lp:~jjohansen/+junk/apparmor_dbus_patches

Created by John Johansen on 2011-12-16 and last modified on 2011-12-16
Get this branch:
bzr branch lp:~jjohansen/+junk/apparmor_dbus_patches

Branch information

Owner:
John Johansen
Status:
Development

Recent revisions

1871. By John Johansen on 2011-12-16

patch parser and libapparmor to support dbus mediation

1870. By John Johansen on 2011-12-16

Move rlimit start condition and rules up to be with
other start conditions.

The rlimit start condition was separating different rules of the base
set making the lexer grammar harder to read than necessary.

Signed-off-by: John Johansen <email address hidden>

1869. By John Johansen on 2011-12-15

update version number to indicate we are in a dev version, using the
proposed .99 versioning to fix the version problem we had with using
alpha, beta, etc. because apt and rpm have different version comparisons

1868. By John Johansen on 2011-12-15

To reduce memory overhead of dfa creation convert to using a Node Vector
instead of a NodeSet.

We need to store sets of Nodes to compute the dfa, but the C++ set is
not the most efficient way to do this as it has a lot of overhead
just to store a single pointer.

Instead we can use an array of tightly packed pointers + some header
information. We can do this because once the Set is finalized it will
not change, we just need to be able to reference and compare to it.

We don't use C++ Vectors as they have more overhead than a plain array
and we don't need their additional functionality.

We only replace the use of hashedNodeSets for non-accepting states as
these sets are only used in the dfa construction, and dominate the memory
usage. The accepting states still may need to be modified during
minimization and there are only a small number of entries (20-30), so
it does not make sense to convert them.

Also introduce a NodeVec cache that serves the same purpose as the NodeSet
cache that was introduced earlier.

This is not abstracted out as nicely as might be desired but avoiding
the use of a custom iterator and directly iterating on the Node array
allows for a small performance gain on larger sets.

This patch reduces the amount of heap memory used by dfa creation by about
4x - overhead. So for small dfas the savings is only 2-3x but on larger
dfas the savings become more and more pronounced.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Kees Cook <email address hidden>

1867. By John Johansen on 2011-12-15

Split the nodeset used in computing the dfa into two sets, accepting and
non-accepting, and have the proto-state use them.

To reduce memory overhead each set gains its own "cache" that makes sure
there is only a single instance of each NodeSet generated. And since
we have a cache abstraction, move relevant stats into it.

Also refactor code slightly to make caches and work_queue etc, DFA member
variables instead of passing them as parameters.

The split + caching results in a small reduction in memory use as the
cost of ProtoState + Caching is less than the redundancy that is eliminated.
However this results in a small decrease in performance.

Sorry I know this really should have been split into multiple patches
but the patch evolved and I got lazy and decided to just not bother
splitting it.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Kees Cook <email address hidden>

1866. By John Johansen on 2011-12-15

Replace usage of NodeSet with ProtoState in dfa creation.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Kees Cook <email address hidden>

1865. By John Johansen on 2011-12-15

Add a new class hashedNodeSet.

It is the functional equivalent of ProtoState. We do this to provide a
new level of abstraction that ProtoState can leverage, when the node types
are split.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Kees Cook <email address hidden>

1864. By John Johansen on 2011-12-15

Now that we have a proper class we don't need a functor to do comparisons,
we can fold it into the class's operator<.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Kees Cook <email address hidden>

1863. By John Johansen on 2011-12-15

Begin preparing to split accept nodes and non-accept nodes.

Create a new ProtoState class that will encapsulate the split, but for
this patch it will just contain what was done previously with NodeSet

Signed-off-by: John Johansen <email address hidden>

1862. By John Johansen on 2011-12-15

Rename compressed_hfa.{c,h} and TransitionTable within them to chfa. This
is done to be clear what TransitionTable is, as we will then add matching
capabilities. Renaming the files is just to make them consistent with
the class in the file.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Kees Cook <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.
