From AppArmor
Revision as of 09:49, 13 January 2012 by Jdstrand (Talk | contribs) (Miscellaneous)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Work Items

This is a list of outstanding work items that can be done again the current code base.

For a list of improvements and extensions to AppArmor see the development roadmap


  • General
    • Convert parser to straight C++ compile and then strip
    • Remove pcre
    • Convert parser into front end and library(ies)
      • Front end, switch and input control
      • Parsing Layer and semantic check - convert text to parse tree
      • Mid Layer parse tree manipulation
      • Back end
        • rule to compiled struct - DFA/dDFa/XFA
        • compiled struct matching
        • compiled struct compression
  • Compatability
    • check for newer kernel version
    • output new split dfa, permission format
    • allow sharing dfa
    • network rules?
  • Caching
    • move cache out of /etc/apparmor.d/ into /lib/apparmor/
    • store off which files are parsed
    • read file list and stat to check for newer files against binary cache timestamp
    • fallback to parsed file stamps to validate cache before doing compute
  • Front
    • cleanup internal flags and toggles, shouldn't have to special case -S to get output at backend
    • Cleanup iteration of files specified and front driver code
    • permission check update, should be using capable instead of checking for root
    • move profile control symlinks into /etc/apparmor/
  • Parsing
    • make parser reentrant
    • setup multiple entry points to parser, profile, general rule, file rule, network rule, variable, ...
    • Cleanup semantic parsing
    • Cleanup permission parsing of rules
  • Mid
    • convert rules, codomains to C++ classes
    • convert lists, to C++ list iterators
    • convert twalk to C++ container
    • Sort and rule merge cleanup
      • use iterator sort
      • cleanup merge comparisons
    • new stage doing front factoring for rules with the same permissions before expr parsing
    • Fix caching loading so its not split across front, and current backend loading of policy
  • EXPR
    • split expr from dfa
    • native expr parsing of AA rules
    • set up shared nodes struct for exprs
    • use single shared eps node, instead of doing allocations?
    • have normalization use single shared eps node so we don't have to do tail, alt direction check on factoring
    • have shared accept states that aren't ref counted but released when common shared struct is released
    • Add more debug to expr tree simplification
      • number of iterations
      • number of changes on a given iteration
      • Find out why expr tree simplfication is taking so long
    • Add short cuts for expr tree simplification, need to reduce recursion and looping
      • when pulling up alt nodes in normalization - maybe don't need to recurse on each child? Or can recurse less, currently done after each pull up
      • hashing of node to speedup comparison
      • character set conversion? Convert nodes into character sets?
      • Inverted character set conversion? convert inverted sets into standard sets?
    • Fix dump of Nodes into standard C++ redirects
    • Split out as much dfa from expr trees as possible
  • DFA
    • hashing of sets for quicker construction comparison
    • store less dfa info in expr node, store as much intermediate information as possible in the DFA creation routine
    • pull cases into dfa node
    • get rid of dfa level map of state to transition table
    • add routine to clear, expr tree references from dfa, having references back to expr tree is good for debugging but should not be needed in normal use
    • dfa matching routines using computed dfa
    • DFA Set operations
    • Incremental DFA construction, instead of single large regex break into multiple, and do minimization on each and then merge. If the split is done correctly this should reduce the number of extra states created and eliminated
    • Cache precompiled DFA chunks
      • save off chunk
      • load chunk
      • check time stamp
      • combine chunk into accumulating policy
    • Accept States
      • Dfa sharing, need to track perms per shared profile/hat and extract perms for each profile/hat after the fact
      • dfa negative states for permission subtraction
        • special states for per rule subtraction
    • Minimization
      • better state comparison
      • hash partitioning of non-accepting states
      • For debugging purposes allow starting from 2 basic partitions
      • For debugging purposes allow minimizing to a single accept state (ie different permissions are not a reason for partitions splitting
    • Compression
      • Better stats
      • Reduce overhead of tracking free position list
      • more options on ordering of rules being inserted
      • bitmap comparison
      • hashing schemes to speedup compression?
      • dfa matching routines using compressed dfa
  • Back End Binary Policy writing
    • move to C++ stream


  • suggest abstractions with variable name matches. Eg, if /proc/filesystems is denied, aa-logprof will not suggest abstractions/base even though it has @{PROC}/filesystems
  • have aa-logprof only show entries after the 'Last Modified' date (which it writes to the profile)

Profile Repository

  • bleah current implementation is an eye soar

init scripts


  • update to use change_profile
  • jdstrand: some form of testing (DONE via QRT)


  • get change_hat plugin for tomcat working with tomcat 6


  •  ???


  • remove unused dfa code
  • use lsm audit
  • use audit/complain masks instead of a flag
  • hierarchical namespaces
  • path improvements (flags to control)
    • deleted file
    • disconnected paths
    • chroots
  • features interface as sysfs style dir
  • merge common of file_perm path_perm
  • multi profile load


  • add aa-reload (or similar) as a wrapper around 'apparmor_parser -r' with perhaps some added functionality
  • verify fuse mounts with test cases

test suites


  • userside matching engine regression. Setup tests of matching against known rules, and strings.
  • userside matching of kernel regression tests (run known request traces against policy used in kernel test except against user side matching).
  • incorporate new 'error' tests from Makefile into testsuite proper
  • check binary output in some way
  • check dump output against what is loaded
  • use more unit testing
  • add capability to run certain tests as root



  • way to mark expected profile on program
  • way to mark supported version on test (error code, pass/fail for each)
  • better/more flexible profile description support (profile generation)
  • better way to share/reuse test for conditionals
  • load/remove/replace tests
  • namespace create/remove tests
  • break tests into different catagories and directories
  • provide easier access to different sets of tests to run subsets
  • procattr read expected value tests
  • supported interface version tests
    • do basic loads for all supported versions
    • run tests for supported versions
  • failed name lookup tests (lazy unmounts, deleted files, exec through proc fds, etc)
  • namespace tests
  • named transition tests
  • regex profile name tests
  • change_profile onexec
  • expand open permissions tests with different flags passed
  • alias tests
  • variable and conditional tests
  • children profiles
  • audit tests
    • audit rules
    • quiet
    • global flags
  • conditional tests
    • owner
    • extended owner
    • group
    • inode ...
  • expand link tests
  • chroots
    • flags affecting path resolution
  • mount - extend mount tests, tests for new mount rules
  • bind mounts
  • pivot roots
  • union mounts
  • stacked filesystems
    • unionfs - tests
    • aufs
    • ecryptfs
  • network tests
  • logging tests
  • ipc tests
  • eventually reorganize so this is more like the other suites where the tests are drop in


  • fix existing broken tests and reenable
  • leak tests
  • add structure to tests


  • rename so that the test files give an indication of what they do
  • create regression tests for bindings with following priority: first perl, then python, then java and ruby


  • add upstream tests, but have them disabled by default (since a running apache will be needed)
  • enable the upstream tests in QRT



  • Release Notes
    • update and collate into single location
  • overview
    • walk throughs
  • Technical documentation
    • 10000' view (overview) see above
    • 1000' view course explanation of what happens at walk through level
    • 100' view detail of what is done and why for each part
  • Roadmap

Man pages

  • [jdstrand] write pam_apparmor
  • write change_hatv(2)
  • write change_onexec(2)
  • genprof logprof

Tech documents

  • update and fold into wiki versions


  • add to wiki


  • comparisons to other security projects
    • weaknesses and advantages

Tutorials to write

Once written, these need to be integrated into Documentation


Once written, these need to be integrated into Documentation