apparmor

mirrors/apparmor

Fork 0

mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00

Commit graph

Author	SHA1	Message	Date
John Johansen	59c0bb0f46	Fix minimize.sh test to screen out more parser error messages by grepping closer to the expected -O dfa-states output	2012-03-09 06:48:03 -08:00
John Johansen	fae11e12cf	Mark the minimize test as executable	2012-03-09 05:54:54 -08:00
John Johansen	5e361a4a05	Fix dfa minimization to deal with exec conflicts Minimization was failing because it was too agressive. It was minimizing as if there was only 1 accept condition. This allowed it to remove more states but at the cost of loosing unique permission sets, they where being combined into single commulative perms. This means that audit, deny, xtrans, ... info on one path would be applied to all other paths that it was combined with during minimization. This means that we need to retain the unique accept states, not allowing them to be combined into a single state. To do this we put each unique permission set into its own partition at the start of minimization. The states within a partition have the same permissions and can be combined within the other states in the partition as the loss of unique path information is will not result in a conflict. This is similar to what perm hashing used to do but deny information is still being correctly applied and carried. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-09 04:20:19 -08:00

Author

SHA1

Message

Date

John Johansen

59c0bb0f46

Fix minimize.sh test to screen out more parser error messages by grepping

closer to the expected -O dfa-states output

2012-03-09 06:48:03 -08:00

John Johansen

fae11e12cf

Mark the minimize test as executable

2012-03-09 05:54:54 -08:00

John Johansen

5e361a4a05

Fix dfa minimization to deal with exec conflicts

Minimization was failing because it was too agressive.  It was minimizing
as if there was only 1 accept condition.  This allowed it to remove more
states but at the cost of loosing unique permission sets, they where
being combined into single commulative perms.  This means that audit,
deny, xtrans, ... info on one path would be applied to all other paths
that it was combined with during minimization.

This means that we need to retain the unique accept states, not allowing
them to be combined into a single state.  To do this we put each unique
permission set into its own partition at the start of minimization.

The states within a partition have the  same permissions and can be combined
within the other states in the partition as the loss of unique path
information is will not result in a conflict.

This is similar to what perm hashing used to do but deny information is
still being correctly applied and carried.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

2012-03-09 04:20:19 -08:00

3 commits