[apparmor] [PATCH 05/11] Fix dfa minimization to deal with exec conflicts
John Johansen
john.johansen at canonical.com
Thu Mar 8 18:57:51 UTC 2012
On 03/08/2012 10:01 AM, Steve Beattie wrote:
> On Wed, Mar 07, 2012 at 06:17:24AM -0800, John Johansen wrote:
>> Minimization was failing because it was too agressive. It was minimizing
>> as if there was only 1 accept condition. This allowed it to remove more
>> states but at the cost of loosing unique permission sets, they where
>> being combined into single commulative perms. This means that audit,
>> deny, xtrans, ... info on one path would be applied to all other paths
>> that it was combined with during minimization.
>>
>> This means that we need to retain the unique accept states, not allowing
>> them to be combined into a single state. To do this we put each unique
>> permission set into its own partition at the start of minimization.
>>
>> The states within a partition have the same permissions and can be combined
>> within the other states in the partition as the loss of unique path
>> information is will not result in a conflict.
>>
>> This is similar to what perm hashing used to do but deny information is
>> still being correctly applied and carried.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> Acked-By: Steve Beattie <sbeattie at ubuntu.com>
>
> (I'll try to think about how we can improve the infrastructure for
> the added testcases.)
>
Well these test cases could be better by looking at the actual permissions
And we will get to the point where we have unit testing on the DFA library,
where we can do things like cross validation of HFA and cHFA for matches
etc.
More information about the AppArmor
mailing list