[apparmor] [PATCH 3/3] Make second minimization pass optional

John Johansen john.johansen at canonical.com
Tue Feb 14 17:57:28 UTC 2012


The removal of deny information is a one-way operation that can result
in a smaller dfa, but also results in a dfa that should not be used in
future operations because the deny rules from the precomputed dfa would
not get applied.

For now, default filtering out of deny information to off, as it takes
extra time and seldom results in further state reduction.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/libapparmor_re/aare_rules.cc |    4 +++-
 parser/libapparmor_re/apparmor_re.h |    1 +
 parser/parser_main.c                |    2 ++
 3 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index 36ebb53..d03b4b6 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -271,7 +271,9 @@ extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
 				dfa.dump_uniq_perms("minimized dfa");
 		}
 
-		if (dfa.apply_and_clear_deny() && flags & DFA_CONTROL_MINIMIZE) {
+		if (flags & DFA_CONTROL_FILTER_DENY &&
+		    flags & DFA_CONTROL_MINIMIZE &&
+		    dfa.apply_and_clear_deny()) {
 			/* Do a second minimization pass as removal of deny
 			 * information has moved some states from accepting
 			 * to none accepting partitions
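Review bot: moving `dfa.apply_and_clear_deny()` to the end of the condition means it now runs only when both DFA_CONTROL_FILTER_DENY and DFA_CONTROL_MINIMIZE are set, so a build that passes filter-deny without minimize silently keeps the deny information even though the new option text says it is filtered out of the final dfa. If that coupling is intended, say so where the option is documented; if not, split the test so the filter is applied on its own and only the second minimization pass is gated on DFA_CONTROL_MINIMIZE, e.g. `if (flags & DFA_CONTROL_FILTER_DENY && dfa.apply_and_clear_deny())` followed by an inner `if (flags & DFA_CONTROL_MINIMIZE)`. Putting the flag tests before the call is the right order either way, since the commit message notes deny removal is one-way and must not run when filtering is off. Parenthesizing the `flags & ...` subexpressions would also make the reliance on `&` binding tighter than `&&` explicit.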
diff --git a/parser/libapparmor_re/apparmor_re.h b/parser/libapparmor_re/apparmor_re.h
index a2fe25e..d7b94be 100644
--- a/parser/libapparmor_re/apparmor_re.h
+++ b/parser/libapparmor_re/apparmor_re.h
@@ -26,6 +26,7 @@ typedef enum dfaflags {
   DFA_CONTROL_TREE_LEFT =	1 << 3,
   DFA_CONTROL_MINIMIZE =	1 << 4,
   DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
+  DFA_CONTROL_FILTER_DENY =	1 << 6,
   DFA_CONTROL_REMOVE_UNREACHABLE =	1 << 7,
   DFA_CONTROL_TRANS_HIGH =	1 << 8,
 
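Review bot: the new flag takes the previously unused bit 6 between DFA_CONTROL_MINIMIZE_HASH_TRANS and DFA_CONTROL_REMOVE_UNREACHABLE, which is fine, but the enum carries no comments, so nothing here records that the flag only has an effect together with DFA_CONTROL_MINIMIZE or that the dfa it produces must not be reused (both stated in the commit message). A one-line comment on DFA_CONTROL_FILTER_DENY would save the next reader a trip to aare_rules.cc.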
diff --git a/parser/parser_main.c b/parser/parser_main.c
index e9fbda5..04c4ee5 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -227,6 +227,8 @@ optflag_table_t optflag_table[] = {
 	{ 1, "minimize", "dfa state minimization", DFA_CONTROL_MINIMIZE },
 	{ 1, "hash-trans", "minimization - hash transitions during setup",
 	  DFA_CONTROL_MINIMIZE_HASH_TRANS },
+	{ 1, "filter-deny", "filter out deny information from final dfa",
+	  DFA_CONTROL_FILTER_DENY },
 	{ 1, "remove-unreachable", "dfa unreachable state removal",
 	  DFA_CONTROL_REMOVE_UNREACHABLE },
 	{ 0, "compress-small",
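Review bot: the help text "filter out deny information from final dfa" does not mention that the option is ignored unless minimize is also enabled, which is the condition the aare_rules.cc change actually imposes; a user who sets only filter-deny will get no filtering and no indication why. Consider wording it along the lines of "filter out deny information from final dfa (requires minimize)" so the table matches the behaviour.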
-- 
1.7.9