[apparmor] [PATCH 03/11] Fix error checking of conflicting x-trans during dfa construction.
John Johansen
john.johansen at canonical.com
Tue Dec 14 08:58:40 GMT 2010
During some of the dfa cleanups, the checks for conflicting xtransitions
were removed. This adds the conflict checking back in and makes it part
of dfa creation.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/libapparmor_re/regexp.y | 78 +++++++++++++++++++--------------------
1 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y
index da0e6ba..022becc 100644
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -1414,7 +1414,7 @@ class State {
public:
State() : label (0), audit(0), accept(0), cases(), nodes(NULL) { };
State(int l): label (l), audit(0), accept(0), cases(), nodes(NULL) { };
- State(int l, NodeSet *n):
+ State(int l, NodeSet *n) throw (int):
label(l), audit(0), accept(0), cases(), nodes(n)
{
int error;
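Review bot: The `throw (int)` dynamic exception specification added to `State(int l, NodeSet *n)` turns any non-int exception that escapes the constructor into a call to std::unexpected(), which terminates the process by default; the form is also deprecated in C++11 and removed in C++17. If accept_perms() or anything it calls can raise something like std::bad_alloc (not visible in this hunk), the parser would abort instead of reaching the handler in aare_create_dfa. I would drop the specification and state the contract in a comment above the constructor, e.g. `/* throws int: the error reported by accept_perms() */`. The constructor body continues past the end of this hunk.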
@@ -1422,9 +1422,8 @@ public:
/* Compute permissions associated with the State. */
accept = accept_perms(nodes, &audit, &error);
if (error) {
- /* TODO!!!!!!!!!!!!!
- * permission error checking here
- */
+cerr << "Failing on accept perms " << error << "\n";
+ throw error;
}
};
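Review bot: The added `cerr << "Failing on accept perms "` line in the `if (error)` branch prints unconditionally from library code, sits at column 0 unlike its neighbours, and reports only a raw integer, so a policy author cannot tell which rule was rejected. The other diagnostics visible in this patch are gated by DFA_DUMP_* flags, and this looks like leftover debugging output. I would indent it and make the message say what failed, presumably the x-transition conflict the commit title refers to, e.g. `cerr << "profile has conflicting x permissions (accept_perms error " << error << ")\n";`. Throwing a bare `int` also leaves the handler unable to tell this failure from any other int thrown during DFA construction; a small exception type, or a comment documenting the value, would help.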
@@ -3025,48 +3024,47 @@ extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t
}
}
- DFA dfa(rules->root, flags);
- if (flags & DFA_DUMP_UNIQ_PERMS)
- dfa.dump_uniq_perms("dfa");
-
- if (flags & DFA_CONTROL_MINIMIZE) {
- dfa.minimize(flags);
-
- if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
- dfa.dump_uniq_perms("minimized dfa");
- }
- if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
- dfa.remove_unreachable(flags);
+ stringstream stream;
+ try {
+ DFA dfa(rules->root, flags);
+ if (flags & DFA_DUMP_UNIQ_PERMS)
+ dfa.dump_uniq_perms("dfa");
- if (flags & DFA_DUMP_STATES)
- dfa.dump(cerr);
+ if (flags & DFA_CONTROL_MINIMIZE) {
+ dfa.minimize(flags);
- if (flags & DFA_DUMP_GRAPH)
- dfa.dump_dot_graph(cerr);
+ if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
+ dfa.dump_uniq_perms("minimized dfa");
+ }
+ if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
+ dfa.remove_unreachable(flags);
- map<uchar, uchar> eq;
- if (flags & DFA_CONTROL_EQUIV) {
- eq = dfa.equivalence_classes(flags);
- dfa.apply_equivalence_classes(eq);
+ if (flags & DFA_DUMP_STATES)
+ dfa.dump(cerr);
- if (flags & DFA_DUMP_EQUIV) {
- cerr << "\nDFA equivalence class\n";
- dump_equivalence_classes(cerr, eq);
- }
- } else if (flags & DFA_DUMP_EQUIV)
- cerr << "\nDFA did not generate an equivalence class\n";
+ if (flags & DFA_DUMP_GRAPH)
+ dfa.dump_dot_graph(cerr);
-// TODO: perm verification needs to be moved into dfa creation
-// if (dfa.verify_perms()) {
-// *size = 0;
-// return NULL;
-// }
+ map<uchar, uchar> eq;
+ if (flags & DFA_CONTROL_EQUIV) {
+ eq = dfa.equivalence_classes(flags);
+ dfa.apply_equivalence_classes(eq);
- stringstream stream;
- TransitionTable transition_table(dfa, eq, flags);
- if (flags & DFA_DUMP_TRANS_TABLE)
- transition_table.dump(cerr);
- transition_table.flex_table(stream, "");
+ if (flags & DFA_DUMP_EQUIV) {
+ cerr << "\nDFA equivalence class\n";
+ dump_equivalence_classes(cerr, eq);
+ }
+ } else if (flags & DFA_DUMP_EQUIV)
+ cerr << "\nDFA did not generate an equivalence class\n";
+
+ TransitionTable transition_table(dfa, eq, flags);
+ if (flags & DFA_DUMP_TRANS_TABLE)
+ transition_table.dump(cerr);
+ transition_table.flex_table(stream, "");
+ } catch (int error) {
+ *size = 0;
+ return NULL;
+ }
stringbuf *buf = stream.rdbuf();
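Review bot: The new handler `catch (int error)` only covers the int thrown by the State constructor, while aare_create_dfa is declared `extern "C"`, so any other exception raised inside the try block would unwind across the C boundary into callers that cannot handle it. The DFA and TransitionTable constructors, minimize() and the container operations may throw std::bad_alloc, for example. Failing closed with a NULL table is the right outcome for a policy compiler, so I would add a second handler with the same body, `} catch (...) { *size = 0; return NULL; }`. The caught `error` is also unused, so the caller cannot distinguish a permission conflict from any other failure; either drop the name or report it. The function starts before and continues after this hunk.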
--
1.7.1