apparmor/parser
John Johansen 2809060bec parser: limit the number of passes expr tree simplification does
Expr tree simplification makes multiple passes at simplifying the
expression tree trying to use factoring rules and heuristics to achieve
the minimum tree, so that dfa construction has fewer nodes to deal
with.

Unfortunately expr tree simplification can slow some policy compiles,
dependent on the type of expressions generated, down, and even worse
is currently subject to never terminating on some expressions as the
left and right passes keep undoing each other's work.

Limiting the number of passes that expr tree simplification does can
provide most of its benefits (later passes generally have diminishing
returns), reduces the overhead it has on simple policy where it is of
little benefit, and ensures that simplifications cannot get stuck in
an infinite loop due to the left and right passes ping-ponging on each
other's factoring.

Note: This also results in a performance improvement in evince
compiles, and general policy compiles because it achieves a better
balance between time spent on simplifying the tree to remove nodes and
time the dfa build requires to build with extra nodes and then
eliminate with minimization.

$ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
real	0m2.744s
user	0m2.714s
sys	0m0.028s

vs.

$ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
real	0m2.992s
user	0m2.979s
sys	0m0.012s

and

$ time apparmor_parser -QT /etc/apparmor.d/
real	0m3.568s
user	0m14.529s
sys	0m0.152s

vs.

$ time apparmor_parser -QT /etc/apparmor.d/
real	0m3.741s
user	0m15.400s
sys	0m0.179s

PR: https://gitlab.com/apparmor/apparmor/merge_requests/246
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-11-09 13:01:01 -08:00
libapparmor_re parser: limit the number of passes expr tree simplification does 2018-11-09 13:01:01 -08:00
po translations: sync from launchpad translations 2018-04-15 06:54:44 -07:00
tst error out on superfluous TODOs 2018-11-06 21:44:40 +01:00
aa-teardown aa-teardown: Replace /bin/bash with /bin/sh 2018-05-05 17:46:19 -07:00
aa-teardown.pod all: Use HTTPS links for apparmor.net 2018-09-13 16:41:32 +00:00
af_rule.cc parser: fix more gcc 5 compilation problems 2015-02-26 14:55:13 -08:00
af_rule.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
af_unix.cc with unix rules we output a downgraded rule compatible with network rules 2017-09-07 02:26:15 -07:00
af_unix.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
apparmor.d.pod all: Use HTTPS links for apparmor.net 2018-09-13 16:41:32 +00:00
apparmor.pod remove subdomainfs support 2018-11-08 18:23:21 -08:00
apparmor.service Adjust cache paths in apparmor.service 2018-06-16 23:14:19 +02:00
apparmor.systemd Add apparmor.service and aa-teardown 2018-03-24 19:28:24 +00:00
apparmor_parser.pod remove subdomainfs support 2018-11-08 18:23:21 -08:00
common_optarg.c Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
common_optarg.h Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.cc parser/dbus.cc: fix "accesss" typo. 2015-05-01 10:25:57 +02:00
dbus.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Rename AA_MAY_XXX permission bits that conflict with new layout 2015-06-06 01:25:49 -07:00
lib.c libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
lib.h libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
Makefile remove subdomainfs support 2018-11-08 18:23:21 -08:00
mount.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
mount.h Fix remount with bind 2015-09-21 12:20:19 -07:00
network.c Use the gcc cleanup extension attribute to handle closing temp files 2015-03-25 17:09:26 -05:00
network.h Remove unused net_find_af_val function, and network_families array 2015-02-27 16:20:31 +00:00
parser.conf parser: adjust parser.conf example Include statements 2015-03-09 10:43:13 -07:00
parser.h parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_alias.c parser: provide typedefs for comparison_fn_t and __free_fn_t 2018-05-09 13:15:42 -07:00
parser_common.c parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_include.c remove subdomainfs support 2018-11-08 18:23:21 -08:00
parser_include.h allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_interface.c add missing 'break' in load_profile() 2018-07-13 15:21:24 +02:00
parser_lex.l parser: ignore feature abi rules 2018-10-12 22:14:38 -07:00
parser_main.c parser: do not output cache warning for stdin if not using cache 2018-10-11 22:11:39 -07:00
parser_merge.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_misc.c parser: ignore feature abi rules 2018-10-12 22:14:38 -07:00
parser_policy.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_regex.c parser: Allow change_profile rules to accept an exec mode modifier 2016-05-31 15:32:08 -05:00
parser_symtab.c parser: provide typedefs for comparison_fn_t and __free_fn_t 2018-05-09 13:15:42 -07:00
parser_variable.c parser: fix memory leaks in unit tests 2016-01-25 12:05:50 -08:00
parser_yacc.y parser: ignore feature abi rules 2018-10-12 22:14:38 -07:00
policy_cache.c libapparmor: Add support for overlaycache directories 2018-04-14 15:51:23 -07:00
policy_cache.h libapparmor: Add support for overlaycache directories 2018-04-14 15:51:23 -07:00
policydb.h Add the ability to mediate signals. 2014-04-23 11:35:29 -07:00
profile.cc parser: first step implementing fine grained mediation for unix domain sockets 2014-09-03 13:22:26 -07:00
profile.h Fix: parser: incorrect output of child profile names 2016-04-18 13:26:53 -07:00
ptrace.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
ptrace.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions Remove traces of aa-eventd 2018-11-09 17:22:17 +01:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
README README: Move project contact info into the main README 2018-09-13 16:54:09 +00:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.cc Move C++ files from .c suffix to .cc suffix 2014-05-09 15:34:34 -07:00
rule.h Add missing rule.[hc] files that should have been part of commit 2449 2014-04-07 11:41:25 -07:00
signal.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
signal.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team