diff options
author | John Johansen <john.johansen@canonical.com> | 2017-08-08 12:10:50 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 11:30:01 -0800 |
commit | 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 (patch) | |
tree | 5631c0d1cd8a4be2b6baf3a6bf786a403655c43f | |
parent | 074c1cd798cb0b481d7eaa749b64aa416563c053 (diff) |
apparmor: dfa add support for state differential encoding
State differential encoding can provide better compression for
apparmor policy, without having significant impact on match time.
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r-- | security/apparmor/include/match.h | 4 | ||||
-rw-r--r-- | security/apparmor/match.c | 26 |
2 files changed, 29 insertions, 1 deletions
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h index cd8aeab6ac57..e0de00bd16a8 100644 --- a/security/apparmor/include/match.h +++ b/security/apparmor/include/match.h @@ -40,6 +40,7 @@ */ #define YYTH_MAGIC 0x1B5E783D +#define YYTH_FLAG_DIFF_ENCODE 1 struct table_set_header { u32 th_magic; /* YYTH_MAGIC */ @@ -164,4 +165,7 @@ static inline void aa_put_dfa(struct aa_dfa *dfa) kref_put(&dfa->count, aa_dfa_free_kref); } +#define MATCH_FLAG_DIFF_ENCODE 0x80000000 +#define MARK_DIFF_ENCODE 0x40000000 + #endif /* __AA_MATCH_H */ diff --git a/security/apparmor/match.c b/security/apparmor/match.c index aeac68c58689..70cdcb3c3b25 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -185,7 +185,8 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) if (flags & DFA_FLAG_VERIFY_STATES) { for (i = 0; i < state_count; i++) { - if (DEFAULT_TABLE(dfa)[i] >= state_count) + if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && + (DEFAULT_TABLE(dfa)[i] >= state_count)) goto out; if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) { printk(KERN_ERR "AppArmor DFA next/check upper " @@ -202,6 +203,24 @@ static int verify_dfa(struct aa_dfa *dfa, int flags) } } + /* Now that all the other tables are verified, verify diffencoding */ + if (flags & DFA_FLAG_VERIFY_STATES) { + size_t j, k; + + for (i = 0; i < state_count; i++) { + for (j = i; + (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) && + !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE); + j = k) { + k = DEFAULT_TABLE(dfa)[j]; + if (j == k) + goto out; + if (k < j) + break; /* already verified */ + BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE; + } + } + } error = 0; out: return error; @@ -274,6 +293,9 @@ struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags) goto fail; dfa->flags = ntohs(*(__be16 *) (data + 12)); + if (dfa->flags != 0 && dfa->flags != YYTH_FLAG_DIFF_ENCODE) + goto fail; + data += hsize; size -= hsize; @@ -335,6 +357,8 @@ do { \ unsigned int pos = base_idx(b) + (C); \ if ((check)[pos] != (state)) { \ (state) = (def)[(state)]; \ + if (b & MATCH_FLAG_DIFF_ENCODE) \ + continue; \ break; \ } \ (state) = (next)[pos]; \ |