[apparmor] [patches] parser stress fixups and var support
john.johansen at canonical.com
Mon Mar 28 23:01:34 UTC 2011
On 03/28/2011 03:50 AM, Steve Beattie wrote:
> Attached are two patches.
> Currently the default settings for the parser's stress testing are
> too aggressive for the parser, in that it generates too many profiles
> that contain too many rules for the parser to complete on a reasonably
> sized system.
> The first patch, apparmor-parser-stress_fixes.patch, attempts to
> address that by dropping the maximum number of rules each profile
> can have, as well as reducing the number of profiles to generate
> by default to 50. It also cleans up the emitted profiles a little,
> creates the profile names with the suffix .sd , fixes stress.sh to
> actually honor the -p (alternate parser) argument, fixes the profile
> flags generation to not generate duplicates flags, and fixes the file
> rules to always start with a constant randomly-generated prefix element
> (rather than a regex or variable) to greatly reduce the possibility
> of X dominance collisions in the parser.
> The second patch, apparmor-parser-stress_add_vars.patch, extends the
> stress profile generator to add variable definition and references.
> In order for the parser to process the emitted output correctly, the
> prior parser patch that I sent to the list needs to be applied.
> Eventually, the goal is to get the stress generator to support as much
> of the profile language syntax as possible. (This is a nice small fun
> project for someone who wants to hack around in some non-critical code
> to take on while learning what the policy language can support; yes,
> it's in ruby, but conversion to python is not out of the question.)
>  which is admittedly a historical relic suffix, but used elsewhere,
> and some of us set the apparmor.vim syntax config to apply to
> files with that suffix.
It looks good to me, not that I am any good with ruby
Acked-by: John Johansen <john.johansen at canonical.com>
More information about the AppArmor