db: fix a 64bit filter DB problem

Fix a problem when generating 64bit filters where the individual nodes
were overly connected, making some of the optimizations ineffective.
This fix should result in smaller filters on 64bit systems that use
syscall argument filtering.

The examples below were taken from the 08-subtree-checks test.

Before this patch (incorrect):

 # filter code for syscall #1006 (priority: 65529)
  if ($syscall != 1006) goto syscal_1006_end;
  if ($a1.hi32 == 0)
   if ($a1.lo32 == 1)
    if ($a2.hi32 == 0)
     if ($a2.lo32 == 2)
      action ALLOW;
   else
    action ALLOW;
  else
   if ($a2.hi32 == 0)
    if ($a2.lo32 == 0)
     action ALLOW;
  syscall_1006_end:

After this patch (correct):

 # filter code for syscall #1006 (priority: 65531)
  if ($syscall != 1006) goto syscal_1006_end;
  if ($a1.hi32 == 0)
   if ($a1.lo32 == 1)
    if ($a2.hi32 == 0)
     if ($a2.lo32 == 2)
      action ALLOW;
   else
    action ALLOW;
  syscall_1006_end:

Signed-off-by: Paul Moore <pmoore@redhat.com>

1 files changed, 3 insertions, 6 deletions

diff --git a/src/db.c b/src/db.c
index 62863ec..44f9a53 100644
--- a/src/db.c
+++ b/src/db.c
@@ -598,15 +598,12 @@ static struct db_sys_list *_db_rule_gen_64(const struct arch_def *arch,
 		memset(c_iter_lo, 0, sizeof(*c_iter_lo));
 		c_iter_lo->refcnt = 1;
 
-		/* link the hi node to the previous level */
-		if (c_prev_hi != NULL) {
+		/* link this level to the previous level */
+		if (c_prev_lo != NULL) {
 			if (tf_flag)
 				c_prev_lo->nxt_t = c_iter_hi;
-			else {
-				c_iter_hi->refcnt++;
-				c_prev_hi->nxt_f = c_iter_hi;
+			else
 				c_prev_lo->nxt_f = c_iter_hi;
-			}
 		} else
 			s_new->chains = c_iter_hi;
 		s_new->node_cnt += 2;