:00			`aare_rules(void): root(NULL), unique_perms(), expr_map(), reverse(0), rule_count(0) { };`
			`aare_rules(int reverse): root(NULL), unique_perms(), expr_map(), reverse(reverse), rule_count(0) { };`
Convert aare_rules into a class This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 10:57:16 -07:00			`~aare_rules();`
Split out aare_rules which are used to encapsulate creating the dfa Split out the aare_rule bits that encapsulate the convertion of apparmor rules into the final compressed dfa. This patch will not compile because of the it needs hfa to export an interface but hfa is going to be split so just delay until hfa and transtable are split and they can each export their own interface. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:49:15 -07:00
Convert aare_rules into a class This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 10:57:16 -07:00			`bool add_rule(const char *rule, int deny, uint32_t perms,`
			`uint32_t audit, dfaflags_t flags);`
			`bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,`
			`const char **rulev, dfaflags_t flags);`
parser: determine xmatch priority based on smallest DFA match The length of a xmatch is used to prioritize multiple profiles that match the same path, with the intent that the more specific match wins. Currently, the length of a xmatch is computed by the position of the first regex character. While trying to work around issues with no_new_privs by combining profiles, we noticed that the xmatch length computation doesn't work as expected for multiple regexs. Consider the following two profiles: profile all / { } profile bins /{,usr/,usr/local/}bin/ { } xmatch_len is currently computed as "1" for both profiles, even though "bins" is clearly more specific. When determining the length of a regex, compute the smallest possible match and use that for xmatch priority instead of the position of the first regex character. 2019-02-08 11:32:16 -08:00			`void create_dfa(size_t size, int *min_match_len, dfaflags_t flags);`
Convert aare_rules into a class This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to specify the expected features set of the test. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-04-23 10:57:16 -07:00			`};`
Split out aare_rules which are used to encapsulate creating the dfa Split out the aare_rule bits that encapsulate the convertion of apparmor rules into the final compressed dfa. This patch will not compile because of the it needs hfa to export an interface but hfa is going to be split so just delay until hfa and transtable are split and they can each export their own interface. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:49:15 -07:00
Lindent + hand cleanups aare_rules Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2011-03-13 05:53:08 -07:00			`#endif /* __LIBAA_RE_RULES_H */`