[apparmor] [PATCH 18/20] Add ability to dump unique permission sets
John Johansen
john.johansen at canonical.com
Fri Nov 5 05:51:14 GMT 2010
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/libapparmor_re/apparmor_re.h | 2 ++
parser/libapparmor_re/regexp.y | 23 ++++++++++++++++++++++-
parser/parser_main.c | 4 ++++
3 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/parser/libapparmor_re/apparmor_re.h b/parser/libapparmor_re/apparmor_re.h
index 04af34b..268c51d 100644
--- a/parser/libapparmor_re/apparmor_re.h
+++ b/parser/libapparmor_re/apparmor_re.h
@@ -22,6 +22,8 @@ typedef enum dfaflags {
DFA_CONTROL_REMOVE_UNREACHABLE = 1 << 7,
DFA_CONTROL_TRANS_HIGH = 1 << 8,
+ DFA_DUMP_UNIQ_PERMS = 1 << 14,
+ DFA_DUMP_MIN_UNIQ_PERMS = 1 << 15,
DFA_DUMP_TREE_STATS = 1 << 16,
DFA_DUMP_TREE = 1 << 17,
DFA_DUMP_SIMPLE_TREE = 1 << 18,
diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y
index ae6f153..5b7e291 100644
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -1428,6 +1428,7 @@ public:
void minimize(dfaflags_t flags);
void dump(ostream& os);
void dump_dot_graph(ostream& os);
+ void dump_uniq_perms(const char *s);
map<uchar, uchar> equivalence_classes(dfaflags_t flags);
void apply_equivalence_classes(map<uchar, uchar>& eq);
Node *root;
@@ -1632,6 +1633,21 @@ public:
};
+void DFA::dump_uniq_perms(const char *s)
+{
+ set < pair<uint32_t, uint32_t> > uniq;
+ for (Partition::iterator i = states.begin(); i != states.end(); i++)
+ uniq.insert(make_pair((*i)->accept, (*i)->audit));
+
+ cerr << "Unique Permission sets: " << s << " (" << uniq.size() << ")\n";
+ cerr << "----------------------\n";
+ for (set< pair<uint32_t, uint32_t> >::iterator i = uniq.begin();
+ i != uniq.end(); i++) {
+ cerr << " " << hex << i->first << " " << i->second << dec <<"\n";
+ }
+}
+
+
/* Remove dead or unreachable states */
void DFA::remove_unreachable(dfaflags_t flags)
{
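Review bot: dump_uniq_perms() writes straight to `cerr`, while `dump(ostream& os)` and `dump_dot_graph(ostream& os)`, declared next to it in the class, take the stream as a parameter. Taking an `ostream&` here as well would keep the dump functions uniform and let this listing be captured separately from parser diagnostics. The two hex columns are printed without labels, so someone auditing a compiled profile has to know from the source that the first is `accept` and the second is `audit`; a header line such as `cerr << "  accept audit\n";` would make the output self-describing. The set is built over every entry in `states`, so the pair belonging to non-accepting states is presumably counted too; a short comment above the function saying so would help.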
@@ -2962,10 +2978,15 @@ extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t
}
DFA dfa(rules->root, flags);
+ if (flags & DFA_DUMP_UNIQ_PERMS)
+ dfa.dump_uniq_perms("dfa");
- if (flags & DFA_CONTROL_MINIMIZE)
+ if (flags & DFA_CONTROL_MINIMIZE) {
dfa.minimize(flags);
+ if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
+ dfa.dump_uniq_perms("minimized dfa");
+ }
//if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
// remove_unreachable(flags);
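Review bot: `DFA_DUMP_MIN_UNIQ_PERMS` is only tested inside the `DFA_CONTROL_MINIMIZE` branch, so `dfa-minimize-uniq-perms` prints nothing, and gives no notice, when minimization is not enabled. Someone comparing the permission sets before and after minimization, to confirm that the compiled policy is unchanged, could read the missing output as a clean result. Either state the dependency in the option's help text in the dumpflag_table hunk of parser/parser_main.c, for example `"Dump unique perms post minimization (only when minimizing)"`, or add a comment at the check such as `/* no post-minimization dump when minimization is off */`. aare_create_dfa starts and ends outside this hunk.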
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 941b1b5..f9b590a 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -213,6 +213,10 @@ optflag_table_t dumpflag_table[] = {
DFA_DUMP_UNREACHABLE },
{ 1, "dfa-node-map", "Dump expr node set to state mapping",
DFA_DUMP_NODE_TO_DFA },
+ { 1, "dfa-uniq-perms", "Dump unique perms",
+ DFA_DUMP_UNIQ_PERMS },
+ { 1, "dfa-minimize-uniq-perms", "Dump unique perms post minimization",
+ DFA_DUMP_MIN_UNIQ_PERMS },
{ 1, "compress-progress", "Dump progress of compression",
DFA_DUMP_TRANS_PROGRESS | DFA_DUMP_TRANS_STATS },
{ 1, "compress-stats", "Dump stats on compression",
--
1.7.1