From 1fa45b7c1f8d3e744808ad2eef52110f94987092 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 9 May 2024 20:00:41 -0700
Subject: [PATCH] parser: dfa minimization prepare for extended permissions
Instead of compressing the permission set into 128 bit and using that as the index in the permission map, just use the permissions directly as the index into the permission map.
Note: this will break equality and minimization tests. Because deny is not being cleared it will result in more partitions in the initial setup. This will be addressed and the tests will be fixed in a follow on patch.
Signed-off-by: John Johansen
---
 parser/libapparmor_re/hfa.cc | 12 ++++--------
 parser/libapparmor_re/hfa.h | 2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc
index 16dffe4e1..affd68e70 100644
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@@ -647,12 +647,11 @@ int DFA::apply_and_clear_deny(void)
 }
-typedef pair uint128_t;
 /* minimize the number of dfa states */
 void DFA::minimize(optflags const &opts)
 {
- map perm_map;
+ map perm_map;
 list partitions;
 /* Set up the initial partitions
@@ -661,17 +660,14 @@ void DFA::minimize(optflags const &opts)
 int accept_count = 0;
 int final_accept = 0;
 for (Partition::iterator i = states.begin(); i != states.end(); i++) {
- uint128_t group;
- group.first = ((uint64_t) (PACK_AUDIT_CTL((*i)->perms.audit, (*i)->perms.quiet & (*i)->perms.deny)) << 32);
- group.second = (uint64_t) (*i)->perms.allow | ((uint64_t) (*i)->perms.prompt << 32);
- map::iterator p = perm_map.find(group);
+ map::iterator p = perm_map.find((*i)->perms);
 if (p == perm_map.end()) {
 Partition *part = new Partition();
 part->push_back(*i);
- perm_map.insert(make_pair(group, part));
+ perm_map.insert(make_pair((*i)->perms, part));
 partitions.push_back(part);
 (*i)->partition = part;
- if (group.first || group.second)
+ if ((*i)->perms.is_accept())
 accept_count++;
 } else {
 (*i)->partition = p->second;
diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h
index 1aa599266..56dd45ebf 100644
--- a/parser/libapparmor_re/hfa.h
+++ b/parser/libapparmor_re/hfa.h
@@ -53,7 +53,7 @@ class perms_t {
 public:
 perms_t(void): allow(0), deny(0), audit(0), quiet(0), exact(0) { };
- bool is_accept(void) { return (allow | prompt | audit | quiet); }
+ bool is_accept(void) { return (allow | deny | prompt | audit | quiet); }
 void dump_header(ostream &os)
 {
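Review bot: With `perm_map.find((*i)->perms)` and the matching `make_pair((*i)->perms, part)`, the initial partitions now depend entirely on how two `perms_t` values compare, and that ordering is neither touched nor shown by this patch. If the comparison leaves out any field that `is_accept()` or the hfa.h constructor mentions (`allow`, `deny`, `prompt`, `audit`, `quiet`, `exact`), states with different permissions would start in one partition and minimization could merge them, changing what the compiled policy enforces. I would document the contract next to the lookup, for example `/* perms_t ordering must cover every permission field: states that differ in any of them must not share an initial partition */`, and back it with a test that builds two states differing in a single field. The `for` loop and `DFA::minimize` both continue outside the hunk.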
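Review bot: The widened `is_accept()` reads `prompt`, but the constructor shown just above it initialises `allow`, `deny`, `audit`, `quiet` and `exact` and not `prompt`; unless `prompt` has a default member initialiser outside this hunk, a default-constructed `perms_t` holds an indeterminate value there. That matters more after this commit, because hfa.cc now uses the whole perms object both as the partition key and for the accept test, so two states with the same policy could end up in different partitions or be counted as accepting by accident. I would add `prompt(0)` to the initialiser list and mark the predicate `const`, `bool is_accept(void) const`, since it only reads members. The class body continues outside the hunk, so the member declarations could not be checked here.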