* move network families to filter out into a separate variable to
so that the list doesn't get lost in a complex sed invocation
* pull out the actual macro definitions from linux/socket.h and use
them if glibc's sys/socket.h (really bit/socket.h) hasn't caught up
with the family definitions.
- fix "Namespcae" tyop
- get rid of sub_name and default_deny from the main profile struct as
they haven't been used for a long time; also eliminates their output
from the debugging output.
- emit dumped parsing structure with only one -d, users were confuzzled
and it was not documented that you needed to use -dd to get it to
output anything if DEBUG wasn't set when compiling.
doesn't work. Making the parser match the documentation, though either
form should still work.
(Based on a secondary element of https://bugs.launchpad.net/bugs/341205)
Change the globbing conversion to include [^\x00]. This reduces cases of
artifical overlap between globbing rules, and link rules. Link rules
are encoded to use a \0 char to seperate the 2 match parts of the rule.
Before this fix a glob * or ** could match against the \0 seperator
resulting the generation of dfa states for that overlap. This of course
can never happen as \0 is not a valid path name character.
In one example stress policy when adding the rule
owner /** rwl,
this change made the difference between having a dfa with 55152 states
and one with 30019
- disable charter, charset merging. This can actually hamper optimization
in some cases and needs special cases added to the factoring code.
The charset code is merged off into its own routines that can be
reenabled at a later time.
- fix a couple bugs in tree simplifications that would cause earlier
exit before the tree had even reached a local minima
I particular the t != c portion of the simplify_tree, would cause
the loop to exit early if it didn't change but other modifications
had been made.
- remove the extra epsnode that was getting added to the created tree
- optimize the forward factor alt loop so that it will find all left
factor matches down the alt subtree without having to loop and recompare
against nodes that were already checked
These changes result in small improvements in most cases, but in some
policies the changes result in very large wins. The early bailout of
optimizations was causing 2.5* as many dfa states in one particular
stress test policy.
been made but only from the top level. This allows us to get the
optimizations that were missed, while not causing the massive recursive call
explosion we had before.
Description: fix compile on build
Patch from Gentoo community:
- fix up a couple of missing semicolons in syntax (bison compensates
by emitting it's own)
- Fix yet another variable tyop in rc.apparmor.functions
- dump stderr of ls in rc.apparmor.functions to /dev/null
- add an install-unknown make target
alias rules and variable declarations within the preamble of a profile.
This commit adds another testcase for alias rules; one in which there is
an overlapping pair of aliases. The parser parses it, but based on -dd
output, I don't believe it's treating it properly.
Apply tree factoring and simplification techniques to reduce the number of
states used in computing the dfa. This can have an exponential impact
on both space and time for dfa generation.
