mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
16b67ddbd6
Currently the NULL character is used as an out of band transition for string/path elements. This works for them as the NULL character is not valid for this data. However this does not work for binary data that can contain a NULL character. So far we have only dealt with fixed length fields of binary data making the NULL separator either unnecessary. However binary data like in the xattr match and mount data field are variable length and can contain NULL characters. To deal with this add the ability to specify out of band transitions, that can only be triggered by code not input data. The out of band transition can be used to separate variable length data fields just as the NULL transition has been used to separate variable length strings. In the compressed hfa out of band transitions are expressed as a negative offset from the states base. This leaves us room to expand the character match range in the future if desired and on average makes the range between the out of band transition and the input transitions smaller than would be had if the out of band transition had been stored after the valid input transitions. Out of band transitions in the dfa will not break old kernels that don't know about them, but they won't be able to trigger the out of band transition match. So they should not be used unless the kernel indicates that it supports them. It should be noted that this patch only adds support for a single out of band transition. If multiple out of band transitions are required. It is trivial to extend. - Add a tag indicating support in the kernel - add a oob max range field to the dfa header so the kernel knows what the max range that needs verifying is. - extend oob generation fns to generate oob based on value instead of a fixed -1. Signed-off-by: John Johansen <john.johansen@canonical.com>
62 lines
1.9 KiB
C++
62 lines
1.9 KiB
C++
/*
|
|
* (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
|
|
* Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
|
|
* Copyright 2009-2012 Canonical Ltd.
|
|
*
|
|
* The libapparmor library is licensed under the terms of the GNU
|
|
* Lesser General Public License, version 2.1. Please see the file
|
|
* COPYING.LGPL.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*
|
|
* Create a compressed hfa (chfa) from and hfa
|
|
*/
|
|
#ifndef __LIBAA_RE_CHFA_H
|
|
#define __LIBAA_RE_CHFA_H
|
|
|
|
#include <map>
|
|
#include <vector>
|
|
|
|
#include "hfa.h"
|
|
|
|
#define BASE32_FLAGS 0xff000000
|
|
#define DiffEncodeBit32 0x80000000
|
|
#define MATCH_FLAG_OOB_TRANSITION 0x20000000
|
|
#define base_mask_size(X) ((X) & ~BASE32_FLAGS)
|
|
|
|
using namespace std;
|
|
|
|
class CHFA {
|
|
typedef vector<pair<const State *, size_t> > DefaultBase;
|
|
typedef vector<pair<const State *, const State *> > NextCheck;
|
|
public:
|
|
CHFA(DFA &dfa, map<transchar, transchar> &eq, dfaflags_t flags);
|
|
void dump(ostream & os);
|
|
void flex_table(ostream &os, const char *name);
|
|
void init_free_list(vector<pair<size_t, size_t> > &free_list,
|
|
size_t prev, size_t start);
|
|
bool fits_in(vector<pair<size_t, size_t> > &free_list, size_t base,
|
|
StateTrans &cases);
|
|
void insert_state(vector<pair<size_t, size_t> > &free_list,
|
|
State *state, DFA &dfa);
|
|
|
|
private:
|
|
vector<uint32_t> accept;
|
|
vector<uint32_t> accept2;
|
|
DefaultBase default_base;
|
|
NextCheck next_check;
|
|
map<const State *, size_t> num;
|
|
map<transchar, transchar> &eq;
|
|
transchar max_eq;
|
|
ssize_t first_free;
|
|
unsigned int chfaflags;
|
|
};
|
|
|
|
#endif /* __LIBAA_RE_CHFA_H */
|