#
98b824ff |
|
28-Apr-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: refcount the pdb With the move to permission tables the dfa is no longer a stand alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table. Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
33fc95d8 |
|
17-Jan-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: preparse for state being more than just an integer Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
0df34a64 |
|
30-Jul-2019 |
John Johansen <john.johansen@canonical.com> |
apparmor: add outofband transition and use it in xattr match There are cases where the a special out of band transition that can not be triggered by input is useful in separating match conditions in the dfa encoding. The null_transition is currently used as an out of band transition for match conditions that can not contain a \0 in their input but apparmor needs an out of band transition for cases where the match condition is allowed to contain any input character. Achieve this by allowing for an explicit transition out of input range that can only be triggered by code. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
c6596969 |
|
31-Aug-2019 |
John Johansen <john.johansen@canonical.com> |
apparmor: add a valid state flags check Add a check to ensure only known state flags are set on each state in the dfa. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
136db994 |
|
31-May-2019 |
John Johansen <john.johansen@canonical.com> |
apparmor: increase left match history buffer size There have been cases reported where a history buffer size of 8 was not enough to resolve conflict overlaps. Increase the buffer to and get rid of the size element which is currently just storing the constant WB_HISTORY_SIZE. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b886d83c |
|
01-Jun-2019 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
21f60661 |
|
18-Nov-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: improve overlapping domain attachment resolution Overlapping domain attachments using the current longest left exact match fail in some simple cases, and with the fix to ensure consistent behavior by failing unresolvable attachments it becomes important to do a better job. eg. under the current match the following are unresolvable where the alternation is clearly a better match under the most specific left match rule. /** /{bin/,}usr/ Use a counting match that detects when a loop in the state machine is enter, and return the match count to provide a better specific left match resolution. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
031dcc8f |
|
08-Aug-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: dfa add support for state differential encoding State differential encoding can provide better compression for apparmor policy, without having significant impact on match time. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
6e0654d2 |
|
06-Sep-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: use the dfa to do label parse string splitting The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
cf65fabc |
|
06-Sep-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add first substr match to dfa Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
e6e8bf41 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix restricted endian type warnings for dfa unpack Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
11c236b8 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add a default null dfa Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
293a4886 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add get_dfa() fn The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
15756178 |
|
02-Jun-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: add missing id bounds check on dfa verification Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
180a6f59 |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: move perm defines into policy_unpack Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
|
#
8e4ff109 |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: misc cleanup of match tidying up comments, includes and defines Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
0fe1212d |
|
16-Feb-2012 |
John Johansen <john.johansen@canonical.com> |
AppArmor: Update dfa matching routines. Update aa_dfa_match so that it doesn't result in an input string being walked twice (once to get its length and another time to match) Add a single step functions aa_dfa_next Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
57cc7215 |
|
09-Jan-2011 |
Alexey Dobriyan <adobriyan@gmail.com> |
headers: kobject.h redux Remove kobject.h from files which don't need it, notably, sched.h and fs.h. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
#
b595076a |
|
01-Nov-2010 |
Uwe Kleine-König <u.kleine-koenig@pengutronix.de> |
tree-wide: fix comment/printk typos "gadget", "through", "command", "maintain", "maintain", "controller", "address", "between", "initiali[zs]e", "instead", "function", "select", "already", "equal", "access", "management", "hierarchy", "registration", "interest", "relative", "memory", "offset", "already", Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
#
e06f75a6 |
|
29-Jul-2010 |
John Johansen <john.johansen@canonical.com> |
AppArmor: dfa match engine A basic dfa matching engine based off the dfa engine in the Dragon Book. It uses simple row comb compression with a check field. This allows AppArmor to do pattern matching in linear time, and also avoids stack issues that an nfa based engine may have. The dfa engine uses a byte based comparison, with all values being valid. Any potential character encoding are handled user side when the dfa tables are created. By convention AppArmor uses \0 to separate two dependent path matches since \0 is not a valid path character (this is done in the link permission check). The dfa tables are generated in user space and are verified at load time to be internally consistent. There are several future improvements planned for the dfa engine: * The dfa engine may be converted to a hybrid nfa-dfa engine, with a fixed size limited stack. This would allow for size time tradeoffs, by inserting limited nfa states to help control state explosion that can occur with dfas. * The dfa engine may pickup the ability to do limited dynamic variable matching, instead of fixing all variables at policy load time. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|