[apparmor] [patch] Improve validate_profile_mode() and drop PROFILE_MODE_NT_RE

Steve Beattie steve at nxnw.org
Mon Jul 6 08:03:12 UTC 2015

On Sun, Jul 05, 2015 at 03:53:20PM +0200, Christian Boltz wrote:
> the only difference between PROFILE_MODE_RE and PROFILE_MODE_NT_RE 
> was that the latter one additionally allowed 'x', which looks wrong.
> (Standalone 'x' is ok for deny rules, but those are handled by
> This patch completely drops PROFILE_MODE_NT_RE and the related code in
> validate_profile_mode().
> Also wrap the two remaining regexes in '^(...)+$' instead of doing it
> inside validate_profile_mode(). This makes the code more readable and
> also results in a 2% performance improvement when parsing profiles.

I'm surprised that it was noticeable. Python supposedly caches re match
patterns, so that repeatedly compiling over and over isn't supposed to
take a significant amount of time. Though repeatedly constructing new
strings over and over will take time.

> I propose this patch for trunk and 2.9, even if it's not as important
> for 2.9 as the previous patch.
> [ 64-improve-validate-profile-mode.diff ]

Acked-by: Steve Beattie <steve at nxnw.org> for trunk and 2.9.

Steve Beattie
<sbeattie at ubuntu.com>
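
An added example, not code from this thread or from AppArmor: a sketch of the two shapes discussed above, wrapping the alternation in '^(...)+$' on every call versus compiling the wrapped pattern once, with an unanchored variant for contrast to show what the wrapping enforces. The mode alternation, function names and sample inputs are assumptions constructed for illustration.

```python
import re
import timeit

# Constructed subset of permission modes for illustration; the real alternation
# is in AppArmor's Python utils and is not shown in this thread (assumption).
MODE_ALTERNATION = 'r|w|l|m|k|a|ix|ux|px|cx'

# Post-patch shape: anchors and repetition are part of the pattern, compiled once.
PROFILE_MODE_RE = re.compile('^(' + MODE_ALTERNATION + ')+$')


def validate_precompiled(mode):
    """Return True when the whole string is a sequence of known modes."""
    return bool(PROFILE_MODE_RE.search(mode))


def validate_wrapped_per_call(mode):
    """Sketch of the pre-patch shape: wrap the bare alternation on every call."""
    # The string concatenation and the re cache lookup are repeated per call.
    return bool(re.search('^(' + MODE_ALTERNATION + ')+$', mode))


def validate_unanchored(mode):
    """Contrast only: without ^...$ a single matching substring is enough."""
    return bool(re.search('(' + MODE_ALTERNATION + ')+', mode))


def compare(samples):
    """Map each sample to (precompiled, per_call, unanchored) results."""
    return {s: (validate_precompiled(s), validate_wrapped_per_call(s),
                validate_unanchored(s)) for s in samples}


def timings(number=20000):
    """Rough cost of each anchored variant; numbers depend on the machine."""
    return {f.__name__: timeit.timeit(lambda: f('rwix'), number=number)
            for f in (validate_precompiled, validate_wrapped_per_call)}


if __name__ == '__main__':
    # Constructed inputs: valid, valid, standalone 'x', trailing junk, empty.
    for sample, result in compare(['rw', 'rwix', 'x', 'rwz', '']).items():
        print(repr(sample), result)
    print(timings())
```

Both anchored variants always agree; only the unanchored one accepts 'rwz', and none of them accepts a standalone 'x'.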