List: apparmor-dev
Subject: Re: [apparmor] [PATCH 1/4] switch away from doing an individual accept node for each perm bit
From: Steve Beattie <steve () nxnw ! org>
Date: 2015-06-24 6:44:58
Message-ID: 20150624064458.GL16138 () nxnw ! org
On Mon, Jun 22, 2015 at 10:59:59AM -0700, John Johansen wrote:
> accept nodes per perm bit were done from the very beginning in a
> false belief that they would help produce minimized dfas because
> nfa states could share partial overlapping permissions.
>
> In reality they make tree factoring harder, result in longer nfa
> state sets during dfa construction and do not result in a minimized
> dfa.
>
> Moving to unique permission sets allows us to minimize the number
> of node sets, and helps reduce recreating each set type multiple
> times during the dfa construction.
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
> parser/libapparmor_re/aare_rules.cc | 167 ++++++++++++++----------------------
> 1 file changed, 65 insertions(+), 102 deletions(-)
>
> diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
> index d13c719..0c8aa82 100644
> --- a/parser/libapparmor_re/aare_rules.cc
> +++ b/parser/libapparmor_re/aare_rules.cc
> @@ -35,13 +35,75 @@
> #include "../immunix.h"
>
>
> +class UniquePerm {
> +public:
> + bool deny;
> + bool exact_match;
> + uint32_t perms;
> + uint32_t audit;
> +
> + bool operator<(UniquePerm const &rhs)const
> + {
> + if (deny == rhs.deny) {
> + if (exact_match == rhs.exact_match) {
> + if (perms == rhs.perms)
> + return audit < rhs.audit;
> + return perms < rhs.perms;
> + }
> + return exact_match;
> + }
> + return deny;
> + }
> +};
> +
> +class UniquePermsCache {
> +public:
> + typedef map<UniquePerm, Node*> UniquePermMap;
> + typedef UniquePermMap::iterator iterator;
> + UniquePermMap nodes;
> +
> + UniquePermsCache(void) { };
> + ~UniquePermsCache() { clear(); }
> +
> + void clear()
> + {
> + for (iterator i = nodes.begin(); i != nodes.end(); i++) {
> + delete i->second;
> + }
> + nodes.clear(void);
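Review bot: `nodes.clear(void);` in UniquePermsCache::clear() does not compile, because `void` is not a valid argument expression in a call; it should read `nodes.clear();`. While here, the stray `;` after the `UniquePermsCache(void) { };` constructor body should go, and since the cache owns the `Node*` values it deletes in clear(), the class should either declare a private copy constructor and assignment operator or document that it must not be copied, otherwise a copy would double-delete the nodes.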
This line prevents compilation from succeeding; it should just be
"nodes.clear();". However, when this class is moved in a later patch,
it's fixed up correctly.
Otherwise, looks good to me. Acked-by: Steve Beattie <steve@nxnw.org>.
Thanks.
--
Steve Beattie
<sbeattie@ubuntu.com>
http://NxNW.org/~steve/
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
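As an added example (not code from the patch or from the AppArmor project), the following stand-alone C++ check exercises the two things the thread is about: that the UniquePerm operator< copied from the patch is a strict weak ordering (which std::map requires but never verifies), and that keying accept nodes on the (deny, exact_match, perms, audit) tuple makes rules with equal permission sets share one node. The Node stand-in, the insert() helper, sample_keys() and the rule set are assumptions constructed here for the check.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <utility>
#include <vector>

// Copy of the UniquePerm key from the patch (fields and operator< as posted).
struct UniquePerm {
    bool deny;
    bool exact_match;
    uint32_t perms;
    uint32_t audit;

    bool operator<(UniquePerm const &rhs) const
    {
        if (deny == rhs.deny) {
            if (exact_match == rhs.exact_match) {
                if (perms == rhs.perms)
                    return audit < rhs.audit;
                return perms < rhs.perms;
            }
            return exact_match;
        }
        return deny;
    }
};

// Hypothetical stand-in for the parser's accept Node; only identity matters here.
struct Node { UniquePerm key; };

// Cache following the patch's idea: one Node per distinct permission tuple.
// unique_ptr replaces the raw Node* of the patch so copying cannot double-free.
class UniquePermsCache {
public:
    std::map<UniquePerm, std::unique_ptr<Node>> nodes;

    // Returns the shared node for this tuple, creating it on first use.
    Node *insert(bool deny, bool exact, uint32_t perms, uint32_t audit)
    {
        UniquePerm key = {deny, exact, perms, audit};
        auto it = nodes.find(key);
        if (it != nodes.end())
            return it->second.get();
        std::unique_ptr<Node> n(new Node{key});
        Node *raw = n.get();
        nodes[key] = std::move(n);
        return raw;
    }
};

// Constructed sample of keys covering both bool flags and edge perm/audit values.
std::vector<UniquePerm> sample_keys()
{
    std::vector<UniquePerm> v;
    const uint32_t vals[] = {0, 1, 0x5, 0xffffffffu};
    for (int d = 0; d < 2; d++)
        for (int e = 0; e < 2; e++)
            for (uint32_t p : vals)
                for (uint32_t a : vals)
                    v.push_back({d == 1, e == 1, p, a});
    return v;
}

// Strict weak ordering check: irreflexive, asymmetric, transitive over the sample.
// A comparator that violates this silently corrupts std::map lookups.
bool is_strict_weak_ordering(const std::vector<UniquePerm> &s)
{
    for (const auto &a : s) {
        if (a < a) return false;
        for (const auto &b : s) {
            if ((a < b) && (b < a)) return false;
            for (const auto &c : s)
                if ((a < b) && (b < c) && !(a < c)) return false;
        }
    }
    return true;
}

// Two rules with an identical tuple must map to the same accept node.
bool same_node_for_equal_tuples()
{
    UniquePermsCache cache;
    Node *a = cache.insert(false, false, 0x5, 0);
    Node *b = cache.insert(false, false, 0x5, 0);
    Node *c = cache.insert(false, false, 0x5, 0x5); // differs only in audit
    return a == b && a != c;
}

// Constructed rule set: six rules, five distinct tuples (two are exact duplicates).
size_t nodes_for_sample_rules()
{
    UniquePermsCache cache;
    struct R { bool deny, exact; uint32_t perms, audit; };
    const R rules[] = {
        {false, false, 0x5, 0}, {false, false, 0x5, 0}, {false, false, 0x5, 0x5},
        {true, false, 0x5, 0},  {false, true, 0x5, 0},  {false, false, 0x3, 0},
    };
    for (const R &r : rules)
        cache.insert(r.deny, r.exact, r.perms, r.audit);
    return cache.nodes.size();
}

int main()
{
    std::printf("strict weak ordering: %s\n", is_strict_weak_ordering(sample_keys()) ? "yes" : "no");
    std::printf("distinct nodes for sample rules: %zu\n", nodes_for_sample_rules());
    return 0;
}
```

The cubic property check over 64 keys is cheap and is the kind of test worth running whenever a comparator returns a bool field directly (`return exact_match;`, `return deny;`): that form is a valid ordering, just with `true` sorting before `false`, and the check confirms it.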