Reworking this code is a step to getting rid of the SUB_NAME2 start
condition.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Change how we handle the parsing of the hat and profile keywords this allows
us to get rid of the SUB_NAME2 start condition because the the whitespace
that is allowed by these rules are now consumed by matching the keyword
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
There is a lot of duplication of code calling processqunquoted and
processquoted. Move all this code to use the new processid fn.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
This is the first step in reducing the number of shared rules between the
different start conditions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
The affected comment rule is already in the INITIAL start condition
so BEGIN(INITIAL) is extraneous and will cause problems when switching
to a stack of start conditions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
The rlimit start condition was separating different rules of the base
set making the lexer grammer harder to read than necessary.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
The module interface calls for names with namespaces to be in the format of
:namespace:profile or :namespace://profile
but the parser was generating
namespace:profile
causing profile lookup to fail, or removal of the wrong profile as it was
done against the current namespace, instead of the specified namespace
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
The module interface calls for names with namespaces to be in the format of
:namespace:profile or :namespace://profile
but the parser was generating
namespace:profile
causing profile lookup to fail, or removal of the wrong profile as it was
done against the current namespace, instead of the specified namespace
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
instead of a NodeSet.
We need to store sets of Nodes, to compute the dfa but the C++ set is
not the most efficient way to do this as, it has a has a lot of overhead
just to store a single pointer.
Instead we can use an array of tightly packed pointers + a some header
information. We can do this because once the Set is finalized it will
not change, we just need to be able to reference and compare to it.
We don't use C++ Vectors as they have more overhead than a plain array
and we don't need their additional functionality.
We only replace the use of hashedNodeSets for non-accepting states as
these sets are only used in the dfa construction, and dominate the memory
usage. The accepting states still may need to be modified during
minimization and there are only a small number of entries (20-30), so
it does not make sense to convert them.
Also introduce a NodeVec cache that serves the same purpose as the NodeSet
cache that was introduced earlier.
This is not abstracted this out as nicely as might be desired but avoiding
the use of a custom iterator and directly iterating on the Node array
allows for a small performance gain, on larger sets.
This patch reduces the amount of heap memory used by dfa creation by about
4x - overhead. So for small dfas the savings is only 2-3x but on larger
dfas the savings become more and more pronounced.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
non-accepting, and have the proto-state use them.
To reduce memory overhead each set gains its own "cache" that make sure
there is only a single instance of each NodeSet generated. And since
we have a cache abstraction, move relavent stats into it.
Also refactor code slightly to make caches and work_queue etc, DFA member
variables instead of passing them as parameters.
The split + caching results in a small reduction in memory use as the
cost of ProtoState + Caching is less than the redundancy that is eliminated.
However this results in a small decrease in performance.
Sorry I know this really should have been split into multiple patches
but the patch evolved and I got lazy and decided to just not bother
splitting it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
It is the functional equivalent of ProtoState. We do this to provide a
new level of abstraction that ProtoState can leverage, when the node types
are split.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Create a new ProtoState class that will encapsulate the split, but for
this patch it will just contain what was done previously with NodeSet
Signed-off-by: John Johansen <john.johansen@canonical.com>
is done to be clear what TransitionTable is, as we will then add matching
capabilities. Renaming the files is just to make them consistent with
the class in the file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
entries where the comm entry has been hex-encoded. This occurs when the
binary being confined contains a space or other problematic character in
its filename. A test case is included.
This commit upgrades the COPYING.GPL file to the latest version from
http://www.gnu.org/licenses/gpl-2.0.txt - which means some small text
and whitespace changes and of course the correct address.
Acked-by: John Johansen <john.johansen@canonical.com>
When executing apparmor_status from rc functions and utils are not installed, this message is received:
AppArmor is enabled,
Install the apparmor-utils package to receive more detailed
status information here (or examine directly).
Signed-off-by: John Johansen <john.johansen@canonical.com>
parser/Makefile has a number of issues.
* Some warnings are produced: "make[1]: warning: jobserver unavailable: using -j1. Add `+' to parent make rule."
* CXX is not always respected
* LDFLAGS are not always respected
modified to apply and retain $(Q) by John Johansen
Signed-off-by: John Johansen <john.johansen@canoncial.com>
When running installing apparmor-utils from Makefile, some warnings are
generated: make[1]: warning: jobserver unavailable: using -j1. Add
`+' to parent make rule.
Use $(MAKE) instead of make
Signed-off-by: John Johansen <john.johansen@canonical.com>
Original openSUSE changelog entry:
Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
- Splitted ldap related things from nameservice into separate
profile and added some missing paths (bnc#662761)
If $DISPLAY is not set and --display is not used, aa-notify prints a
warning that notifications won't be shown (exact warning text depends if
using sudo or not).
Acked-by: John Johansen <john.johansen@canonical.com>
