On Tue, Feb 14, 2012 at 09:57:27AM -0800, John Johansen wrote:
> Previously permission information was thrown away early and permissions
> were packed to their CHFA form at the start of DFA construction. Because
> of this permissions hashing to set up the initial DFA partitions was
> required as x transition conflicts, etc. could not be resolved.
>
> Move the mapping of permissions to CHFA construction, and track the full
> permission set through DFA construction. This allows removal of the
> perm_hashing hack, which prevented a full minimization from happening
> in some DFAs. It also could result in x conflicts not being correctly
> detected, and deny rules not being fully applied in some situations.

Does this mean the big "x" collision test is useless now?

> Signed-off-by: John Johansen <[email protected]>

Acked-by: Kees Cook <[email protected]>

> @@ -462,6 +465,7 @@ void DFA::minimize(dfaflags_t flags) > << partitions.size() << "\tinit " << > partitions.size() > << " (accept " << accept_count << ")\r"; > } > + > /* perm_map is no longer needed so free the memory it is using. > * Don't remove - doing it manually here helps reduce peak memory usage. > */

The prior patch drops this whitespace. Probably best to decide one way or the other. :)

--
Kees Cook
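
Review bot: The only change in this hunk is the blank line added at the `+` line, just before the "perm_map is no longer needed" comment in DFA::minimize(), and it is whitespace churn unrelated to moving the permission mapping. Drop it from this patch, or keep the blank line in the earlier patch so the series does not remove and re-add it. The context comment also still refers to perm_map; if that map goes away together with the perm_hashing hack named in the commit message, the comment and the manual free it documents should be updated in the same patch.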
