The PolicyDB is the state machine that matches various permission
requests to the permissions granted by a profile.
AppArmor 3.0 introduced the PolicyDB, which extends the use of
the HFA beyond file rules into other mediation types. The PolicyDB
allows generic queries to be made against AppArmor policy using
just the HFA. For backwards compatibility reasons, masks and some
other structures are retained and used, but all of the information
is also recorded in the PolicyDB.
The layout of the PolicyDB can be thought of as a tree that begins
at the HFA start state. From there, a single byte transition, chosen
by the type of the permission request, finds the rules governing that
type. Further transitions within a type lead to more specific sub-types
and eventually to a match that can be used to determine permissions.
For example, the transition for the file request type finds the file
rules within the PolicyDB. Note that file rules are stored in a
backwards compatible manner so that direct access is possible by
specifying an alternate start state for file rules.
Each kind of permission request has a defined type, with unknown
types reserved for future expansion. The layout and ordering of
matching within a given type is tailored to the input of that
type's permission request, so each type has its own layout and high
level match routine.
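The following toy model, added here as an illustration and not AppArmor's own code, shows the layout described above: a single HFA whose start state branches on a type byte, with the file rules and a second (signal) type living in separate subtrees, a generic query that walks the tree from the start state, and a file query that begins at the alternate start state reached after the file type transition. The type byte values, permission bits, the signal encoding (signal number byte followed by peer label) and the function names are assumptions made for the example; the example policy is constructed inline.

```c
/* policydb_demo.c: toy model of the PolicyDB's type-byte tree layout.
 * Added illustration, not AppArmor code. Type byte values, permission
 * bits and the signal encoding are simplified assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { CLASS_FILE = 2, CLASS_SIGNAL = 10 };             /* assumed type bytes */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4, PERM_SEND = 8 };

#define NSTATES 64
#define DEAD    0   /* no transition: every input stays here and grants nothing */
#define START   1   /* HFA start state; its out-edges are the type bytes */

struct dfa {
    uint16_t next[NSTATES][256];   /* transition table, 0 = no transition */
    uint32_t accept[NSTATES];      /* permissions granted when matching ends here */
    int nstates;
};

static int alloc_state(struct dfa *d) {
    return d->nstates < NSTATES ? d->nstates++ : DEAD;
}

/* Add transitions for bytes s[0..n) from 'from', sharing any existing prefix. */
static int add_chain(struct dfa *d, int from, const uint8_t *s, size_t n) {
    for (size_t i = 0; i < n && from != DEAD; i++) {
        if (!d->next[from][s[i]])
            d->next[from][s[i]] = (uint16_t)alloc_state(d);
        from = d->next[from][s[i]];
    }
    return from;
}

static int add_rule(struct dfa *d, int from, const void *s, size_t n, uint32_t perms) {
    int end = add_chain(d, from, s, n);
    d->accept[end] |= perms;
    return end;
}

/* Walk the HFA from 'state' over the input; the final state's accept entry is the result. */
static uint32_t dfa_match(const struct dfa *d, int state, const uint8_t *in, size_t n) {
    for (size_t i = 0; i < n && state != DEAD; i++)
        state = d->next[state][in[i]];
    return d->accept[state];
}

/* Generic PolicyDB query: the first transition from START selects the request
 * type, then the type-specific input is matched. Unknown types land in DEAD. */
uint32_t policydb_query(const struct dfa *d, uint8_t type, const void *in, size_t n) {
    return dfa_match(d, d->next[START][type], in, n);
}

/* Alternate start state for file rules: the type transition is taken once, so
 * file lookups can skip the type byte and start inside the file subtree. */
int policydb_file_start(const struct dfa *d) { return d->next[START][CLASS_FILE]; }

uint32_t file_query(const struct dfa *d, int file_start, const char *path) {
    return dfa_match(d, file_start, (const uint8_t *)path, strlen(path));
}

/* Constructed example policy:
 *   file:   /etc/passwd r,   /usr/bin/true rx
 *   signal: send SIGTERM to peer "worker" (assumed encoding: signal byte, peer label) */
struct dfa *build_example_policy(void) {
    static struct dfa d;
    memset(&d, 0, sizeof d);
    d.nstates = START + 1;
    int file_root = add_chain(&d, START, (const uint8_t[]){CLASS_FILE}, 1);
    add_rule(&d, file_root, "/etc/passwd", 11, PERM_READ);
    add_rule(&d, file_root, "/usr/bin/true", 13, PERM_READ | PERM_EXEC);
    int sig_root = add_chain(&d, START, (const uint8_t[]){CLASS_SIGNAL}, 1);
    int sigterm = add_chain(&d, sig_root, (const uint8_t[]){15}, 1);   /* SIGTERM = 15 */
    add_rule(&d, sigterm, "worker", 6, PERM_SEND);
    return &d;
}

int main(void) {
    struct dfa *d = build_example_policy();
    int fs = policydb_file_start(d);
    printf("file /etc/passwd     : generic=%u direct=%u\n",
           (unsigned)policydb_query(d, CLASS_FILE, "/etc/passwd", 11),
           (unsigned)file_query(d, fs, "/etc/passwd"));
    printf("file /etc/shadow     : %u\n", (unsigned)file_query(d, fs, "/etc/shadow"));
    uint8_t sig[] = {15, 'w', 'o', 'r', 'k', 'e', 'r'};
    printf("signal SIGTERM/worker: %u\n", (unsigned)policydb_query(d, CLASS_SIGNAL, sig, sizeof sig));
    printf("unknown type 99      : %u\n", (unsigned)policydb_query(d, 99, "x", 1));
    return 0;
}
```

Two properties of the real design show up here: a request for a type the policy does not know about falls into the dead state and receives no permissions rather than an error, and the generic query and the direct file query agree, because the file subtree is the same tree either way; only the entry point differs.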