[apparmor] [PATCH 5/5] Revert to using permission hashing as part of dfa minimization.
John Johansen
john.johansen at canonical.com
Tue Nov 30 05:44:30 GMT 2010
On 11/29/2010 12:05 PM, Steve Beattie wrote:
> On Tue, Nov 23, 2010 at 01:18:55AM -0800, John Johansen wrote:
>> This is a short term fix to deal with permission merging in dfa minimization
>> not handling overlapping x permissions correctly. Until this is fixed
>> a profile with overlapping x permissions will have invalid x values which
>> will either be rejected by the kernel or result in the wrong transition.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> Acked-By: Steve Beattie <sbeattie at ubuntu.com>
>
> Do you have a reproducer example that we can use as a test case?
Ah yes I do, however we need to add the ability to detect it, or anything like it
that will trigger the problem currently.
I'll see what I can do about adding something to detect collisions, however
before too long I need to get dominance working correctly so we can properly
distinguish between these, and also handle
/** ix
/a* px
type collisions correctly, which we have never supported in the past but it
would be nice to support.
>
>> ---
>> parser/parser_main.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/parser/parser_main.c b/parser/parser_main.c
>> index f9b590a..15598eb 100644
>> --- a/parser/parser_main.c
>> +++ b/parser/parser_main.c
>> @@ -69,7 +69,7 @@ int binary_input = 0;
>> int names_only = 0;
>> int dump_vars = 0;
>> int dump_expanded_vars = 0;
>> -dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS;
>> +dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS | DFA_CONTROL_MINIMIZE_HASH_PERMS;
>> int conf_verbose = 0;
>> int conf_quiet = 0;
>> int kernel_load = 1;
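Review bot: the changed `dfaflags` initializer makes DFA_CONTROL_MINIMIZE_HASH_PERMS part of the default with no comment marking it as temporary, so nothing in parser_main.c records that it is the short term workaround for permission merging with overlapping x permissions that the commit message describes. Suggest a short comment above the initializer saying the flag should be dropped once minimization merges overlapping x permissions correctly, and wrapping the initializer across several lines, since the single line is now very long. A test profile with overlapping x rules, as requested in the reply, would let the later removal of the flag be checked.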
>> --
>> 1.7.1