mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
18821b079b
instead of a NodeSet. We need to store sets of Nodes, to compute the dfa but the C++ set is not the most efficient way to do this as, it has a has a lot of overhead just to store a single pointer. Instead we can use an array of tightly packed pointers + a some header information. We can do this because once the Set is finalized it will not change, we just need to be able to reference and compare to it. We don't use C++ Vectors as they have more overhead than a plain array and we don't need their additional functionality. We only replace the use of hashedNodeSets for non-accepting states as these sets are only used in the dfa construction, and dominate the memory usage. The accepting states still may need to be modified during minimization and there are only a small number of entries (20-30), so it does not make sense to convert them. Also introduce a NodeVec cache that serves the same purpose as the NodeSet cache that was introduced earlier. This is not abstracted this out as nicely as might be desired but avoiding the use of a custom iterator and directly iterating on the Node array allows for a small performance gain, on larger sets. This patch reduces the amount of heap memory used by dfa creation by about 4x - overhead. So for small dfas the savings is only 2-3x but on larger dfas the savings become more and more pronounced. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com> |
||
|---|---|---|
| .. | ||
| libapparmor_re | ||
| po | ||
| tst | ||
| apparmor-parser.spec.in | ||
| apparmor.d.pod | ||
| apparmor.pod | ||
| apparmor.vim.pod | ||
| apparmor_parser.pod | ||
| COPYING.GPL | ||
| frob_slack_rc | ||
| immunix.h | ||
| Makefile | ||
| parser.conf | ||
| parser.h | ||
| parser_alias.c | ||
| parser_common.c | ||
| parser_include.c | ||
| parser_include.h | ||
| parser_interface.c | ||
| parser_lex.l | ||
| parser_main.c | ||
| parser_merge.c | ||
| parser_misc.c | ||
| parser_policy.c | ||
| parser_regex.c | ||
| parser_symtab.c | ||
| parser_variable.c | ||
| parser_yacc.y | ||
| rc.aaeventd.redhat | ||
| rc.aaeventd.suse | ||
| rc.apparmor.debian | ||
| rc.apparmor.functions | ||
| rc.apparmor.redhat | ||
| rc.apparmor.slackware | ||
| rc.apparmor.suse | ||
| README | ||
| subdomain.conf | ||
| subdomain.conf.pod | ||
| techdoc.tex | ||
The apparmor_parser allows you to add, replace, and remove AppArmor policy through the use of command line options. The default is to add. `apparmor_parser --help` shows what the command line options are. You can also find more information at <http://forge.novell.com/modules/xfmod/project/?apparmor>. Please send all complaints, bug reports, feature requests, rants about the software, and questions to apparmor-general@forge.novell.com. Security issues should be directed to security@suse.de or secure@novell.com, where we will attempt to conform to the RFP vulnerability disclosure protocol: http://www.wiretrip.net/rfp/policy.html Thanks. -- The AppArmor development team