The removal of deny information is a one-way operation that can result in a smaller dfa, but it also results in a dfa that should not be used in future operations, because the deny rules from the precomputed dfa would not get applied.
For now default filtering out of deny information to off, as it takes extra time and seldom results in further state reduction.

Signed-off-by: John Johansen <[email protected]>
---
 parser/libapparmor_re/aare_rules.cc | 4 +++-
 parser/libapparmor_re/apparmor_re.h | 1 +
 parser/parser_main.c | 2 ++
 3 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index 36ebb53..d03b4b6 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -271,7 +271,9 @@ extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
 dfa.dump_uniq_perms("minimized dfa");
 }
 
- if (dfa.apply_and_clear_deny() && flags & DFA_CONTROL_MINIMIZE) {
+ if (flags & DFA_CONTROL_FILTER_DENY &&
+ flags & DFA_CONTROL_MINIMIZE &&
+ dfa.apply_and_clear_deny()) {
 /* Do a second minimization pass as removal of deny
 * information has moved some states from accepting
 * to none accepting partitions
diff --git a/parser/libapparmor_re/apparmor_re.h b/parser/libapparmor_re/apparmor_re.h
index a2fe25e..d7b94be 100644
--- a/parser/libapparmor_re/apparmor_re.h
+++ b/parser/libapparmor_re/apparmor_re.h
@@ -26,6 +26,7 @@ typedef enum dfaflags {
 DFA_CONTROL_TREE_LEFT = 1 << 3,
 DFA_CONTROL_MINIMIZE = 1 << 4,
 DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
+ DFA_CONTROL_FILTER_DENY = 1 << 6,
 DFA_CONTROL_REMOVE_UNREACHABLE = 1 << 7,
 DFA_CONTROL_TRANS_HIGH = 1 << 8,
 
diff --git a/parser/parser_main.c b/parser/parser_main.c
index e9fbda5..04c4ee5 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
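Review bot: With the reordered condition, `dfa.apply_and_clear_deny()` now runs only when both DFA_CONTROL_FILTER_DENY and DFA_CONTROL_MINIMIZE are set, so enabling filter-deny without minimization silently leaves the deny information in the dfa, while the help string added in parser_main.c promises to "filter out deny information from final dfa". Before this change the filtering ran unconditionally and only the second minimization pass was gated on MINIMIZE; if that split is still intended, `if (flags & DFA_CONTROL_FILTER_DENY && dfa.apply_and_clear_deny() && flags & DFA_CONTROL_MINIMIZE) {` keeps the re-minimization tied to MINIMIZE alone, otherwise the dependency on minimize belongs in the parser_main.c help text. Because this is the step that drops deny rules from the compiled dfa, a comment here that the result must not be reused as input to later dfa operations (as the commit message states) would keep that constraint next to the code. Parentheses around each `flags & ...` term would also make the `&`/`&&` precedence explicit rather than relied upon. The body of aare_create_dfa continues outside the hunk.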
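Review bot: DFA_CONTROL_FILTER_DENY is added with no comment, and the one property a caller needs to know — that, per the commit message, a dfa produced with deny information removed must not be used in further operations because the stripped deny rules would no longer be applied — is recorded nowhere in the code. A one-line comment on the new enumerator, such as `/* strip deny info from the final dfa; the result must not be reused as input to later dfa operations */`, would carry that constraint to whoever sets the flag. The enum continues outside the hunk.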
@@ -227,6 +227,8 @@ optflag_table_t optflag_table[] = {
 { 1, "minimize", "dfa state minimization", DFA_CONTROL_MINIMIZE },
 { 1, "hash-trans", "minimization - hash transitions during setup",
 DFA_CONTROL_MINIMIZE_HASH_TRANS },
+ { 1, "filter-deny", "filter out deny information from final dfa",
+ DFA_CONTROL_FILTER_DENY },
 { 1, "remove-unreachable", "dfa unreachable state removal",
 DFA_CONTROL_REMOVE_UNREACHABLE },
 { 0, "compress-small",
-- 
1.7.9

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
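Review bot: The new entry copies the leading `1` of its neighbours, but the meaning of that first column is not visible in the hunk; if it marks an option that is enabled by default, it contradicts the commit message's statement that deny filtering defaults to off, so the value should be checked against whatever reads that field. The help text also does not tell the user that the resulting dfa is unsafe to reuse, which the commit message calls out; `"filter out deny information from final dfa (result cannot be reused)"` would surface that where the option is chosen. optflag_table continues on both sides of the hunk.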
