[apparmor] [PATCH 02/10] Split out aare_rules which are used to encapsulate creating the dfa
John Johansen
john.johansen at canonical.com
Thu Mar 10 20:35:52 UTC 2011
Split out the aare_rule bits that encapsulate the convertion of apparmor
rules into the final compressed dfa.
This patch will not compile because of the it needs hfa to export an interface
but hfa is going to be split so just delay until hfa and transtable are
split and they can each export their own interface.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/libapparmor_re/Makefile | 5 +-
parser/libapparmor_re/aare_rules.cc | 306 +++++++++++++++++++++++++++++++++++
parser/libapparmor_re/aare_rules.h | 45 +++++
parser/libapparmor_re/apparmor_re.h | 21 ---
parser/libapparmor_re/hfa.cc | 281 --------------------------------
parser/parser.h | 1 +
parser/parser_regex.c | 1 +
7 files changed, 357 insertions(+), 303 deletions(-)
create mode 100644 parser/libapparmor_re/aare_rules.cc
create mode 100644 parser/libapparmor_re/aare_rules.h
diff --git a/parser/libapparmor_re/Makefile b/parser/libapparmor_re/Makefile
index 7006744..de44ad7 100644
--- a/parser/libapparmor_re/Makefile
+++ b/parser/libapparmor_re/Makefile
@@ -12,7 +12,7 @@ BISON := bison
all : ${TARGET}
-libapparmor_re.a: parse.o expr-tree.o hfa.o
+libapparmor_re.a: parse.o expr-tree.o hfa.o aare_rules.o
ar ${ARFLAGS} $@ $^
expr-tree.o: expr-tree.cc expr-tree.h
@@ -21,6 +21,9 @@ expr-tree.o: expr-tree.cc expr-tree.h
hfa.o: hfa.cc apparmor_re.h
$(LINK.cc) $< -c -o $@
+aare_rules.o: aare_rules.cc aare_rules.h
+ $(LINK.cc) $< -c -o $@
+
parse.o : parse.cc apparmor_re.h expr-tree.h
$(LINK.cc) $< -c -o $@
diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
new file mode 100644
index 0000000..739eeb2
--- /dev/null
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -0,0 +1,306 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen at suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Wrapper around the dfa to convert aa rules into a dfa
+ */
+
+#include <sstream>
+#include <ext/stdio_filebuf.h>
+
+#include "aare_rules.h"
+#include "expr-tree.h"
+#include "parse.h"
+#include "hfa.h"
+
+struct aare_ruleset {
+ int reverse;
+ Node *root;
+};
+
+extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
+{
+ aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
+ if (!container)
+ return NULL;
+
+ container->root = NULL;
+ container->reverse = reverse;
+
+ return container;
+}
+
+extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
+{
+ if (rules) {
+ if (rules->root)
+ rules->root->release();
+ free(rules);
+ }
+}
+
+extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+ uint32_t perms, uint32_t audit, dfaflags_t flags)
+{
+ return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
+}
+
+#define FLAGS_WIDTH 2
+#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
+MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
+
+extern "C" void aare_reset_matchflags(void)
+{
+ uint32_t i, j;
+#define RESET_FLAGS(group, size) { \
+ for (i = 0; i < FLAGS_WIDTH; i++) { \
+ for (j = 0; j < size; j++) { \
+ if ((group)[i][j]) delete (group)[i][j]; \
+ (group)[i][j] = NULL; \
+ } \
+ } \
+}
+ RESET_FLAGS(match_flags,MATCH_FLAGS_SIZE);
+ RESET_FLAGS(deny_flags,MATCH_FLAGS_SIZE);
+ RESET_FLAGS(exec_match_flags,EXEC_MATCH_FLAGS_SIZE);
+ RESET_FLAGS(exact_match_flags,EXEC_MATCH_FLAGS_SIZE);
+#undef RESET_FLAGS
+}
+
+extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
+ uint32_t perms, uint32_t audit,
+ int count, char **rulev,
+ dfaflags_t flags)
+{
+ Node *tree = NULL, *accept;
+ int exact_match;
+
+ assert(perms != 0);
+
+ if (regex_parse(&tree, rulev[0]))
+ return 0;
+ for (int i = 1; i < count; i++) {
+ Node *subtree = NULL;
+ Node *node = new CharNode(0);
+ if (!node)
+ return 0;
+ tree = new CatNode(tree, node);
+ if (regex_parse(&subtree, rulev[i]))
+ return 0;
+ tree = new CatNode(tree, subtree);
+ }
+
+ /*
+ * Check if we have an expression with or without wildcards. This
+ * determines how exec modifiers are merged in accept_perms() based
+ * on how we split permission bitmasks here.
+ */
+ exact_match = 1;
+ for (depth_first_traversal i(tree); i; i++) {
+ if (dynamic_cast<StarNode *>(*i) ||
+ dynamic_cast<PlusNode *>(*i) ||
+ dynamic_cast<AnyCharNode *>(*i) ||
+ dynamic_cast<CharSetNode *>(*i) ||
+ dynamic_cast<NotCharSetNode *>(*i))
+ exact_match = 0;
+ }
+
+ if (rules->reverse)
+ flip_tree(tree);
+
+
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
+
+//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
+// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
+
+//if (perms & ALL_EXEC_TYPE)
+// fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
+
+//if (audit)
+//fprintf(stderr, "adding rule with audit bits set: 0x%x %s\n", audit, rulev[0]);
+
+//if (perms & AA_CHANGE_HAT)
+// fprintf(stderr, "adding change_hat rule %s\n", rulev[0]);
+
+/* the permissions set is assumed to be non-empty if any audit
+ * bits are specified */
+ accept = NULL;
+ for (unsigned int n = 0; perms && n < (sizeof(perms) * 8) ; n++) {
+ uint32_t mask = 1 << n;
+
+ if (perms & mask) {
+ int ai = audit & mask ? 1 : 0;
+ perms &= ~mask;
+
+ Node *flag;
+ if (mask & ALL_AA_EXEC_TYPE)
+ /* these cases are covered by EXEC_BITS */
+ continue;
+ if (deny) {
+ if (deny_flags[ai][n]) {
+ flag = deny_flags[ai][n];
+ } else {
+//fprintf(stderr, "Adding deny ai %d mask 0x%x audit 0x%x\n", ai, mask, audit & mask);
+ deny_flags[ai][n] = new DenyMatchFlag(mask, audit&mask);
+ flag = deny_flags[ai][n];
+ }
+ } else if (mask & AA_EXEC_BITS) {
+ uint32_t eperm = 0;
+ uint32_t index = 0;
+ if (mask & AA_USER_EXEC) {
+ eperm = mask | (perms & AA_USER_EXEC_TYPE);
+ index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
+ } else {
+ eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
+ index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
+ }
+//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
+ if (exact_match) {
+ if (exact_match_flags[ai][index]) {
+ flag = exact_match_flags[ai][index];
+ } else {
+ exact_match_flags[ai][index] = new ExactMatchFlag(eperm, audit&mask);
+ flag = exact_match_flags[ai][index];
+ }
+ } else {
+ if (exec_match_flags[ai][index]) {
+ flag = exec_match_flags[ai][index];
+ } else {
+ exec_match_flags[ai][index] = new MatchFlag(eperm, audit&mask);
+ flag = exec_match_flags[ai][index];
+ }
+ }
+ } else {
+ if (match_flags[ai][n]) {
+ flag = match_flags[ai][n];
+ } else {
+ match_flags[ai][n] = new MatchFlag(mask, audit&mask);
+ flag = match_flags[ai][n];
+ }
+ }
+ if (accept)
+ accept = new AltNode(accept, flag);
+ else
+ accept = flag;
+ }
+ }
+
+ if (flags & DFA_DUMP_RULE_EXPR) {
+ cerr << "rule: ";
+ cerr << rulev[0];
+ for (int i = 1; i < count; i++) {
+ cerr << "\\x00";
+ cerr << rulev[i];
+ }
+ cerr << " -> ";
+ tree->dump(cerr);
+ cerr << "\n\n";
+ }
+
+ if (rules->root)
+ rules->root = new AltNode(rules->root, new CatNode(tree, accept));
+ else
+ rules->root = new CatNode(tree, accept);
+
+ return 1;
+
+}
+
+/* create a dfa from the ruleset
+ * returns: buffer contain dfa tables, @size set to the size of the tables
+ * else NULL on failure
+ */
+extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags)
+{
+ char *buffer = NULL;
+
+ label_nodes(rules->root);
+ if (flags & DFA_DUMP_TREE) {
+ cerr << "\nDFA: Expression Tree\n";
+ rules->root->dump(cerr);
+ cerr << "\n\n";
+ }
+
+ if (flags & DFA_CONTROL_TREE_SIMPLE) {
+ rules->root = simplify_tree(rules->root, flags);
+
+ if (flags & DFA_DUMP_SIMPLE_TREE) {
+ cerr << "\nDFA: Simplified Expression Tree\n";
+ rules->root->dump(cerr);
+ cerr << "\n\n";
+ }
+ }
+
+ stringstream stream;
+ try {
+ DFA dfa(rules->root, flags);
+ if (flags & DFA_DUMP_UNIQ_PERMS)
+ dfa.dump_uniq_perms("dfa");
+
+ if (flags & DFA_CONTROL_MINIMIZE) {
+ dfa.minimize(flags);
+
+ if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
+ dfa.dump_uniq_perms("minimized dfa");
+ }
+ if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
+ dfa.remove_unreachable(flags);
+
+ if (flags & DFA_DUMP_STATES)
+ dfa.dump(cerr);
+
+ if (flags & DFA_DUMP_GRAPH)
+ dfa.dump_dot_graph(cerr);
+
+ map<uchar, uchar> eq;
+ if (flags & DFA_CONTROL_EQUIV) {
+ eq = dfa.equivalence_classes(flags);
+ dfa.apply_equivalence_classes(eq);
+
+ if (flags & DFA_DUMP_EQUIV) {
+ cerr << "\nDFA equivalence class\n";
+ dump_equivalence_classes(cerr, eq);
+ }
+ } else if (flags & DFA_DUMP_EQUIV)
+ cerr << "\nDFA did not generate an equivalence class\n";
+
+ TransitionTable transition_table(dfa, eq, flags);
+ if (flags & DFA_DUMP_TRANS_TABLE)
+ transition_table.dump(cerr);
+ transition_table.flex_table(stream, "");
+ } catch (int error) {
+ *size = 0;
+ return NULL;
+ }
+
+ stringbuf *buf = stream.rdbuf();
+
+ buf->pubseekpos(0);
+ *size = buf->in_avail();
+
+ buffer = (char *)malloc(*size);
+ if (!buffer)
+ return NULL;
+ buf->sgetn(buffer, *size);
+ return buffer;
+}
diff --git a/parser/libapparmor_re/aare_rules.h b/parser/libapparmor_re/aare_rules.h
new file mode 100644
index 0000000..ddd5f44
--- /dev/null
+++ b/parser/libapparmor_re/aare_rules.h
@@ -0,0 +1,45 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen at suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Wrapper around the dfa to convert aa rules into a dfa
+ */
+#ifndef __LIBAA_RE_RULES_H
+#define __LIBAA_RE_RULES_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct aare_ruleset;
+
+typedef struct aare_ruleset aare_ruleset_t;
+
+aare_ruleset_t *aare_new_ruleset(int reverse);
+void aare_delete_ruleset(aare_ruleset_t *rules);
+int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+ uint32_t perms, uint32_t audit, dfaflags_t flags);
+int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
+ uint32_t audit, int count, char **rulev, dfaflags_t flags);
+void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
+void aare_reset_matchflags(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __LIBAA_RE_RULES_H */
diff --git a/parser/libapparmor_re/apparmor_re.h b/parser/libapparmor_re/apparmor_re.h
index fed69be..4199e82 100644
--- a/parser/libapparmor_re/apparmor_re.h
+++ b/parser/libapparmor_re/apparmor_re.h
@@ -43,25 +43,4 @@ typedef enum dfaflags {
DFA_DUMP_NODE_TO_DFA = 1 << 31,
} dfaflags_t;
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-struct aare_ruleset;
-
-typedef struct aare_ruleset aare_ruleset_t;
-
-aare_ruleset_t *aare_new_ruleset(int reverse);
-void aare_delete_ruleset(aare_ruleset_t *rules);
-int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
- uint32_t perms, uint32_t audit, dfaflags_t flags);
-int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
- uint32_t audit, int count, char **rulev, dfaflags_t flags);
-void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
-void aare_reset_matchflags(void);
-
-#ifdef __cplusplus
-}
-#endif
-
#endif /* APPARMOR_RE_H */
diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc
index c78bfce..453a828 100644
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@@ -41,7 +41,6 @@
#include <fstream>
#include "expr-tree.h"
-#include "parse.h"
#include "../immunix.h"
@@ -1384,34 +1383,6 @@ void dump_regexp(ostream& os, Node *tree)
os << endl;
}
-#include <sstream>
-#include <ext/stdio_filebuf.h>
-
-struct aare_ruleset {
- int reverse;
- Node *root;
-};
-
-extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
-{
- aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
- if (!container)
- return NULL;
-
- container->root = NULL;
- container->reverse = reverse;
-
- return container;
-}
-
-extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
-{
- if (rules) {
- if (rules->root)
- rules->root->release();
- free(rules);
- }
-}
static inline int diff_qualifiers(uint32_t perm1, uint32_t perm2)
{
@@ -1502,255 +1473,3 @@ uint32_t accept_perms(NodeSet *state, uint32_t *audit_ctl, int *error)
return perms;
}
-
-extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
- uint32_t perms, uint32_t audit, dfaflags_t flags)
-{
- return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
-}
-
-#define FLAGS_WIDTH 2
-#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
-MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
-
-extern "C" void aare_reset_matchflags(void)
-{
- uint32_t i, j;
-#define RESET_FLAGS(group, size) { \
- for (i = 0; i < FLAGS_WIDTH; i++) { \
- for (j = 0; j < size; j++) { \
- if ((group)[i][j]) delete (group)[i][j]; \
- (group)[i][j] = NULL; \
- } \
- } \
-}
- RESET_FLAGS(match_flags,MATCH_FLAGS_SIZE);
- RESET_FLAGS(deny_flags,MATCH_FLAGS_SIZE);
- RESET_FLAGS(exec_match_flags,EXEC_MATCH_FLAGS_SIZE);
- RESET_FLAGS(exact_match_flags,EXEC_MATCH_FLAGS_SIZE);
-#undef RESET_FLAGS
-}
-
-extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
- uint32_t perms, uint32_t audit,
- int count, char **rulev,
- dfaflags_t flags)
-{
- Node *tree = NULL, *accept;
- int exact_match;
-
- assert(perms != 0);
-
- if (regex_parse(&tree, rulev[0]))
- return 0;
- for (int i = 1; i < count; i++) {
- Node *subtree = NULL;
- Node *node = new CharNode(0);
- if (!node)
- return 0;
- tree = new CatNode(tree, node);
- if (regex_parse(&subtree, rulev[i]))
- return 0;
- tree = new CatNode(tree, subtree);
- }
-
- /*
- * Check if we have an expression with or without wildcards. This
- * determines how exec modifiers are merged in accept_perms() based
- * on how we split permission bitmasks here.
- */
- exact_match = 1;
- for (depth_first_traversal i(tree); i; i++) {
- if (dynamic_cast<StarNode *>(*i) ||
- dynamic_cast<PlusNode *>(*i) ||
- dynamic_cast<AnyCharNode *>(*i) ||
- dynamic_cast<CharSetNode *>(*i) ||
- dynamic_cast<NotCharSetNode *>(*i))
- exact_match = 0;
- }
-
- if (rules->reverse)
- flip_tree(tree);
-
-
-/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
-
-//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
-// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
-
-//if (perms & ALL_EXEC_TYPE)
-// fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
-
-//if (audit)
-//fprintf(stderr, "adding rule with audit bits set: 0x%x %s\n", audit, rulev[0]);
-
-//if (perms & AA_CHANGE_HAT)
-// fprintf(stderr, "adding change_hat rule %s\n", rulev[0]);
-
-/* the permissions set is assumed to be non-empty if any audit
- * bits are specified */
- accept = NULL;
- for (unsigned int n = 0; perms && n < (sizeof(perms) * 8) ; n++) {
- uint32_t mask = 1 << n;
-
- if (perms & mask) {
- int ai = audit & mask ? 1 : 0;
- perms &= ~mask;
-
- Node *flag;
- if (mask & ALL_AA_EXEC_TYPE)
- /* these cases are covered by EXEC_BITS */
- continue;
- if (deny) {
- if (deny_flags[ai][n]) {
- flag = deny_flags[ai][n];
- } else {
-//fprintf(stderr, "Adding deny ai %d mask 0x%x audit 0x%x\n", ai, mask, audit & mask);
- deny_flags[ai][n] = new DenyMatchFlag(mask, audit&mask);
- flag = deny_flags[ai][n];
- }
- } else if (mask & AA_EXEC_BITS) {
- uint32_t eperm = 0;
- uint32_t index = 0;
- if (mask & AA_USER_EXEC) {
- eperm = mask | (perms & AA_USER_EXEC_TYPE);
- index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
- } else {
- eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
- index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
- }
-//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
- if (exact_match) {
- if (exact_match_flags[ai][index]) {
- flag = exact_match_flags[ai][index];
- } else {
- exact_match_flags[ai][index] = new ExactMatchFlag(eperm, audit&mask);
- flag = exact_match_flags[ai][index];
- }
- } else {
- if (exec_match_flags[ai][index]) {
- flag = exec_match_flags[ai][index];
- } else {
- exec_match_flags[ai][index] = new MatchFlag(eperm, audit&mask);
- flag = exec_match_flags[ai][index];
- }
- }
- } else {
- if (match_flags[ai][n]) {
- flag = match_flags[ai][n];
- } else {
- match_flags[ai][n] = new MatchFlag(mask, audit&mask);
- flag = match_flags[ai][n];
- }
- }
- if (accept)
- accept = new AltNode(accept, flag);
- else
- accept = flag;
- }
- }
-
- if (flags & DFA_DUMP_RULE_EXPR) {
- cerr << "rule: ";
- cerr << rulev[0];
- for (int i = 1; i < count; i++) {
- cerr << "\\x00";
- cerr << rulev[i];
- }
- cerr << " -> ";
- tree->dump(cerr);
- cerr << "\n\n";
- }
-
- if (rules->root)
- rules->root = new AltNode(rules->root, new CatNode(tree, accept));
- else
- rules->root = new CatNode(tree, accept);
-
- return 1;
-
-}
-
-/* create a dfa from the ruleset
- * returns: buffer contain dfa tables, @size set to the size of the tables
- * else NULL on failure
- */
-extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags)
-{
- char *buffer = NULL;
-
- label_nodes(rules->root);
- if (flags & DFA_DUMP_TREE) {
- cerr << "\nDFA: Expression Tree\n";
- rules->root->dump(cerr);
- cerr << "\n\n";
- }
-
- if (flags & DFA_CONTROL_TREE_SIMPLE) {
- rules->root = simplify_tree(rules->root, flags);
-
- if (flags & DFA_DUMP_SIMPLE_TREE) {
- cerr << "\nDFA: Simplified Expression Tree\n";
- rules->root->dump(cerr);
- cerr << "\n\n";
- }
- }
-
- stringstream stream;
- try {
- DFA dfa(rules->root, flags);
- if (flags & DFA_DUMP_UNIQ_PERMS)
- dfa.dump_uniq_perms("dfa");
-
- if (flags & DFA_CONTROL_MINIMIZE) {
- dfa.minimize(flags);
-
- if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
- dfa.dump_uniq_perms("minimized dfa");
- }
- if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
- dfa.remove_unreachable(flags);
-
- if (flags & DFA_DUMP_STATES)
- dfa.dump(cerr);
-
- if (flags & DFA_DUMP_GRAPH)
- dfa.dump_dot_graph(cerr);
-
- map<uchar, uchar> eq;
- if (flags & DFA_CONTROL_EQUIV) {
- eq = dfa.equivalence_classes(flags);
- dfa.apply_equivalence_classes(eq);
-
- if (flags & DFA_DUMP_EQUIV) {
- cerr << "\nDFA equivalence class\n";
- dump_equivalence_classes(cerr, eq);
- }
- } else if (flags & DFA_DUMP_EQUIV)
- cerr << "\nDFA did not generate an equivalence class\n";
-
- TransitionTable transition_table(dfa, eq, flags);
- if (flags & DFA_DUMP_TRANS_TABLE)
- transition_table.dump(cerr);
- transition_table.flex_table(stream, "");
- } catch (int error) {
- *size = 0;
- return NULL;
- }
-
- stringbuf *buf = stream.rdbuf();
-
- buf->pubseekpos(0);
- *size = buf->in_avail();
-
- buffer = (char *)malloc(*size);
- if (!buffer)
- return NULL;
- buf->sgetn(buffer, *size);
- return buffer;
-}
diff --git a/parser/parser.h b/parser/parser.h
index 310ba84..d7cd49a 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -23,6 +23,7 @@
#include <sys/resource.h>
#include "immunix.h"
#include "libapparmor_re/apparmor_re.h"
+#include "libapparmor_re/aare_rules.h"
typedef enum pattern_t pattern_t;
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index df1e215..301b8a2 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -26,6 +26,7 @@
#include "parser.h"
#include "libapparmor_re/apparmor_re.h"
+#include "libapparmor_re/aare_rules.h"
enum error_type {
e_no_error,
--
1.7.1
More information about the AppArmor
mailing list