linux/security
John Johansen e06f75a6a2 AppArmor: dfa match engine
A basic dfa matching engine based off the dfa engine in the Dragon
Book.  It uses simple row comb compression with a check field.

This allows AppArmor to do pattern matching in linear time, and also
avoids stack issues that an nfa based engine may have.  The dfa
engine uses a byte based comparison, with all values being valid.
Any potential character encoding are handled user side when the dfa
tables are created.  By convention AppArmor uses \0 to separate two
dependent path matches since \0 is not a valid path character
(this is done in the link permission check).

The dfa tables are generated in user space and are verified at load
time to be internally consistent.

There are several future improvements planned for the dfa engine:
* The dfa engine may be converted to a hybrid nfa-dfa engine, with
  a fixed size limited stack.  This would allow for size time
  tradeoffs, by inserting limited nfa states to help control
  state explosion that can occur with dfas.
* The dfa engine may pickup the ability to do limited dynamic
  variable matching, instead of fixing all variables at policy
  load time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:13 +10:00
..
apparmor AppArmor: dfa match engine 2010-08-02 15:35:13 +10:00
integrity/ima ima: use generic_file_llseek for securityfs 2010-08-02 15:34:58 +10:00
keys KEYS: Reinstate lost passing of process keyring ID in call_sbin_request_key() 2010-08-02 15:34:56 +10:00
selinux SELinux: Move execmod to the common perms 2010-08-02 15:35:09 +10:00
smack security: make LSMs explicitly mask off permissions 2010-08-02 15:35:07 +10:00
tomoyo TOMOYO: Update version to 2.3.0 2010-08-02 15:35:10 +10:00
capability.c Security: capability: code style issue 2010-08-02 15:35:00 +10:00
commoncap.c security: whitespace coding style fixes 2010-04-23 10:10:23 +10:00
device_cgroup.c Merge branch 'master' into next 2010-05-06 10:56:07 +10:00
inode.c securityfs: Drop dentry reference count when mknod fails 2010-08-02 15:34:59 +10:00
Kconfig remove CONFIG_SECURITY_FILE_CAPABILITIES compile option 2009-11-24 15:06:47 +11:00
lsm_audit.c Merge branch 'master' into next 2010-05-06 10:56:07 +10:00
Makefile NOMMU: Optimise away the {dac_,}mmap_min_addr tests 2009-12-17 09:25:19 +11:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-04-23 08:56:31 +10:00
security.c LSM: Remove unused arguments from security_path_truncate(). 2010-08-02 15:33:40 +10:00