[apparmor] [PATCH 04/10] Lindent + hand cleanups aare_rules
John Johansen
john.johansen at canonical.com
Thu Mar 10 20:35:54 UTC 2011
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/libapparmor_re/aare_rules.cc | 429 ++++++++++++++++++-----------------
parser/libapparmor_re/aare_rules.h | 25 +-
2 files changed, 239 insertions(+), 215 deletions(-)
diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index beeb259..0698ab5 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -35,33 +35,34 @@
#include "../immunix.h"
struct aare_ruleset {
- int reverse;
- Node *root;
+ int reverse;
+ Node *root;
};
extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
{
- aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
- if (!container)
- return NULL;
+ aare_ruleset_t *container =
+ (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
+ if (!container)
+ return NULL;
- container->root = NULL;
- container->reverse = reverse;
+ container->root = NULL;
+ container->reverse = reverse;
- return container;
+ return container;
}
extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
{
- if (rules) {
- if (rules->root)
- rules->root->release();
- free(rules);
- }
+ if (rules) {
+ if (rules->root)
+ rules->root->release();
+ free(rules);
+ }
}
extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
- uint32_t perms, uint32_t audit, dfaflags_t flags)
+ uint32_t perms, uint32_t audit, dfaflags_t flags)
{
return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
}
@@ -71,8 +72,8 @@ extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o */
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux *u::o */
extern "C" void aare_reset_matchflags(void)
{
@@ -85,60 +86,58 @@ extern "C" void aare_reset_matchflags(void)
} \
} \
}
- RESET_FLAGS(match_flags,MATCH_FLAGS_SIZE);
- RESET_FLAGS(deny_flags,MATCH_FLAGS_SIZE);
- RESET_FLAGS(exec_match_flags,EXEC_MATCH_FLAGS_SIZE);
- RESET_FLAGS(exact_match_flags,EXEC_MATCH_FLAGS_SIZE);
+ RESET_FLAGS(match_flags, MATCH_FLAGS_SIZE);
+ RESET_FLAGS(deny_flags, MATCH_FLAGS_SIZE);
+ RESET_FLAGS(exec_match_flags, EXEC_MATCH_FLAGS_SIZE);
+ RESET_FLAGS(exact_match_flags, EXEC_MATCH_FLAGS_SIZE);
#undef RESET_FLAGS
}
extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
uint32_t perms, uint32_t audit,
- int count, char **rulev,
- dfaflags_t flags)
+ int count, char **rulev, dfaflags_t flags)
{
- Node *tree = NULL, *accept;
- int exact_match;
+ Node *tree = NULL, *accept;
+ int exact_match;
- assert(perms != 0);
+ assert(perms != 0);
- if (regex_parse(&tree, rulev[0]))
- return 0;
- for (int i = 1; i < count; i++) {
- Node *subtree = NULL;
- Node *node = new CharNode(0);
- if (!node)
+ if (regex_parse(&tree, rulev[0]))
return 0;
- tree = new CatNode(tree, node);
- if (regex_parse(&subtree, rulev[i]))
- return 0;
- tree = new CatNode(tree, subtree);
- }
-
- /*
- * Check if we have an expression with or without wildcards. This
- * determines how exec modifiers are merged in accept_perms() based
- * on how we split permission bitmasks here.
- */
- exact_match = 1;
- for (depth_first_traversal i(tree); i; i++) {
- if (dynamic_cast<StarNode *>(*i) ||
- dynamic_cast<PlusNode *>(*i) ||
- dynamic_cast<AnyCharNode *>(*i) ||
- dynamic_cast<CharSetNode *>(*i) ||
- dynamic_cast<NotCharSetNode *>(*i))
- exact_match = 0;
- }
-
- if (rules->reverse)
- flip_tree(tree);
+ for (int i = 1; i < count; i++) {
+ Node *subtree = NULL;
+ Node *node = new CharNode(0);
+ if (!node)
+ return 0;
+ tree = new CatNode(tree, node);
+ if (regex_parse(&subtree, rulev[i]))
+ return 0;
+ tree = new CatNode(tree, subtree);
+ }
+
+ /*
+ * Check if we have an expression with or without wildcards. This
+ * determines how exec modifiers are merged in accept_perms() based
+ * on how we split permission bitmasks here.
+ */
+ exact_match = 1;
+ for (depth_first_traversal i(tree); i; i++) {
+ if (dynamic_cast <StarNode *>(*i) ||
+ dynamic_cast <PlusNode *>(*i) ||
+ dynamic_cast <AnyCharNode *>(*i) ||
+ dynamic_cast <CharSetNode *>(*i) ||
+ dynamic_cast <NotCharSetNode *>(*i))
+ exact_match = 0;
+ }
+ if (rules->reverse)
+ flip_tree(tree);
/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
-// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
+// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
//if (perms & ALL_EXEC_TYPE)
// fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
@@ -151,85 +150,107 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
/* the permissions set is assumed to be non-empty if any audit
* bits are specified */
- accept = NULL;
- for (unsigned int n = 0; perms && n < (sizeof(perms) * 8) ; n++) {
- uint32_t mask = 1 << n;
-
- if (perms & mask) {
- int ai = audit & mask ? 1 : 0;
- perms &= ~mask;
-
- Node *flag;
- if (mask & ALL_AA_EXEC_TYPE)
- /* these cases are covered by EXEC_BITS */
- continue;
- if (deny) {
- if (deny_flags[ai][n]) {
- flag = deny_flags[ai][n];
- } else {
+ accept = NULL;
+ for (unsigned int n = 0; perms && n < (sizeof(perms) * 8); n++) {
+ uint32_t mask = 1 << n;
+
+ if (perms & mask) {
+ int ai = audit & mask ? 1 : 0;
+ perms &= ~mask;
+
+ Node *flag;
+ if (mask & ALL_AA_EXEC_TYPE)
+ /* these cases are covered by EXEC_BITS */
+ continue;
+ if (deny) {
+ if (deny_flags[ai][n]) {
+ flag = deny_flags[ai][n];
+ } else {
//fprintf(stderr, "Adding deny ai %d mask 0x%x audit 0x%x\n", ai, mask, audit & mask);
- deny_flags[ai][n] = new DenyMatchFlag(mask, audit&mask);
- flag = deny_flags[ai][n];
- }
- } else if (mask & AA_EXEC_BITS) {
- uint32_t eperm = 0;
- uint32_t index = 0;
- if (mask & AA_USER_EXEC) {
- eperm = mask | (perms & AA_USER_EXEC_TYPE);
- index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
- } else {
- eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
- index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
- }
+ deny_flags[ai][n] =
+ new DenyMatchFlag(mask,
+ audit & mask);
+ flag = deny_flags[ai][n];
+ }
+ } else if (mask & AA_EXEC_BITS) {
+ uint32_t eperm = 0;
+ uint32_t index = 0;
+ if (mask & AA_USER_EXEC) {
+ eperm =
+ mask | (perms & AA_USER_EXEC_TYPE);
+ index =
+ EXTRACT_X_INDEX(eperm,
+ AA_USER_SHIFT);
+ } else {
+ eperm =
+ mask | (perms & AA_OTHER_EXEC_TYPE);
+ index =
+ EXTRACT_X_INDEX(eperm,
+ AA_OTHER_SHIFT) +
+ (AA_EXEC_COUNT << 2);
+ }
//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
- if (exact_match) {
- if (exact_match_flags[ai][index]) {
- flag = exact_match_flags[ai][index];
- } else {
- exact_match_flags[ai][index] = new ExactMatchFlag(eperm, audit&mask);
- flag = exact_match_flags[ai][index];
- }
- } else {
- if (exec_match_flags[ai][index]) {
- flag = exec_match_flags[ai][index];
- } else {
- exec_match_flags[ai][index] = new MatchFlag(eperm, audit&mask);
- flag = exec_match_flags[ai][index];
- }
- }
- } else {
- if (match_flags[ai][n]) {
- flag = match_flags[ai][n];
- } else {
- match_flags[ai][n] = new MatchFlag(mask, audit&mask);
- flag = match_flags[ai][n];
- }
- }
- if (accept)
- accept = new AltNode(accept, flag);
- else
- accept = flag;
+ if (exact_match) {
+ if (exact_match_flags[ai][index]) {
+ flag =
+ exact_match_flags[ai]
+ [index];
+ } else {
+ exact_match_flags[ai][index] =
+ new ExactMatchFlag(eperm,
+ audit &
+ mask);
+ flag =
+ exact_match_flags[ai]
+ [index];
+ }
+ } else {
+ if (exec_match_flags[ai][index]) {
+ flag =
+ exec_match_flags[ai][index];
+ } else {
+ exec_match_flags[ai][index] =
+ new MatchFlag(eperm,
+ audit & mask);
+ flag =
+ exec_match_flags[ai][index];
+ }
+ }
+ } else {
+ if (match_flags[ai][n]) {
+ flag = match_flags[ai][n];
+ } else {
+ match_flags[ai][n] =
+ new MatchFlag(mask, audit & mask);
+ flag = match_flags[ai][n];
+ }
+ }
+ if (accept)
+ accept = new AltNode(accept, flag);
+ else
+ accept = flag;
+ }
+ }
+
+ if (flags & DFA_DUMP_RULE_EXPR) {
+ cerr << "rule: ";
+ cerr << rulev[0];
+ for (int i = 1; i < count; i++) {
+ cerr << "\\x00";
+ cerr << rulev[i];
+ }
+ cerr << " -> ";
+ tree->dump(cerr);
+ cerr << "\n\n";
}
- }
-
- if (flags & DFA_DUMP_RULE_EXPR) {
- cerr << "rule: ";
- cerr << rulev[0];
- for (int i = 1; i < count; i++) {
- cerr << "\\x00";
- cerr << rulev[i];
- }
- cerr << " -> ";
- tree->dump(cerr);
- cerr << "\n\n";
- }
-
- if (rules->root)
- rules->root = new AltNode(rules->root, new CatNode(tree, accept));
- else
- rules->root = new CatNode(tree, accept);
-
- return 1;
+
+ if (rules->root)
+ rules->root =
+ new AltNode(rules->root, new CatNode(tree, accept));
+ else
+ rules->root = new CatNode(tree, accept);
+
+ return 1;
}
@@ -237,77 +258,79 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
* returns: buffer contain dfa tables, @size set to the size of the tables
* else NULL on failure
*/
-extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags)
+extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
+ dfaflags_t flags)
{
- char *buffer = NULL;
-
- label_nodes(rules->root);
- if (flags & DFA_DUMP_TREE) {
- cerr << "\nDFA: Expression Tree\n";
- rules->root->dump(cerr);
- cerr << "\n\n";
- }
-
- if (flags & DFA_CONTROL_TREE_SIMPLE) {
- rules->root = simplify_tree(rules->root, flags);
-
- if (flags & DFA_DUMP_SIMPLE_TREE) {
- cerr << "\nDFA: Simplified Expression Tree\n";
- rules->root->dump(cerr);
- cerr << "\n\n";
- }
- }
-
- stringstream stream;
- try {
- DFA dfa(rules->root, flags);
- if (flags & DFA_DUMP_UNIQ_PERMS)
- dfa.dump_uniq_perms("dfa");
-
- if (flags & DFA_CONTROL_MINIMIZE) {
- dfa.minimize(flags);
-
- if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
- dfa.dump_uniq_perms("minimized dfa");
- }
- if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
- dfa.remove_unreachable(flags);
-
- if (flags & DFA_DUMP_STATES)
- dfa.dump(cerr);
-
- if (flags & DFA_DUMP_GRAPH)
- dfa.dump_dot_graph(cerr);
-
- map<uchar, uchar> eq;
- if (flags & DFA_CONTROL_EQUIV) {
- eq = dfa.equivalence_classes(flags);
- dfa.apply_equivalence_classes(eq);
-
- if (flags & DFA_DUMP_EQUIV) {
- cerr << "\nDFA equivalence class\n";
- dump_equivalence_classes(cerr, eq);
- }
- } else if (flags & DFA_DUMP_EQUIV)
- cerr << "\nDFA did not generate an equivalence class\n";
-
- TransitionTable transition_table(dfa, eq, flags);
- if (flags & DFA_DUMP_TRANS_TABLE)
- transition_table.dump(cerr);
- transition_table.flex_table(stream, "");
- } catch (int error) {
- *size = 0;
- return NULL;
- }
-
- stringbuf *buf = stream.rdbuf();
-
- buf->pubseekpos(0);
- *size = buf->in_avail();
-
- buffer = (char *)malloc(*size);
- if (!buffer)
- return NULL;
- buf->sgetn(buffer, *size);
- return buffer;
+ char *buffer = NULL;
+
+ label_nodes(rules->root);
+ if (flags & DFA_DUMP_TREE) {
+ cerr << "\nDFA: Expression Tree\n";
+ rules->root->dump(cerr);
+ cerr << "\n\n";
+ }
+
+ if (flags & DFA_CONTROL_TREE_SIMPLE) {
+ rules->root = simplify_tree(rules->root, flags);
+
+ if (flags & DFA_DUMP_SIMPLE_TREE) {
+ cerr << "\nDFA: Simplified Expression Tree\n";
+ rules->root->dump(cerr);
+ cerr << "\n\n";
+ }
+ }
+
+ stringstream stream;
+ try {
+ DFA dfa(rules->root, flags);
+ if (flags & DFA_DUMP_UNIQ_PERMS)
+ dfa.dump_uniq_perms("dfa");
+
+ if (flags & DFA_CONTROL_MINIMIZE) {
+ dfa.minimize(flags);
+
+ if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
+ dfa.dump_uniq_perms("minimized dfa");
+ }
+ if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
+ dfa.remove_unreachable(flags);
+
+ if (flags & DFA_DUMP_STATES)
+ dfa.dump(cerr);
+
+ if (flags & DFA_DUMP_GRAPH)
+ dfa.dump_dot_graph(cerr);
+
+ map <uchar, uchar> eq;
+ if (flags & DFA_CONTROL_EQUIV) {
+ eq = dfa.equivalence_classes(flags);
+ dfa.apply_equivalence_classes(eq);
+
+ if (flags & DFA_DUMP_EQUIV) {
+ cerr << "\nDFA equivalence class\n";
+ dump_equivalence_classes(cerr, eq);
+ }
+ } else if (flags & DFA_DUMP_EQUIV)
+ cerr << "\nDFA did not generate an equivalence class\n";
+
+ TransitionTable transition_table(dfa, eq, flags);
+ if (flags & DFA_DUMP_TRANS_TABLE)
+ transition_table.dump(cerr);
+ transition_table.flex_table(stream, "");
+ }
+ catch(int error) {
+ *size = 0;
+ return NULL;
+ }
+
+ stringbuf *buf = stream.rdbuf();
+
+ buf->pubseekpos(0);
+ *size = buf->in_avail();
+
+ buffer = (char *)malloc(*size);
+ if (!buffer)
+ return NULL;
+ buf->sgetn(buffer, *size);
+ return buffer;
}
diff --git a/parser/libapparmor_re/aare_rules.h b/parser/libapparmor_re/aare_rules.h
index 027e21f..dabe152 100644
--- a/parser/libapparmor_re/aare_rules.h
+++ b/parser/libapparmor_re/aare_rules.h
@@ -29,21 +29,22 @@
extern "C" {
#endif
-struct aare_ruleset;
+ struct aare_ruleset;
-typedef struct aare_ruleset aare_ruleset_t;
+ typedef struct aare_ruleset aare_ruleset_t;
-aare_ruleset_t *aare_new_ruleset(int reverse);
-void aare_delete_ruleset(aare_ruleset_t *rules);
-int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
- uint32_t perms, uint32_t audit, dfaflags_t flags);
-int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
- uint32_t audit, int count, char **rulev, dfaflags_t flags);
-void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
-void aare_reset_matchflags(void);
+ aare_ruleset_t *aare_new_ruleset(int reverse);
+ void aare_delete_ruleset(aare_ruleset_t *rules);
+ int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+ uint32_t perms, uint32_t audit, dfaflags_t flags);
+ int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
+ uint32_t audit, int count, char **rulev,
+ dfaflags_t flags);
+ void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
+ dfaflags_t flags);
+ void aare_reset_matchflags(void);
#ifdef __cplusplus
}
#endif
-
-#endif /* __LIBAA_RE_RULES_H */
+#endif /* __LIBAA_RE_RULES_H */
--
1.7.1
More information about the AppArmor
mailing list