mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
22855508e8
Differential state compression encodes a state's transitions as the difference between the state and its default state (the state it is relative too). This reduces the number of transitions that need to be stored in the transition table, hence reducing the size of the dfa. There is a trade off in that a single input character may have to traverse more than one state. This is somewhat offset by reduced table sizes providing better locality and caching properties. With carefully encoding we can still make constant match time guarentees. This patch guarentees that a state that is differentially encoded will do at most 3m state traversal to match an input of length m (as opposed to a non-differentially compressed dfa doing exactly m state traversals). In practice the actually number of extra traversals is less than this becaus we selectively choose which states are differentially encoded. In addition to reducing the size of the dfa by reducing the number of transitions that have to be stored. Differential encoding reduces the number of transitions that need to be considered by comb compression, which can result in tighter packing, due to a reduction in sparseness, and also reduces the time spent in comb compression which currently uses an O(n^2) algorithm. Differential encoding will always result in a DFA that is smaller or equal in size to the encoded DFA, and will usually improve compilation times, with the performance improvements increasing as the DFA gets larger. Eg. Given a example DFA that created 8991 states after minimization. * If only comb compression (current default) is used 52057 transitions are packed into a table of 69591 entries. Achieving an efficiency of about 75% (an average of about 7.74 table entries per state). With a resulting compressed dfa16 size of 404238 bytes and a run time for the dfa compilation of real 0m9.037s user 0m8.893s sys 0m0.036s * If differential encoding + comb compression is used, 8292 of the 8991 states are differentially encoded, with 31557 trans removed. Resulting in 20500 transitions are packed into a table of 20675 entries. Acheiving an efficiency of about 99.2% (an average of about 2.3 table entries per state With a resulting compressed dfa16 size of 207874 bytes (about 48.6% reduction) and a run time for the dfa compilation of real 0m5.416s (about 40% faster) user 0m5.280s sys 0m0.040s Repeating with a larger DFA that has 17033 states after minimization. * If only comb compression (current default) is used 102992 transitions are packed into a table of 137987 entries. Achieving an efficiency of about 75% (an average of about 8.10 entries per state). With a resultant compressed dfa16 size of 790410 bytes and a run time for d compilation of real 0m28.153s user 0m27.634s sys 0m0.120s * with differential encoding 39374 transition are packed into a table of 39594 entries. Achieving an efficiency of about 99.4% (an average of about 2.32 entries per state). With a resultant compressed dfa16 size of 396838 bytes (about 50% reduction and a run time for dfa compilation of real 0m11.804s (about 58% faster) user 0m11.657s sys 0m0.084s Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> |
||
|---|---|---|
| .. | ||
| libapparmor_re | ||
| po | ||
| tst | ||
| apparmor-parser.spec.in | ||
| apparmor.d.pod | ||
| apparmor.pod | ||
| apparmor_parser.pod | ||
| COPYING.GPL | ||
| dbus.c | ||
| dbus.h | ||
| frob_slack_rc | ||
| immunix.h | ||
| lib.c | ||
| lib.h | ||
| Makefile | ||
| mount.c | ||
| mount.h | ||
| parser.conf | ||
| parser.h | ||
| parser_alias.c | ||
| parser_common.c | ||
| parser_include.c | ||
| parser_include.h | ||
| parser_interface.c | ||
| parser_lex.l | ||
| parser_main.c | ||
| parser_merge.c | ||
| parser_misc.c | ||
| parser_policy.c | ||
| parser_regex.c | ||
| parser_symtab.c | ||
| parser_variable.c | ||
| parser_yacc.y | ||
| policydb.h | ||
| profile.cc | ||
| profile.h | ||
| rc.aaeventd.redhat | ||
| rc.aaeventd.suse | ||
| rc.apparmor.debian | ||
| rc.apparmor.functions | ||
| rc.apparmor.redhat | ||
| rc.apparmor.slackware | ||
| rc.apparmor.suse | ||
| README | ||
| README.devel | ||
| subdomain.conf | ||
| subdomain.conf.pod | ||
| techdoc.tex | ||
| unit_test.h | ||
The apparmor_parser allows you to add, replace, and remove AppArmor policy through the use of command line options. The default is to add. `apparmor_parser --help` shows what the command line options are. You can also find more information at http://wiki.apparmor.net Please send all complaints, feature requests, rants about the software, and questions to the apparmor@lists.ubuntu.com mailing list. Bug reports can be filed against the AppArmor project on launchpad.net at https://launchpad.net/apparmor or reported to the mailing list directly for those who wish not to register for an account on launchpad. Security issues can be filed as security bugs on launchpad or directed to security@ubuntu.com. We will attempt to conform to the RFP vulnerability disclosure protocol: http://www.wiretrip.net/rfp/policy.html Thanks. -- The AppArmor development team