[apparmor] [PATCH 1/4] switch away from doing an individual accept node for each perm bit

Steve Beattie steve at nxnw.org
Wed Jun 24 06:44:58 UTC 2015


On Mon, Jun 22, 2015 at 10:59:59AM -0700, John Johansen wrote:
> accept nodes per perm bit were done from the very beginning in a
> false belief that they would help produce minimized dfas because
> nfa states could share partial overlapping permissions.
> 
> In reality they make tree factoring harder, reduce in longer nfa
> state sets during dfa construction and do not result in a minimized
> dfa.
> 
> Moving to unique permission sets allows us to minimize the number
> of node sets, and helps reduce recreating each set type multiple
> times during the dfa construction.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/libapparmor_re/aare_rules.cc | 167 ++++++++++++++----------------------
>  1 file changed, 65 insertions(+), 102 deletions(-)
> 
> diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
> index d13c719..0c8aa82 100644
> --- a/parser/libapparmor_re/aare_rules.cc
> +++ b/parser/libapparmor_re/aare_rules.cc
> @@ -35,13 +35,75 @@
>  #include "../immunix.h"
>  
>  
> +class UniquePerm {
> +public:
> +	bool deny;
> +	bool exact_match;
> +	uint32_t perms;
> +	uint32_t audit;
> +
> +	bool operator<(UniquePerm const &rhs)const
> +	{
> +		if (deny == rhs.deny) {
> +			if (exact_match == rhs.exact_match) {
> +				if (perms == rhs.perms)
> +					return audit < rhs.audit;
> +				return perms < rhs.perms;
> +			}
> +			return exact_match;
> +		}
> +		return deny;
> +	}
> +};
> +
> +class UniquePermsCache {
> +public:
> +	typedef map<UniquePerm, Node*> UniquePermMap;
> +	typedef UniquePermMap::iterator iterator;
> +	UniquePermMap nodes;
> +
> +	UniquePermsCache(void) { };
> +	~UniquePermsCache() { clear(); }
> +
> +	void clear()
> +	{
> +		for (iterator i = nodes.begin(); i != nodes.end(); i++) {
> +			delete i->second;
> +		}
> +		nodes.clear(void);
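Review bot: `nodes.clear(void)` in UniquePermsCache::clear() is not valid C++ (std::map::clear() takes no arguments) and will stop the file from compiling; it should read `nodes.clear();`. Two smaller points in the same hunk: in UniquePerm::operator<, the fall-through returns `return exact_match;` and `return deny;` order true before false, which is still a strict weak ordering and therefore a usable std::map key, but it is the reverse of the natural bool order, so a one-line comment stating the intended order would help the next reader; and the constructor `UniquePermsCache(void) { };` carries a stray trailing semicolon.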

This line prevents compilation from succeeding; it should just be
"nodes.clear();". However, when this class is moved in a later patch,
it's fixed up correctly.

Otherwise, looks good to me. Acked-by: Steve Beattie <steve at nxnw.org>.
Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/