parser: fix minimization check for filtering_deny

commit 1fa45b7c1 ("parser: dfa minimization prepare for extended
permissions") removed implicit filtering of explicit denies in the
minimization pass (the information was ignored in building the set of
final accept states).

The filtering of explicit denies reduces the size of the produced
dfa. Since we need to be smarter about when explicit denies are
kept (e.g. during complain mode), and most dfas are limited to 65k
states, we currently need to filter explicit deny perms by default.

To compensate, commit 2737cb2c2 ("parser: minimization - remove
unnecessary second minimization pass") moved the
apply_and_clear_deny() to before minimization. However, its check to
apply removal denials before minimization is broken. Remove minimization
triggering apply_and_clear_deny() and just set the FILTER_DENY flag
by default, until we have better selection of rules/conditions where
explicit deny information should be carried through to the backend.

Fixes: 2737cb2c2 ("parser: minimization - remove unnecessary second minimization pass")
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2024-10-24 20:28:52 -07:00
parent 8d6270e1fe
commit 179c1c1ba7
2 changed files with 7 additions and 6 deletions


@ -265,11 +265,7 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
* information supported by the backed * information supported by the backed
*/ */
if (!extended_perms || if (!extended_perms ||
// TODO: we should drop DFA_MINIMIZE check here but doing ((opts.control & CONTROL_DFA_FILTER_DENY)))
// so changes behavior. Do as a separate patch and fixup
// tests, etc.
((opts.control & CONTROL_DFA_FILTER_DENY) &&
(opts.control & CONTROL_DFA_MINIMIZE)))
dfa.apply_and_clear_deny(); dfa.apply_and_clear_deny();
if (opts.control & CONTROL_DFA_MINIMIZE) { if (opts.control & CONTROL_DFA_MINIMIZE) {
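
Review bot: the rewritten condition in front of dfa.apply_and_clear_deny() now filters denies whenever CONTROL_DFA_FILTER_DENY is set, even with CONTROL_DFA_MINIMIZE cleared, and the removed TODO warned that dropping that check changes behavior and needs test fixups, yet the commit lists only 2 changed files and no test changes are visible here. Please confirm that the expectations for non-minimized builds still hold, or update the tests in the same change. Minor style points: the new line `((opts.control & CONTROL_DFA_FILTER_DENY)))` keeps a redundant pair of parentheses left over from the old two-term expression, and the comment above it still reads "supported by the backed" where "backend" is meant.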


@ -110,7 +110,12 @@ FILE *ofile = NULL;
IncludeCache_t *g_includecache; IncludeCache_t *g_includecache;
optflags parseopts = { optflags parseopts = {
.control = (optflags_t)(CONTROL_DFA_TREE_NORMAL | CONTROL_DFA_TREE_SIMPLE | CONTROL_DFA_MINIMIZE | CONTROL_DFA_DIFF_ENCODE | CONTROL_RULE_MERGE), .control = (optflags_t)(CONTROL_DFA_TREE_NORMAL | CONTROL_DFA_TREE_SIMPLE | CONTROL_DFA_MINIMIZE | CONTROL_DFA_DIFF_ENCODE | CONTROL_RULE_MERGE |
/* TODO: remove when we have better auto
* selection on when/which explicit denies
* to remove
*/
CONTROL_DFA_FILTER_DENY),
.dump = 0, .dump = 0,
.warn = DEFAULT_WARNINGS, .warn = DEFAULT_WARNINGS,
.Werror = 0 .Werror = 0
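
Review bot: adding CONTROL_DFA_FILTER_DENY to the default parseopts.control makes deny filtering apply to every compile unless the caller clears the flag, which includes the complain-mode case the commit message names as one where explicit denies should be kept. The TODO comment should say so and give the reason for the default (the 65k state limit), so the trade-off is visible where the default is defined; it would also help to document how a user turns this default off.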