apparmor/parser
Steve Beattie 68a9f24fb5 parser: convert var expansion to use alternations
This patch converts the parser's variable expansion from adding new
entries for each additional variable value to incorporating an
alternation that includes all the values for the variable; e.g. given:

  @{BINS}=/bin /usr/bin /sbin /usr/sbin
  @{BINS}/binary ix,

rather than expanding to entries for

  /bin/binary
  /usr/bin/binary
  /sbin/binary
  /usr/sbin/binary

one entry would remain that looks like:

  {/bin,/usr/bin,/sbin,/usr/sbin}/binary

One complication with this patch is that we try to prevent mistakes for
our users with variable expansion around '/'s; it's common for people to
write profiles that contain things like:

 @{BAR}=/bingo/*/ /bango/
 /foo/@{BAR}/baz

We already have a post-processing step that walks entries looking
for multiple sequences of '/'s and filters them into single
'/' which worked when creating new entries for each variable
expansion. Converting to alternation expansion breaks this filtering,
so code is added that removes leading and trailing slashes in variable
values in the expansion if the character immediately preceding or
following the variable is also a slash.

The intent behind this is to reduce the amount of memory allocations
and structure walking that needed to occur when converting from the
entry strings to the back end nodes. Examples with real world profiles
showed performance improvements ranging from 2.5% to 10%. However,
because the back end operations are sensitive to the front end inputs,
it is possible for worse results to occur; for example, it takes the
simple_tests/vars/vars_stress_0[123].sd tests significantly longer to
complete after this patch is applied (vars_stress_03.sd in particular
takes ~23 times longer). An initial analysis of profiling output in
this negative case suggests that it causes the tree simplification in
the back end to do more work for unknown reasons.

On the other hand, the test simple_tests/vars/vars_dbus_9.sd
(introduced in "[patch 09/12] parser: more dbus variable testcases")
takes ~1 sec to complete on my laptop before this patch, and roughly
0.01s with this patch applied.

(One option would be to keep the "expand entries" approach as an
alternative, but I couldn't come up with a good heuristic for when
to use it instead.)

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-12-16 01:28:38 -08:00
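The two expansion strategies the commit message contrasts, as an added example that is not AppArmor's own parser code: the old per-entry expansion (one string per variable value, followed by the post-processing pass that squeezes runs of '/' into one) beside the alternation form, including the slash trimming that replaces that pass. Names such as VarTable, example_vars, expand_entries and expand_alternation are illustrative and assumed; variable values are assumed to be already resolved (no nested @{...} references), and the real parser's handling of a value that trims down to an empty string is not described in the message and is not modelled here.

```cpp
// Added illustration of the two expansion strategies described above. This is
// not AppArmor's own code; names (VarTable, expand_entries, expand_alternation,
// example_vars) are illustrative. Variable values are assumed to be already
// resolved (no nested @{...} references).
#include <initializer_list>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using VarTable = std::map<std::string, std::vector<std::string>>;

// The @{BINS} and @{BAR} definitions from the commit message (constructed input).
VarTable example_vars() {
    return {
        {"BINS", {"/bin", "/usr/bin", "/sbin", "/usr/sbin"}},
        {"BAR",  {"/bingo/*/", "/bango/"}},
    };
}

// Post-processing step used by the old per-entry expansion: squeeze runs of
// '/' into a single '/'.
std::string collapse_slashes(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '/' && !out.empty() && out.back() == '/') continue;
        out += c;
    }
    return out;
}

// Locate the first @{NAME} in rule; returns false if there is none.
static bool find_var(const std::string& rule, size_t& start, size_t& end, std::string& name) {
    start = rule.find("@{");
    if (start == std::string::npos) return false;
    end = rule.find('}', start);
    if (end == std::string::npos) return false;
    name = rule.substr(start + 2, end - start - 2);
    return true;
}

static const std::vector<std::string>& lookup(const VarTable& vars, const std::string& name) {
    auto it = vars.find(name);
    if (it == vars.end()) throw std::runtime_error("undefined variable @{" + name + "}");
    return it->second;
}

// Old approach: one entry per value, recursing so that several variables in
// one rule yield the cartesian product, then collapsing doubled slashes.
std::vector<std::string> expand_entries(const std::string& rule, const VarTable& vars) {
    size_t start, end;
    std::string name;
    if (!find_var(rule, start, end, name)) return {collapse_slashes(rule)};
    std::vector<std::string> result;
    for (const std::string& value : lookup(vars, name)) {
        std::string substituted = rule.substr(0, start) + value + rule.substr(end + 1);
        for (const std::string& e : expand_entries(substituted, vars)) result.push_back(e);
    }
    return result;
}

// New approach: replace each @{NAME} with a single {a,b,c} alternation. Because
// the slash-collapsing pass no longer sees the final strings, leading slashes
// are stripped from each value when the variable follows a '/', and trailing
// slashes when it precedes one.
std::string expand_alternation(const std::string& rule, const VarTable& vars) {
    std::string rest = rule, out;
    size_t start, end;
    std::string name;
    while (find_var(rest, start, end, name)) {
        out += rest.substr(0, start);
        bool slash_before = !out.empty() && out.back() == '/';
        bool slash_after  = end + 1 < rest.size() && rest[end + 1] == '/';
        const std::vector<std::string>& values = lookup(vars, name);
        out += values.size() > 1 ? "{" : "";
        for (size_t i = 0; i < values.size(); ++i) {
            std::string v = values[i];
            if (slash_before) v.erase(0, v.find_first_not_of('/'));
            if (slash_after) while (!v.empty() && v.back() == '/') v.pop_back();
            out += (i ? "," : "") + v;
        }
        out += values.size() > 1 ? "}" : "";
        rest = rest.substr(end + 1);
    }
    return out + rest;
}

int main() {
    VarTable vars = example_vars();
    for (const char* rule : {"@{BINS}/binary", "/foo/@{BAR}/baz", "@{BINS}/@{BINS}"}) {
        std::cout << rule << "\n  alternation: " << expand_alternation(rule, vars) << "\n";
        for (const std::string& e : expand_entries(rule, vars))
            std::cout << "  entry:       " << e << "\n";
    }
    return 0;
}
```

The third rule in main shows why the alternation form saves work: two variables with four values each produce sixteen strings under expand_entries but a single string with two four-way alternations under expand_alternation. Note that the trimming is purely positional, so a value like "/bingo/*/" keeps its trailing slash when the variable is the last thing in the rule.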
libapparmor_re parser: add build option for coverage (v3) 2013-12-06 05:31:11 -08:00
po Update parser translations as discussed in yesterdays meeting 2013-11-14 10:20:43 -08:00
tst parser: remove length restriction in convert_aaregex_to_pcre usage 2013-12-16 01:15:17 -08:00
apparmor-parser.spec.in Add an example parser.conf file 2011-10-07 14:43:54 -07:00
apparmor.d.pod parser: Document eavesdropping permission syntax in apparmor.d(5) 2013-12-06 11:18:17 -08:00
apparmor.pod can ?not fix apparmor.pod 2013-12-12 03:07:37 +01:00
apparmor_parser.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:17:39 +02:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.c Move public mediation class types and perms to apparmor.h 2013-12-06 11:20:06 -08:00
dbus.h parser - add support for variable expansion in dbus rules 2013-08-29 12:34:13 -07:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Move public mediation class types and perms to apparmor.h 2013-12-06 11:20:06 -08:00
lib.c Convert the parser to C++ 2013-09-27 16:13:22 -07:00
lib.h apparmor: abstract out the directory walking routine 2012-08-16 16:26:03 -07:00
Makefile parser: add build option for coverage (v3) 2013-12-06 05:31:11 -08:00
mount.c Convert the parser to C++ 2013-09-27 16:13:22 -07:00
mount.h Fix mnt_flags passed for remount 2012-03-22 07:55:58 -07:00
parser.conf Commit the example parser.conf file that was supposed to be part of 2011-10-09 20:15:03 -07:00
parser.h parser: Check for kernel support prior to processing dbus entries 2013-10-29 17:03:23 -07:00
parser_alias.c Convert codomain to a class 2013-09-27 16:16:37 -07:00
parser_common.c parser: Check for kernel support prior to processing dbus entries 2013-10-29 17:03:23 -07:00
parser_include.c allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_include.h allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_interface.c parser - fix void* warnings 2013-10-14 14:37:48 -07:00
parser_lex.l parser: Add dbus eavesdrop permission support to apparmor_parser 2013-12-06 11:17:43 -08:00
parser_main.c parser: Check for kernel support prior to processing dbus entries 2013-10-29 17:03:23 -07:00
parser_merge.c Convert codomain to a class 2013-09-27 16:16:37 -07:00
parser_misc.c parser: fix /proc version file read 2013-12-10 12:41:25 -08:00
parser_policy.c Convert codomain to a class 2013-09-27 16:16:37 -07:00
parser_regex.c parser: convert process_mnt_entry's typebuf to std::string 2013-12-16 01:17:21 -08:00
parser_symtab.c Convert codomain to a class 2013-09-27 16:16:37 -07:00
parser_variable.c parser: convert var expansion to use alternations 2013-12-16 01:28:38 -08:00
parser_yacc.y fix broken english in parser_yacc.y 2013-12-06 21:41:41 +01:00
policydb.h Move public mediation class types and perms to apparmor.h 2013-12-06 11:20:06 -08:00
profile.cc parser - fix more memory leaks 2013-10-14 14:34:12 -07:00
profile.h parser: fix rlimit missing initializer warning 2013-12-10 12:42:50 -08:00
rc.aaeventd.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.aaeventd.suse openSUSE patch to remove the "-f" parameter from startproc in rc.aaeventd.suse / 2011-08-13 14:22:35 +02:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions Update the copyright dates for the apparmor_parser 2012-02-24 04:21:59 -08:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.suse It looks like rc.apparmor.functions renamed "aa_log_action_begin()" to 2011-09-15 20:20:23 +02:00
README parser - update README information 2013-10-11 22:14:28 -07:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
subdomain.conf Here's an update to rename another chunk of things that still used 2011-01-13 13:58:26 -08:00
subdomain.conf.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:17:39 +02:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at http://wiki.apparmor.net

Please send all complaints, feature requests, rants about the software,
and questions to the apparmor@lists.ubuntu.com mailing list. Bug
reports can be filed against the AppArmor project on launchpad.net at
https://launchpad.net/apparmor, or reported directly to the mailing list
by those who do not wish to register for an account on launchpad.

Security issues can be filed as security bugs on launchpad
or directed to security@ubuntu.com. We will attempt to
conform to the RFP vulnerability disclosure protocol:
http://www.wiretrip.net/rfp/policy.html

Thanks.

-- The AppArmor development team