lp://staging/~xnox/apparmor/bison-3.0
Get this branch: bzr branch lp://staging/~xnox/apparmor/bison-3.0
Branch merges
- Dimitri John Ledkov (community): Disapprove
- AppArmor Developers: Pending requested
Diff: 39 lines (+7/-5), 1 file modified: parser/libapparmor_re/parse.y (+7/-5)
Recent revisions
- 2293. By Christian Boltz
samba (nmbd and smbd) need to create /var/run/samba and /var/cache/samba
at startup (at least on systems where /var/run is on a tmpfs)

References: https://bugzilla.novell.com/show_bug.cgi?id=856651
Acked-by: Steve Beattie <email address hidden> for trunk and 2.8. Thanks!
- 2292. By Tyler Hicks
profiles: rw file perms are now needed on AF_UNIX socket files

The AppArmor kernel now checks for both read and write permissions when
a process calls connect() on a UNIX domain socket.

The patch updates four abstractions that were found to need
changes after the change in AF_UNIX kernel mediation.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2291. By Tyler Hicks
profiles: Create D-Bus abstraction for the accessibility bus

The accessibility bus uses an abstract socket, so there hasn't been a
need for an accessibility bus abstraction in the past. Now that D-Bus
mediation is supported, an abstraction becomes a useful place to put
accessibility bus D-Bus rules.

This patch follows the lead of the dbus and dbus-session abstraction by
granting full access to the accessibility bus.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2290. By Tyler Hicks
profiles: Allow full D-Bus access in system and session abstractions

Before D-Bus mediation support was added to AppArmor, the dbus and
dbus-session abstractions granted full access to the system and session
buses, respectively.

In order to continue granting full access to those buses, bus-specific
D-Bus mediation rules need to be added to the abstractions.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2289. By Steve Beattie
parser: remove now unused clone_and_chain functions

With the previous patch to switch to using alternations for variable
expansion, the clone_and_chain set of functions are no longer needed
and no longer need to be passed around. This patch removes them.

(I kept this patch separate to keep the previous patch smaller and more
easily reviewed.)

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2288. By Steve Beattie
parser: convert var expansion to use alternations

This patch converts the parser's variable expansion from adding new
entries for each additional variable value to incorporating an
alternation that includes all the values for the variable; e.g. given:

  @{BINS}=/bin /usr/bin /sbin /usr/sbin
  @{BINS}/binary ix,

rather than expanding to entries for

  /bin/binary
  /usr/bin/binary
  /sbin/binary
  /usr/sbin/binary

one entry would remain that looks like:

  {/bin,/usr/bin,/sbin,/usr/sbin}/binary

One complication with this patch is that we try to prevent mistakes for
our users with variable expansion around '/'s; it's common for people to
write profiles that contain things like:

  @{BAR}=/bingo/*/ /bango/
  /foo/@{BAR}/baz

We already have a post-processing step that walks entries looking
for multiple sequences of '/'s and filters them into single
'/' which worked when creating new entries for each variable
expansion. Converting to alternation expansion breaks this filtering,
so code is added that removes leading and trailing slashes in variable
values in the expansion if the character immediately preceding or
following the variable is also a slash.

The intent behind this is to reduce the amount of memory allocations
and structure walking that needed to occur when converting from the
entry strings to the back end nodes. Examples with real world profiles
showed performance improvements ranging from 2.5% to 10%. However,
because the back end operations are sensitive to the front end inputs,
it is possible for worse results to occur; for example, it takes the
simple_tests/vars/vars_stress_0[123].sd tests significantly longer to
complete after this patch is applied (vars_stress_03.sd in particular
takes ~23 times longer). An initial analysis of profiling output in
this negative case looks like it causes the tree simplification in
the back end to do more work for unknown reasons.

On the other hand, the test simple_tests/vars/vars_dbus_9.sd
(introduced in "[patch 09/12] parser: more dbus variable testcases")
takes ~1 sec to complete on my laptop before this patch, and roughly
0.01s with this patch applied.

(One option would be to keep the "expand entries" approach as an
alternative, but I couldn't come up with a good heuristic for when
to use it instead.)

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2287. By Steve Beattie
parser: convert process_mnt_entry's typebuf to std::string

This patch addresses the FIXMEs from the last patch by converting
process_mnt_entry's typebuf from a char[] to std::string. As a side
effect, the code in build_list_val_expr() is greatly simplified.

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2286. By Steve Beattie
parser: remove length restriction in convert_aaregex_to_pcre usage

This patch removes the string length limit in convert_aaregex_to_pcre()
usage. One of the benefits to moving to C++ is the ability to use
std::strings, which dynamically resize themselves. While it's a large
patch, a non-trivial amount is due to needing to get a char * string
back out via the c_str() method.

The unit tests are modified to include checks to ensure that
convert_aaregex_to_pcre only appends to the passed pcre string,
it never resets it.

As the test case with overlong alternations added in the previous
patch now passes, the TODO status is removed from it.

(Note: there's a couple of FIXME comments related to converting typebuf
to std::string that are added by this patch that are addressed in the
next patch. I kept that conversion separate to try to reduce the size
of this patch a little.)

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>
- 2285. By Steve Beattie
parser: add large number of alternations test case

This patch adds a test case with an extremely large set of alternations.
It is marked TODO, because it fails with the current parser due to
strings used in convert_aaregex_to_pcre() being limited to (roughly)
PATH_MAX.

While contrived, it is possible to have alternations that are longer
than PATH_MAX that always match paths that are shorter than PATH_MAX.

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>
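The two variable-expansion strategies described in revision 2288 above (one entry per variable value versus a single {a,b,c} alternation, with slash trimming when a value sits next to a '/') and the long-alternation case from revision 2285, worked through in Python as an added example. This is not the AppArmor parser's own code: the variable definitions and sample paths are constructed from the ones quoted in the commit messages, the glob-to-regex translation covers only the subset of AppArmor globbing used here ('*', '**', '?' and '{a,b}'), and PATH_MAX is taken as 4096, its Linux value.

```python
import re

# Variable definitions, constructed from the ones quoted in revision 2288.
VARS = {
    "BINS": ["/bin", "/usr/bin", "/sbin", "/usr/sbin"],
    "BAR": ["/bingo/*/", "/bango/"],
}

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def collapse_slashes(s: str) -> str:
    """The old post-processing step: fold runs of '/' into a single '/'."""
    return re.sub(r"/{2,}", "/", s)


def expand_entries(rule: str, variables: dict) -> list:
    """Old strategy: one entry per combination of variable values."""
    m = VAR_RE.search(rule)
    if not m:
        return [collapse_slashes(rule)]
    out = []
    for val in variables[m.group(1)]:
        out.extend(expand_entries(rule[:m.start()] + val + rule[m.end():], variables))
    return out


def expand_alternation(rule: str, variables: dict) -> str:
    """New strategy: keep one entry and splice the values in as an alternation.
    The slash collapser cannot see across the '{', so a value's leading or
    trailing '/' is trimmed when the character before or after the variable
    is itself a '/'. (Values containing ',' or '}' are not handled here.)"""
    while (m := VAR_RE.search(rule)):
        before = rule[m.start() - 1] if m.start() > 0 else ""
        after = rule[m.end():m.end() + 1]
        vals = []
        for v in variables[m.group(1)]:
            if before == "/":
                v = v.lstrip("/")
            if after == "/":
                v = v.rstrip("/")
            vals.append(v)
        rule = rule[:m.start()] + "{" + ",".join(vals) + "}" + rule[m.end():]
    return collapse_slashes(rule)


def aare_to_regex(pattern: str):
    """Translate the AppArmor glob subset used here to an anchored regex:
    '*' matches within one path component, '**' across components."""
    out, i, depth = "^", 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*" and pattern[i + 1:i + 2] == "*":
            out += ".*"
            i += 2
            continue
        if c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            out += "(?:"
            depth += 1
        elif c == "}":
            out += ")"
            depth -= 1
        elif c == "," and depth > 0:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + "$")


def matched(patterns, paths) -> set:
    """Which of the given paths are accepted by any of the patterns."""
    regexes = [aare_to_regex(p) for p in patterns]
    return {p for p in paths if any(r.match(p) for r in regexes)}


def expansions_agree(rule: str, variables: dict, paths) -> bool:
    """Both strategies must accept exactly the same set of paths."""
    old = matched(expand_entries(rule, variables), paths)
    new = matched([expand_alternation(rule, variables)], paths)
    return old == new


def long_alternation_rule(n: int) -> str:
    """Constructed rule in the spirit of revision 2285: its text is far longer
    than PATH_MAX (assumed 4096, the Linux value) yet it only ever matches
    short paths such as /dir/f0042/file."""
    return "/dir/{" + ",".join(f"f{i:04d}" for i in range(n)) + "}/file"


# Constructed sample paths exercising both example rules.
SAMPLE_PATHS = [
    "/bin/binary", "/usr/bin/binary", "/usr/sbin/binary", "/opt/binary",
    "/usr/bin/other", "/foo/bingo/x/baz", "/foo/bango/baz", "/foo/bingo/baz",
    "/foo/bingo/x/y/baz",
]

if __name__ == "__main__":
    for rule in ("@{BINS}/binary", "/foo/@{BAR}/baz"):
        print(rule, "->", expand_entries(rule, VARS), "vs", expand_alternation(rule, VARS))
        print("  both strategies agree:", expansions_agree(rule, VARS, SAMPLE_PATHS))
    big = long_alternation_rule(1000)
    print(len(big), "chars; matches /dir/f0042/file:",
          bool(aare_to_regex(big).match("/dir/f0042/file")))
```

Running it shows `/foo/@{BAR}/baz` becoming `/foo/{bingo/*,bango}/baz` rather than the four-slash `/foo/{/bingo/*/,/bango/}/baz` that naive splicing would produce, and confirms against the sample paths that the single alternation accepts exactly what the per-entry expansion did; the 1000-way alternation is about 6000 characters long yet matches a 15-character path, which is the case the fixed-length buffer in revision 2285 could not represent.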
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp://staging/apparmor/2.12