[apparmor] [PATCH 2/3] Track full permission set through all stages of DFA construction.
Kees Cook
kees at ubuntu.com
Tue Feb 14 19:42:24 UTC 2012
On Tue, Feb 14, 2012 at 09:57:27AM -0800, John Johansen wrote:
> Previously permission information was thrown away early and permissions
> where packed to their CHFA form at the start of DFA construction. Because
> of this permissions hashing to setup the initial DFA partitions was
> required as x transition conflicts, etc. could not be resolved.
>
> Move the mapping of permissions to CHFA construction, and track the full
> permission set through DFA construction. This allows removal of the
> perm_hashing hack, which prevented a full minimization from happening
> in some DFAs. It also could result in x conflicts not being correctly
> detected, and deny rules not being fully applied in some situations.
Does this mean the big "x" collision test is useless now?
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Kees Cook <kees at ubuntu.com>
> @@ -462,6 +465,7 @@ void DFA::minimize(dfaflags_t flags)
> << partitions.size() << "\tinit " << partitions.size()
> << " (accept " << accept_count << ")\r";
> }
> +
> /* perm_map is no longer needed so free the memory it is using.
> * Don't remove - doing it manually here helps reduce peak memory usage.
> */
The prior patch drops this whitespace. Probably best to decide one way or
the other. :)
--
Kees Cook
More information about the AppArmor
mailing list