Changes the table resizing so that there is always sufficient high
entries in the table, preventing bounds violations from occurring.
Nominated-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
node themselves to reduce memory usage and make node labeling per dfa
rather than global.
Nominated-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
imediately after the current partition being considered, instead of
at the back of the parition list. This does two things, it makes it
more likely the data is in cache, and it also in general results in
more partitions being created in a single pass.
not an algorithmic improvement. It does the same basic algorithm of
test until it can insert the data, but instead of only tracking the
first free entry (and recomputing it each pass). It tracks all
free entries reducing the number of comparisons done and the table
grows in size.
This may actually result in a small loss on small tables, but is a win
for larger tables.
Update the hash calculation to guarentee that states with a different
number of transition entries will be placed in seperate partitions.
This will allow for a better character transition based state comparison.
Add basic Hopcroft based dfa minimization. It currently does a simple
straight state comparison that can be quadratic in time to split partitions.
This is offset however by using hashing to setup the initial partitions so
that the number of states within a partition are relative few.
The hashing of states for initial partition setup is linear in time. This
means the closer the initial partition set is to the final set, the closer
the algorithm is to completing in a linear time. The hashing works as
follows: For each state we know the number of transitions that are not
the default transition. For each of of these we hash the set of letters
it can transition on using a simple djb2 hash algorithm. This creates
a unique hash based on the number of transitions and the input it can
transition on. If a state does not have the same hash we know it can not
the same as another because it either has a different number of transitions
or or transitions on a different set.
To further distiguish states, the number of transitions of each transitions
target state are added into the hash. This serves to further distiguish
states as a transition to a state with a different number of transitions
can not possibly be reduced to an equivalent state.
A further distinction of states is made for accepting states in that
we know each state with a unique set of accept permissions must be in
its own partition to ensure the unique accept permissions are in the
final dfa.
The unreachable state removal is a basic walk of the dfa from the start
state marking all states that are reached. It then sweeps any state not
reached away. This does not do dead state removal where a non accepting
state gets into a loop that will never result in an accepting state.
This will allow turning on and off various debug dumps as needed.
Multiple dump options can be specified as needed by using multiple
options.
eg. apparmor_parser -D variables
apparmor_parser -D dfa-tree -D dfa-simple-tree
The help option has also been updated to take an optional argument
to display help about give parameters, currently only dump is supported.
eg. apparmor_parser -h # standard help
apparmor_parser -h=dump # dump info about --dump options
Also Enable the dfa expression tree dumps
Change the globbing conversion to include [^\x00]. This reduces cases of
artifical overlap between globbing rules, and link rules. Link rules
are encoded to use a \0 char to seperate the 2 match parts of the rule.
Before this fix a glob * or ** could match against the \0 seperator
resulting the generation of dfa states for that overlap. This of course
can never happen as \0 is not a valid path name character.
In one example stress policy when adding the rule
owner /** rwl,
this change made the difference between having a dfa with 55152 states
and one with 30019
- disable charter, charset merging. This can actually hamper optimization
in some cases and needs special cases added to the factoring code.
The charset code is merged off into its own routines that can be
reenabled at a later time.
- fix a couple bugs in tree simplifications that would cause earlier
exit before the tree had even reached a local minima
I particular the t != c portion of the simplify_tree, would cause
the loop to exit early if it didn't change but other modifications
had been made.
- remove the extra epsnode that was getting added to the created tree
- optimize the forward factor alt loop so that it will find all left
factor matches down the alt subtree without having to loop and recompare
against nodes that were already checked
These changes result in small improvements in most cases, but in some
policies the changes result in very large wins. The early bailout of
optimizations was causing 2.5* as many dfa states in one particular
stress test policy.
been made but only from the top level. This allows us to get the
optimizations that were missed, while not causing the massive recursive call
explosion we had before.
Apply tree factoring and simplification techniques to reduce the number of
states used in computing the dfa. This can have an exponential impact
on both space and time for dfa generation.
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
