[apparmor] [PATCH 11/11] Default permission-hashing for dfa creation to on, to fix a bug

John Johansen john.johansen at canonical.com
Tue Dec 14 08:58:48 GMT 2010

When doing permission merging in the dfa minimization phase the information
about whether a rule is dominant or not has been lost so the merge of
xtransitions can not be handled correctly.

When two conflicting x transitions are merged the results are unpredicitable,
and not currently detected.  So default dfa minimization to set up its
initial partitions with permission hashing, this ensures that dfa states
that have different xtransitions in the minimization stage will never
be merged thus will not result in a conflict.

x permission checking is still enforced at the dfa creation phase where
the originial information is available to check whether the conflicting
permissions came from exact match or re rules so that conflict resolution
can be properly applied.

The end result is that dfa minimization does not result in a truely minimal
dfa (the minimization phase is also slightly faster).

Signed-off-by: John Johansen <john.johansen at canonical.com>
 parser/parser_main.c                               |    2 +-
 .../tst/simple_tests/xtrans/minimize-x-conflict.sd |   10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)
 create mode 100644 parser/tst/simple_tests/xtrans/minimize-x-conflict.sd

diff --git a/parser/parser_main.c b/parser/parser_main.c
index f9b590a..15598eb 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -69,7 +69,7 @@ int binary_input = 0;
 int names_only = 0;
 int dump_vars = 0;
 int dump_expanded_vars = 0;
 int conf_verbose = 0;
 int conf_quiet = 0;
 int kernel_load = 1;
diff --git a/parser/tst/simple_tests/xtrans/minimize-x-conflict.sd b/parser/tst/simple_tests/xtrans/minimize-x-conflict.sd
new file mode 100644
index 0000000..2185dcd
--- /dev/null
+++ b/parser/tst/simple_tests/xtrans/minimize-x-conflict.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
+/usr/bin/foo {
+  # need to build minimal test for this yet

More information about the AppArmor mailing list