[apparmor] [PATCH 2/4] Move the permission mapp into the rule set

John Johansen john.johansen at canonical.com
Mon Jun 22 18:00:00 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/libapparmor_re/aare_rules.cc | 68 -------------------------------------
 parser/libapparmor_re/aare_rules.h  | 68 ++++++++++++++++++++++++++++++++++---
 parser/parser.h                     |  2 --
 parser/parser_main.c                |  1 -
 parser/parser_regex.c               |  7 ----
 5 files changed, 64 insertions(+), 82 deletions(-)

diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index 0c8aa82..0f265c7 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -35,69 +35,6 @@
 #include "../immunix.h"
 
 
-class UniquePerm {
-public:
-	bool deny;
-	bool exact_match;
-	uint32_t perms;
-	uint32_t audit;
-
-	bool operator<(UniquePerm const &rhs)const
-	{
-		if (deny == rhs.deny) {
-			if (exact_match == rhs.exact_match) {
-				if (perms == rhs.perms)
-					return audit < rhs.audit;
-				return perms < rhs.perms;
-			}
-			return exact_match;
-		}
-		return deny;
-	}
-};
-
-class UniquePermsCache {
-public:
-	typedef map<UniquePerm, Node*> UniquePermMap;
-	typedef UniquePermMap::iterator iterator;
-	UniquePermMap nodes;
-
-	UniquePermsCache(void) { };
-	~UniquePermsCache() { clear(); }
-
-	void clear()
-	{
-		for (iterator i = nodes.begin(); i != nodes.end(); i++) {
-			delete i->second;
-		}
-		nodes.clear(void);
-	}
-
-	Node *insert(bool deny, uint32_t perms, uint32_t audit,
-		     bool exact_match)
-	{
-		UniquePerm tmp = { deny, exact_match, perms, audit };
-		iterator res = nodes.find(tmp);
-		if (res == nodes.end()) {
-			Node *node;
-			if (deny)
-				node = new DenyMatchFlag(perms, audit);
-			else if (exact_match)
-				node = new ExactMatchFlag(perms, audit);
-			else
-				node = new MatchFlag(perms, audit);
-			pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));
-			if (val.second == false)
-				return val.first->second;
-			return node;
-		}
-		return res->second;
-	}
-};
-
-static UniquePermsCache unique_perms;
-
-
 aare_rules::~aare_rules(void)
 {
 	if (root)
@@ -112,11 +49,6 @@ bool aare_rules::add_rule(const char *rule, int deny, uint32_t perms,
 	return add_rule_vec(deny, perms, audit, 1, &rule, flags);
 }
 
-void aare_reset_matchflags(void)
-{
-	unique_perms.clear();
-}
-
 void aare_rules::add_to_rules(Node *tree, Node *perms)
 {
 	if (reverse)
diff --git a/parser/libapparmor_re/aare_rules.h b/parser/libapparmor_re/aare_rules.h
index ba32662..30ae27c 100644
--- a/parser/libapparmor_re/aare_rules.h
+++ b/parser/libapparmor_re/aare_rules.h
@@ -26,14 +26,76 @@
 #include "apparmor_re.h"
 #include "expr-tree.h"
 
+class UniquePerm {
+public:
+	bool deny;
+	bool exact_match;
+	uint32_t perms;
+	uint32_t audit;
+
+	bool operator<(UniquePerm const &rhs)const
+	{
+		if (deny == rhs.deny) {
+			if (exact_match == rhs.exact_match) {
+				if (perms == rhs.perms)
+					return audit < rhs.audit;
+				return perms < rhs.perms;
+			}
+			return exact_match;
+		}
+		return deny;
+	}
+};
+
+class UniquePermsCache {
+public:
+	typedef map<UniquePerm, Node*> UniquePermMap;
+	typedef UniquePermMap::iterator iterator;
+	UniquePermMap nodes;
+
+	UniquePermsCache(void) { };
+	~UniquePermsCache() { clear(); }
+
+	void clear()
+	{
+		for (iterator i = nodes.begin(); i != nodes.end(); i++) {
+			delete i->second;
+		}
+		nodes.clear();
+	}
+
+	Node *insert(bool deny, uint32_t perms, uint32_t audit,
+		     bool exact_match)
+	{
+		UniquePerm tmp = { deny, exact_match, perms, audit };
+		iterator res = nodes.find(tmp);
+		if (res == nodes.end()) {
+			Node *node;
+			if (deny)
+				node = new DenyMatchFlag(perms, audit);
+			else if (exact_match)
+				node = new ExactMatchFlag(perms, audit);
+			else
+				node = new MatchFlag(perms, audit);
+			pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));
+			if (val.second == false)
+				return val.first->second;
+			return node;
+		}
+		return res->second;
+	}
+};
+
 class aare_rules {
 	Node *root;
 	void add_to_rules(Node *tree, Node *perms);
+	UniquePermsCache unique_perms;
+	
 public:
 	int reverse;
 	int rule_count;
-	aare_rules(): root(NULL), reverse(0), rule_count(0) { };
-	aare_rules(int reverse): root(NULL), reverse(reverse), rule_count(0) { };
+	aare_rules(): root(NULL), unique_perms(), reverse(0), rule_count(0) { };
+	aare_rules(int reverse): root(NULL), unique_perms(), reverse(reverse), rule_count(0) { };
 	~aare_rules();
 
 	bool add_rule(const char *rule, int deny, uint32_t perms,
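Review bot: `UniquePermsCache` owns the `Node*` values it deletes in `clear()` yet leaves copy construction and copy assignment implicit, so copying a cache — and, now that it is a member at line 173, copying an `aare_rules` — double-deletes every cached node. Declare them unavailable next to the destructor, e.g. `private: UniquePermsCache(const UniquePermsCache &); UniquePermsCache &operator=(const UniquePermsCache &);` (or `= delete` if the build is C++11). The `val.second == false` branch in `insert()` cannot be taken after the `find()` miss and would leak `node` if it ever were; `return nodes.insert(make_pair(tmp, node)).first->second;` handles both cases. The header also uses `map`, `pair` and `make_pair` unqualified, so it now depends on a `using namespace std` arriving through an earlier include — qualifying them with `std::` keeps the header self-contained. Line 174 is whitespace-only and should be dropped.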
@@ -43,6 +105,4 @@ public:
 	void *create_dfa(size_t *size, dfaflags_t flags);
 };
 
-void aare_reset_matchflags(void);
-
 #endif				/* __LIBAA_RE_RULES_H */
diff --git a/parser/parser.h b/parser/parser.h
index 2fafb91..dfd195d 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -361,8 +361,6 @@ extern int clear_and_convert_entry(std::string& buffer, char *entry);
 extern int process_regex(Profile *prof);
 extern int post_process_entry(struct cod_entry *entry);
 
-extern void reset_regex(void);
-
 extern int process_policydb(Profile *prof);
 
 extern int process_policy_ents(Profile *prof);
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 738acfc..616c1ce 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -651,7 +651,6 @@ void reset_parser(const char *filename)
 	free_aliases();
 	free_symtabs();
 	free_policies();
-	reset_regex();
 	reset_include_stack(filename);
 }
 
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 6a0f4d5..a138b43 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -779,8 +779,6 @@ int process_profile_policydb(Profile *prof)
 		prof->policy.rules = NULL;
 	}
 
-	aare_reset_matchflags();
-
 	error = 0;
 
 out:
@@ -790,11 +788,6 @@ out:
 	return error;
 }
 
-void reset_regex(void)
-{
-	aare_reset_matchflags();
-}
-
 #ifdef UNIT_TEST
 
 #include "unit_test.h"
-- 
2.1.4



