09 Nov, 2018 6 commits
      parser: limit the number of passes expr tree simplification does · 2809060b
      John Johansen authored
      Expr tree simplification makes multiple passes at simplifying the
      expression tree trying to use factoring rules and heuristics to achieve
      the minimum tree, so that dfa construction has fewer nodes to deal with.
      Unfortunately expr tree simplification can slow some policy compiles
      down, dependent on the type of expressions generated, and even worse
      is currently subject to never terminating on some expressions as the
      left and right passes keep undoing each other's work.
      Limiting the number of passes that expr tree simplification does can
      provide most of its benefits (later passes generally have diminishing
      returns), reduces the overhead it has on simple policy where it is of
      little benefit, and ensures that simplifications can not get stuck in
      an infinite loop due to the left and right passes ping-ponging on each
      other's factoring.
      Note: This also results in a performance improvement in evince
      compiles, and general policy compiles because it achieves a better
      balance between time spent on simplifying the tree to remove nodes and
      time the dfa build requires to build with extra nodes and then
      eliminate with minimization.
      $ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
      real	0m2.744s
      user	0m2.714s
      sys	0m0.028s
      $ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
      real	0m2.992s
      user	0m2.979s
      sys	0m0.012s
      $ time apparmor_parser -QT /etc/apparmor.d/
      real	0m3.568s
      user	0m14.529s
      sys	0m0.152s
      $ time apparmor_parser -QT /etc/apparmor.d/
      real	0m3.741s
      user	0m15.400s
      sys	0m0.179s
      PR: !246
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
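      The ping-pong the commit above describes is easiest to see on a tiny model. The following is an added example, not the AppArmor parser's expression-tree code: expressions are nested tuples (a string is a symbol, ('cat', [...]) a concatenation, ('alt', [...]) an alternation), a "left" pass factors alternations by common first symbol and a "right" pass by common last symbol, each distributing a sibling's nested alternation when that exposes a shared symbol. On "ab | ac | dc" the two passes undo each other forever (prefix a versus suffix c), so only the pass cap in simplify() guarantees termination; on "axb | ayb" they converge to a(x|y)b. The two sample inputs are constructed for the illustration.

```python
"""Toy model of alternating left/right factoring passes with a pass cap.
Added example; not the AppArmor parser's expr tree code."""


def cat(*parts):
    """Concatenation node; flattens nested concatenations, collapses singletons."""
    flat = []
    for p in parts:
        flat.extend(p[1] if isinstance(p, tuple) and p[0] == 'cat' else [p])
    return flat[0] if len(flat) == 1 else ('cat', flat)


def alt(*parts):
    """Alternation node; flattens nested alternations, collapses singletons."""
    flat = []
    for p in parts:
        flat.extend(p[1] if isinstance(p, tuple) and p[0] == 'alt' else [p])
    return flat[0] if len(flat) == 1 else ('alt', flat)


def size(e):
    """Node count: the quantity simplification tries to drive down."""
    return 1 if isinstance(e, str) else 1 + sum(size(k) for k in e[1])


def seq(e):
    """View a node as a list of concatenated factors."""
    return list(e[1]) if isinstance(e, tuple) and e[0] == 'cat' else [e]


def edge(e, end):
    """First (end=0) or last (end=-1) factor if it is a plain symbol, else None."""
    f = seq(e)[end]
    return f if isinstance(f, str) else None


def distribute(e, end):
    """a(b|c) -> [ab, ac] (end=0) or (b|c)a -> [ba, ca] (end=-1); else [e]."""
    s = seq(e)
    if not (isinstance(s[end], tuple) and s[end][0] == 'alt'):
        return [e]
    rest = s[1:] if end == 0 else s[:-1]
    return [cat(b, *rest) if end == 0 else cat(*rest, b) for b in s[end][1]]


def factor_pass(e, end):
    """One simplification pass in one direction (end=0 left, end=-1 right)."""
    if isinstance(e, str):
        return e
    kind, kids = e
    kids = [factor_pass(k, end) for k in kids]
    if kind == 'cat':
        return cat(*kids)
    # Symbols already visible at this edge among the siblings.
    visible = {edge(k, end) for k in kids} - {None}
    expanded = []
    for k in kids:
        pieces = distribute(k, end)
        # Undo the other direction's factoring only when it exposes a shared symbol.
        if len(pieces) > 1 and any(edge(p, end) in visible for p in pieces):
            expanded.extend(pieces)
        else:
            expanded.append(k)
    groups = {}
    for k in expanded:
        groups.setdefault(edge(k, end), []).append(k)
    out = []
    for sym, group in groups.items():
        if sym is None or len(group) == 1:
            out.extend(group)
            continue
        rests = []
        for k in group:
            r = seq(k)[1:] if end == 0 else seq(k)[:-1]
            rests.append(cat(*r) if r else '')  # '' stands for the empty string
        inner = factor_pass(alt(*rests), end)
        out.append(cat(sym, inner) if end == 0 else cat(inner, sym))
    return alt(*out)


def simplify(e, max_passes):
    """Alternate left and right passes, at most max_passes times, and return
    (smallest tree seen, passes run). Stops early once two consecutive passes
    change nothing; the cap is what terminates a ping-pong."""
    best, cur, passes, unchanged = e, e, 0, 0
    for i in range(max_passes):
        nxt = factor_pass(cur, 0 if i % 2 == 0 else -1)
        passes += 1
        if size(nxt) < size(best):
            best = nxt
        unchanged = unchanged + 1 if nxt == cur else 0
        if unchanged == 2:
            break
        cur = nxt
    return best, passes


# Constructed inputs: "ab | ac | dc" ping-pongs, "axb | ayb" converges.
E_PINGPONG = alt(cat('a', 'b'), cat('a', 'c'), cat('d', 'c'))
E_CONVERGES = alt(cat('a', 'x', 'b'), cat('a', 'y', 'b'))

if __name__ == '__main__':
    for name, e in (('ping-pong', E_PINGPONG), ('converges', E_CONVERGES)):
        best, n = simplify(e, max_passes=6)
        print(name, 'passes run:', n, 'size:', size(e), '->', size(best))
```

      Without the cap, simplify() on E_PINGPONG would alternate between a(b|c)|dc and ab|(a|d)c indefinitely, which is the failure mode the commit closes; with it, the best tree seen so far is returned once the budget is spent.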
      Merge branch 'cboltz-eventd' into 'master' · 3318f660
      John Johansen authored
      Remove traces of aa-eventd
      aa-eventd and its initscripts have been moved to deprecated/ in 2014 and didn't get any serious updates for several more years, so it's most probably useless and/or broken nowadays.
      This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE variables in rc.apparmor.functions anymore.
      (In theory I could move these variables to deprecated/rc.aaeventd.* - but in practice that sounds more than superfluous ;-)
      PR: !263
      Acked-by: John Johansen <john.johansen@canonical.com>
      Remove traces of aa-eventd · 3a89e981
      Christian Boltz authored
      aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
      didn't get any serious updates for several more years, so it's most
      probably useless and/or broken nowadays.
      This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
      variables in rc.apparmor.functions anymore.
      remove subdomainfs support · 94ff870f
      John Johansen authored
      It has been over 10 years since the transition from subdomainfs to
      using securityfs. Let's drop this deprecated code.
      PR: !258
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: seth.arnold@canonical.com
      rc.apparmor.functions: drop module loading support · 0d5ab43d
      John Johansen authored
      The apparmor kernel "module" has not been a loadable module for more
      than a decade, it must be built into the kernel and due to configuration
      requirements it will never go back to being a loadable module.
      Remove the long non-functioning load_module support from the init script.
      PR: !257
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Acked-by: seth.arnold@canonical.com
      Merge branch 'use-sys' into 'master' · e657ca67
      John Johansen authored
      Use @{sys} tunable in profiles and abstractions
      Commit aa065287 made @{sys} tunable available by default.
      Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var).
      Closes LP#1728551
      PR: !262
      Acked-by: John Johansen <john.johansen@canonical.com>
22 Oct, 2018 6 commits
      Replace existing_profiles & fix minitools for named profiles · 4d722f18
      Christian Boltz authored
      Technical stuff first:
      Replace existing_profiles (a dict with the filenames for both active and
      inactive profiles) with active_profiles and extra_profiles which are
      ProfileList()s and store the active profiles and those in the extra
      directory separately. Thanks to ProfileList, now also the relation
      between attachments and filenames is easily available.
      Also replace all usage of existing_profiles with active_profiles and
      extra_profiles, and adjust it to the ProfileList syntax everywhere.
      With this change, several bugs in aa-complain and the other minitools
      get fixed:
      - aa-complain etc. never found profiles that have a profile name
        (the attachment wasn't checked)
      - even if the profile name was given as parameter to aa-complain, it
        first did "which $parameter" so it never matched on named profiles
      - profile names with alternations (without attachment specification)
        also never matched because the old code didn't use AARE.
      References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
      (search for "As usual" ;-)
      Just for completeness - the matching still doesn't honor/expand
      variables in the profile name.
      add ProfileList class to store list of profiles · 789c4658
      Christian Boltz authored
      ProfileList is meant to store the list of profiles (both name and
      attachment) and in which files they live.
      Also add unittests to make sure everything works as expected.
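      As an added example of the idea behind the two commits above (a list of profiles keyed by both profile name and attachment, with the file each lives in, so that minitools can find named profiles and alternation attachments without a "which $parameter" detour), the following is a self-contained model. It is not the project's ProfileList class: the class and method names, the aare_to_regex() translation and resolve_minitool_argument() are all assumptions made for the illustration, and the sample profiles are constructed data. Like the real code at this point, it does not expand variables in profile names or attachments.

```python
"""Profile registry keyed by profile name and attachment, with AARE matching.
Added example; not the AppArmor utils' ProfileList implementation."""
import re


def aare_to_regex(pattern):
    """Translate an AppArmor glob (AARE) into an anchored regex.
    Supports * (no '/'), ** (anything), ? (one non-'/' char), {a,b}
    alternation and [...] classes. Variables such as @{HOME} are NOT expanded."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):
            out.append('.*')
            i += 2
            continue
        if c == '*':
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        elif c == ',' and depth:
            out.append('|')
        elif c == '[' and pattern.find(']', i) != -1:
            j = pattern.find(']', i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


class ProfileList:
    """Which file defines which profile, looked up by name or by attachment."""

    def __init__(self):
        self.by_name = {}        # profile name -> filename
        self.by_attachment = {}  # attachment (AARE) -> filename
        self._regex = {}         # attachment (AARE) -> compiled regex

    def add_profile(self, filename, profile_name, attachment=None):
        if profile_name in self.by_name:
            raise ValueError('duplicate profile name %r' % profile_name)
        if attachment and attachment in self.by_attachment:
            raise ValueError('duplicate attachment %r' % attachment)
        self.by_name[profile_name] = filename
        if attachment:
            self.by_attachment[attachment] = filename
            self._regex[attachment] = aare_to_regex(attachment)

    def filename_from_profile_name(self, profile_name):
        return self.by_name.get(profile_name)

    def filename_from_attachment(self, attachment):
        return self.by_attachment.get(attachment)

    def filename_for_executable(self, path):
        """Exact attachment first, then AARE match (covers {foo,bar} style
        alternations). None when nothing or more than one file matches."""
        if path in self.by_attachment:
            return self.by_attachment[path]
        hits = {fn for att, fn in self.by_attachment.items()
                if self._regex[att].match(path)}
        return hits.pop() if len(hits) == 1 else None


def resolve_minitool_argument(profiles, arg):
    """What an aa-complain style tool needs: accept either a profile name or
    an executable path and return the profile's file, without calling `which`,
    so named profiles and alternation attachments are found too."""
    filename = profiles.filename_from_profile_name(arg)
    if filename is None:
        filename = profiles.filename_for_executable(arg)
    return filename


def sample_profiles():
    """Constructed sample data for the illustration, not real policy."""
    p = ProfileList()
    p.add_profile('usr.bin.evince', '/usr/bin/evince', '/usr/bin/evince')
    p.add_profile('usr.bin.foo', 'foo', '/usr/bin/{foo,bar}')  # named + alternation
    p.add_profile('myservice', 'myservice')                    # named, no attachment
    return p


if __name__ == '__main__':
    profiles = sample_profiles()
    for arg in ('foo', '/usr/bin/bar', '/usr/bin/evince', 'myservice', '/usr/bin/nothing'):
        print(arg, '->', resolve_minitool_argument(profiles, arg))
```

      The two lookup methods deliberately mirror the split into a by-profile-name and a by-attachment lookup that the commits further down the page describe: a caller has to say which of the two it is passing, instead of leaving the string ambiguous.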
      Move updating existing_profiles out of parse_profile_data() · 8809218a
      Christian Boltz authored
      parse_profile_data() returns the parsed profiles, but writes to
      existing_profiles directly.
      read_profiles() calls parse_profile_data() and already handles adding
      the parsed profiles to aa, original_aa or extras, which means updating
      existing_profiles there is a much better place.
      This commit also includes a hidden change: Previously, when parsing
      include files, they were also added to existing_profiles. This is
      superfluous, only real profiles need to be stored there.
      split off get_new_profile_filename() · a6b8d149
      Christian Boltz authored
      ... and call it from get_profile_filename_* if get_new is True
      (= always with the current code)
      split get_profile_filename into .._from_profile_name and .._from_attachment · ec741424
      Christian Boltz authored
      Split get_profile_filename() into
      - get_profile_filename_from_profile_name() (parameter: a profile name)
      - get_profile_filename_from_attachment() (parameter: an attachment)
      Currently both functions call get_profile_filename_orig() (formerly
      get_profile_filename()) so the behaviour doesn't change yet.
      The most important part of this commit is changing all
      get_profile_filename() calls to use one of the new functions to make
      clear if they specify a profile or an attachment/executable as
      As promised, the is_attachment parameter starts to get used in this
      patch ;-)
      Note: The get_new parameter (which I'll explain in the patch actually
      using it) is set to True in all calls to the new functions.
      The long term plan is to get rid of it in most cases (hence defaulting
      to False), but that will need more testing.
      Add is_attachment parameter to write_profile · bc783372
      Christian Boltz authored
      The minitools call write_profile(), write_profile_feedback_ui() and
      serialize_profile() with the _attachment_ as parameter.
      However, aa-logprof etc. call them with the _profile name_ as parameter.
      This patch adds an is_attachment parameter to write_profile() and
      write_profile_feedback_ui(). It also passes it through to
      serialize_profile() via the options parameter.
      If is_attachment is True, the parameter will be handled as attachment,
      otherwise it is expected to be a profile name.
      tools.py gets changed to set is_attachment to True when calling the
      functions listed above to make clear that the parameter is an attachment.
      Note: This patch only adds the is_attachment parameter/option, but
      doesn't change any behaviour. That will happen in the next patch.