diff --git a/docs/api_reference.md b/docs/api_reference.md index b5eaab1..0efe677 100644 --- a/docs/api_reference.md +++ b/docs/api_reference.md @@ -68,7 +68,6 @@ After that, call maat_new to create a maat instance. Next, for the two main usag * [maat_state_reset](#maat_state_reset) * [maat_state_free](#maat_state_free) * [maat_state_set_scan_district](#maat_state_set_scan_district) -* [maat_state_set_scan_rule_table](#maat_state_set_scan_rule_table) * [maat_state_get_hit_paths](#maat_state_get_hit_paths) * [maat_state_get_rule_table_ids](#maat_state_get_rule_table_ids) * [maat_state_get_scan_count](#maat_state_get_scan_count) @@ -601,23 +600,6 @@ To set the field to be matched in the next scan, for example: if you want to mat **Returns**: success(0) failure(-1) - -### maat_state_set_scan_rule_table - -```c -int maat_state_set_scan_rule_table(struct maat_state *state, - int rule_table_id); -``` - -Maat supports loading multiple rule tables and building their respective runtime. Within the table schema, there is a rule table that has a `default_rule_table` field, indicating that maat will use the runtime of this table to calculate which rule_id will be hit by the hit object_id. If the caller wants to use another rule table runtime for the above calculation, this interface can be invoked to set it up. - -**Parameters**: -* state - Pointer to the maat state structure. -* rule_table_id - The rule table ID. - -**Returns**: success(0) failure(-1) - - ### maat_state_get_hit_paths ```c diff --git a/include/maat.h b/include/maat.h index f9a21a8..b0db46d 100644 --- a/include/maat.h +++ b/include/maat.h @@ -41,17 +41,10 @@ struct maat_hit_path { uuid_t rule_uuid; }; -struct maat_hit_object { - uuid_t item_uuid; - uuid_t object_uuid; - char attribute_name[MAX_ATTR_NAME_LEN]; -}; - enum maat_scan_status { MAAT_SCAN_ERR = -1, //scan error - MAAT_SCAN_OK, //scan but not hit(object or rule) - MAAT_SCAN_HALF_HIT, //half hit: hit object, not hit rule - MAAT_SCAN_HIT //scan hit rule + MAAT_SCAN_OK, //scan but not hit object + MAAT_SCAN_HIT //scan hit object }; enum maat_update_type { @@ -255,143 +248,110 @@ struct maat_state; * MAAT_SCAN_HIT */ int maat_scan_flag(struct maat *instance, const char *table_name, const char *attribute_name, - long long flag, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); + long long flag, struct maat_state *state); int maat_scan_integer(struct maat *instance, const char *table_name, const char *attribute_name, - long long integer, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); + long long integer, struct maat_state *state); /** * @param ip_addr: ipv4 address in network order * @param port: port in host order. If the port is not specified, use -1. Note that 0 is a valid port. */ int maat_scan_ipv4_port(struct maat *instance, const char *table_name, const char *attribute_name, - uint32_t ip_addr, int port, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); + uint32_t ip_addr, int port, struct maat_state *state); int maat_scan_ipv6_port(struct maat *instance, const char *table_name, const char *attribute_name, - uint8_t *ip_addr, int port, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); + uint8_t *ip_addr, int port, struct maat_state *state); int maat_scan_ipv4(struct maat *instance, const char *table_name, const char *attribute_name, - uint32_t ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); + uint32_t ip_addr, struct maat_state *state); int maat_scan_ipv6(struct maat *instance, const char *table_name, const char *attribute_name, - uint8_t *ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); + uint8_t *ip_addr, struct maat_state *state); int maat_scan_string(struct maat *instance, const char *table_name, const char *attribute_name, - const char *data, size_t data_len, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state); + const char *data, size_t data_len, struct maat_state *state); int maat_scan_object(struct maat *instance, const char *table_name, const char *attribute_name, - struct maat_hit_object *objects, size_t n_object, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state); + uuid_t object_uuid_array[], uuid_t item_uuid_array[], size_t array_size, struct maat_state *state); -int maat_scan_not_logic(struct maat *instance, const char *table_name, const char *attribute_name, - uuid_t *results, size_t n_result, size_t *n_hit_result, struct maat_state *state); +int maat_scan_not_logic(struct maat *instance, const char *table_name, const char *attribute_name, struct maat_state *state); struct maat_stream; struct maat_stream *maat_stream_new(struct maat *instance, const char *table_name, const char *attribute_name, struct maat_state *state); -int maat_stream_scan(struct maat_stream *stream, const char *data, int data_len, - uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state); +int maat_stream_scan(struct maat_stream *stream, const char *data, int data_len, struct maat_state *state); void maat_stream_free(struct maat_stream *stream); /* maat state API */ struct maat_state *maat_state_new(struct maat *instance, int thread_id); -/* -security rule 1 src_ip & src_port -security rule 2 src_ip & fqdn -statistics rule 3 src_ip & src_port -statistics rule 4 src_ip & fqdn -scan(src_ip); -scan(src_port); -maat_state_compile("security", rule_array[]); -scan(src_ip); -scan(src_port); -scan(fqdn); -maat_state_compile("security", rule_array[]); -maat_state_compile("statistics", rule_array[]); - */ -size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result);//TODO: new API, return all rules every time, without removing duplicate rules + +/** + * @brief return all rules, without removing duplicate hit rules + * + * @param state: maat state + * @param table_name: rule table name + * @param rule_array: rule uuid array + * @param ex_data_array: rule ex_data array + * @param n_result: the size of rule_array and ex_data_array +*/ +size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result); void maat_state_reset(struct maat_state *state); void maat_state_free(struct maat_state *state); -int maat_state_set_scan_rule_table(struct maat_state *state, const char *rule_table_name);//TODO: delete - int maat_state_get_hit_paths(struct maat_state *state, struct maat_hit_path *path_array, size_t array_size); - -int maat_state_get_rule_table_names(struct maat_state *state, uuid_t *rule_ids, - size_t n_rule_ids, char *rule_table_names[]);//TODO: delete /** * @brief get the total number of scans after maat_state_new */ size_t maat_state_get_scan_count(struct maat_state *state); +size_t maat_state_get_attribute_cnt(struct maat_state *state); + /** - * @brief direct object means object corresponding to item - * - * NOTE: hit objects may be duplicated - * + * @brief return all attribute names + * NOTE: attribute names are valid until the state is freed or reset */ -int maat_state_get_direct_hit_objects(struct maat_state *state, - struct maat_hit_object *object_array, - size_t array_size);//TODO:delete -size_t maat_state_get_direct_hit_object_cnt(struct maat_state *state); +size_t maat_state_get_attribute_names(struct maat_state *state, const char *attribute_names[], size_t array_size); + +/** + * @brief return all hit objects +*/ +size_t maat_state_get_hit_objects(struct maat_state *state, + const char *attribute_name, + uuid_t object_array[], + size_t array_size); + +size_t maat_state_get_hit_object_cnt(struct maat_state *state, const char *attribute_name); + +/** + * @brief return direct hit items and direct hit objects + * NOTE: hit items may be duplicated +*/ +size_t maat_state_get_hit_items(struct maat_state *state, + const char *attribute_name, + uuid_t item_array[], + uuid_t direct_object_array[], + size_t array_size); + +size_t maat_state_get_hit_item_cnt(struct maat_state *state, + const char *attribute_name); /** * @brief indirect object means superior object * * NOTE: hit objects may be duplicated */ - - -/** - * @brief get last scan hit objects(including direct/indirect) -*/ -int maat_state_get_last_hit_objects(struct maat_state *state, - struct maat_hit_object *object_array, - size_t array_size);//TODO:delete - -size_t maat_state_get_last_hit_object_cnt(struct maat_state *state);//TODO:delete - - - -size_t maat_state_get_hit_objects(struct maat_state *state, - const char *attribute_name, - uuid_t object_array[], - size_t array_size);//TODO: new API, return all hit objects - -size_t maat_state_get_attribute_cnt(struct maat_state *state);//TODO: new API -size_t maat_state_get_attribute_names(struct maat_state *state, const char *attribute_names[], size_t array_size);//TODO: new API - -size_t maat_state_get_hit_object_cnt(struct maat_state *state, - const char *attribute_name);//TODO: new API - -size_t maat_state_get_hit_items(struct maat_state *state, - const char *attribute_name, - uuid_t item_array[], - uuid_t direct_object_array[], - size_t array_size);//TODO: new API, return direct hit items and direct hit objects - -size_t maat_state_get_hit_item_cnt(struct maat_state *state, - const char *attribute_name);//TODO: new API - size_t maat_state_get_indirect_hit_objects(struct maat_state *state, const char *attribute_name, uuid_t object_array[], - size_t array_size);//TODO: new API + size_t array_size); -size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state, const char *attribute_name);//TODO: add "const" prefix +size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state, const char *attribute_name); #ifdef __cplusplus } diff --git a/src/inc_internal/maat_core.h b/src/inc_internal/maat_core.h index da76049..9a2fcce 100644 --- a/src/inc_internal/maat_core.h +++ b/src/inc_internal/maat_core.h @@ -185,7 +185,7 @@ struct maat_state { struct rule_compile_state *rule_compile_state; int Nth_scan; uint16_t thread_id; - int16_t rule_table_id; + int16_t rule_table_id;//TODO: need remove ??? uint8_t logic_negate_option; }; diff --git a/src/inc_internal/maat_rule.h b/src/inc_internal/maat_rule.h index 7b9d0ef..d3952ca 100644 --- a/src/inc_internal/maat_rule.h +++ b/src/inc_internal/maat_rule.h @@ -72,12 +72,7 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str const char *attribute_name, int custom_rule_tbl_id, int Nth_scan, struct maat_item *hit_items, size_t n_hit_item); -void rule_compile_state_clear_last_hit_object(struct rule_compile_state *rule_state); - -void rule_compile_state_not_logic_update(struct rule_compile_state *rule_compile_state, - struct rule_runtime *rule_rt, - struct maat *maat_inst, const char *attribute_name, - int Nth_scan); +void rule_compile_state_not_logic_update(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, int Nth_scan); size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule_compile_state, struct rule_runtime *rule_rt, @@ -85,27 +80,24 @@ size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule struct maat_hit_path *hit_path_array, size_t array_size); -size_t rule_compile_state_get_direct_hit_objects(struct rule_compile_state *rule_compile_state, - struct maat_hit_object *object_array, - size_t array_size); +size_t rule_compile_state_get_direct_hit_items(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, + uuid_t item_array[], uuid_t direct_object_array[], size_t array_size); -size_t rule_compile_state_get_direct_hit_object_cnt(struct rule_compile_state *rule_compile_state); +size_t rule_compile_state_get_direct_hit_item_cnt(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name); -size_t rule_compile_state_get_indirect_hit_objects(struct rule_compile_state *rule_compile_state, - struct maat_hit_object *object_array, - size_t array_size); +size_t rule_compile_state_get_indirect_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, + const char *attribute_name, uuid_t object_array[], size_t array_size); -size_t rule_compile_state_get_indirect_hit_object_cnt(struct rule_compile_state *rule_compile_state); +size_t rule_compile_state_get_indirect_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name); -size_t rule_compile_state_get_last_hit_objects(struct rule_compile_state *rule_compile_state, - struct maat_hit_object *object_arary, - size_t array_size); +size_t rule_compile_state_get_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, + uuid_t object_array[], size_t array_size); -size_t rule_compile_state_get_last_hit_object_cnt(struct rule_compile_state *rule_compile_state); +size_t rule_compile_state_get_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name); -int rule_compile_state_get_rule_table_id(struct rule_compile_state *rule_compile_state, - uuid_t *rule_id); +size_t rule_compile_state_get_attribute_names(struct rule_compile_state *rule_compile_state, const char *attribute_name_array[], size_t array_size); +size_t rule_compile_state_get_attribute_cnt(struct rule_compile_state *rule_compile_state); #ifdef __cplusplus } #endif diff --git a/src/maat_api.c b/src/maat_api.c index 5819102..6aa0e85 100644 --- a/src/maat_api.c +++ b/src/maat_api.c @@ -856,7 +856,6 @@ int maat_plugin_table_ex_schema_register(struct maat *maat_inst, void *maat_plugin_table_get_ex_data(struct maat *maat_inst, const char *table_name, const char *key, size_t key_len) { - if (NULL == maat_inst || NULL == key) { return NULL; } @@ -1171,33 +1170,36 @@ string_scan(struct table_manager *tbl_mgr, int thread_id, return object_hit_cnt; } -static size_t -object_to_rule(struct maat *maat_inst, uuid_t *results, size_t n_result, - struct maat_state *state) +size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result) { - int rule_table_id = - table_manager_get_default_rule_table_id(maat_inst->tbl_mgr); - - if (state->rule_table_id > 0) { - rule_table_id = state->rule_table_id; + int table_id = maat_get_table_id(state->maat_inst, table_name); + if (table_id < 0) { + return 0; } - void *rule_rt = table_manager_get_runtime(maat_inst->tbl_mgr, - rule_table_id); + void *rule_rt = table_manager_get_runtime(state->maat_inst->tbl_mgr, table_id); if (NULL == rule_rt) { return 0; } - return rule_runtime_match((struct rule_runtime *)rule_rt, - results, n_result, state); + int rule_num = rule_runtime_match((struct rule_runtime *)rule_rt, rule_array, n_result, state); + if (rule_num <= 0) { + return 0; + } + + for (int i = 0; i < rule_num; i++) { + ex_data_array[i] = maat_plugin_table_get_ex_data(state->maat_inst, table_name, (char*)&rule_array[i], sizeof(uuid_t)); + } + + alignment_int64_array_add(state->maat_inst->stat->hit_rule_cnt, state->thread_id, rule_num); + + return rule_num; } int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *attribute_name, - long long flag, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) + long long flag, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) || - (NULL == state) || (state->thread_id < 0)) { + if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) { return MAAT_SCAN_ERR; } @@ -1219,11 +1221,13 @@ int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *a return MAAT_SCAN_OK; } + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + enum table_type table_type = TABLE_TYPE_INVALID; table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id); if (table_type != TABLE_TYPE_FLAG) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; + goto ERROR; } alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); @@ -1231,20 +1235,7 @@ int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *a table_id, attribute_name, state); if (hit_object_cnt < 0) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; - } - - maat_runtime_ref_inc(maat_rt, state->thread_id); - - size_t sum_hit_rule_cnt = 0; - if (hit_object_cnt > 0) { - sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = sum_hit_rule_cnt; - } - - if (sum_hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - sum_hit_rule_cnt); + goto ERROR; } void *flag_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id); @@ -1257,23 +1248,23 @@ int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *a flag_runtime_perf_stat(flag_rt, NULL, NULL, state->thread_id); } - maat_runtime_ref_dec(maat_rt, state->thread_id); + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); - if (sum_hit_rule_cnt > 0) { + if (hit_object_cnt > 0) { return MAAT_SCAN_HIT; - } else if (hit_object_cnt > 0) { - return MAAT_SCAN_HALF_HIT; } else { return MAAT_SCAN_OK; } + +ERROR: + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); + return MAAT_SCAN_ERR; } int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char *attribute_name, - long long integer, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) + long long integer, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) || - (NULL == state) || (state->thread_id < 0)) { + if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) { return MAAT_SCAN_ERR; } @@ -1295,11 +1286,13 @@ int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char return MAAT_SCAN_OK; } + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + enum table_type table_type = TABLE_TYPE_INVALID; table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id); if (table_type != TABLE_TYPE_INTERVAL) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; + goto ERROR; } alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); @@ -1307,20 +1300,7 @@ int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char table_id, attribute_name, state); if (hit_object_cnt < 0) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; - } - - maat_runtime_ref_inc(maat_rt, state->thread_id); - - size_t sum_hit_rule_cnt = 0; - if (hit_object_cnt > 0) { - sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = sum_hit_rule_cnt; - } - - if (sum_hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - sum_hit_rule_cnt); + goto ERROR; } void *interval_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id); @@ -1333,23 +1313,23 @@ int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char interval_runtime_perf_stat(interval_rt, NULL, NULL, state->thread_id); } - maat_runtime_ref_dec(maat_rt, state->thread_id); + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); - if (sum_hit_rule_cnt > 0) { + if (hit_object_cnt > 0) { return MAAT_SCAN_HIT; - } else if (hit_object_cnt > 0) { - return MAAT_SCAN_HALF_HIT; } else { return MAAT_SCAN_OK; } + +ERROR: + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); + return MAAT_SCAN_ERR; } int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const char *attribute_name, - uint32_t ip_addr, int port, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) + uint32_t ip_addr, int port, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) || - (NULL == state) || (state->thread_id < 0)) { + if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) { return MAAT_SCAN_ERR; } @@ -1371,11 +1351,13 @@ int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const ch return MAAT_SCAN_OK; } + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + enum table_type table_type = TABLE_TYPE_INVALID; table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id); if (table_type != TABLE_TYPE_IP) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; + goto ERROR; } alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); @@ -1383,20 +1365,7 @@ int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const ch table_id, attribute_name, state); if (hit_object_cnt < 0) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; - } - - maat_runtime_ref_inc(maat_rt, state->thread_id); - - size_t sum_hit_rule_cnt = 0; - if (hit_object_cnt > 0) { - sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = sum_hit_rule_cnt; - } - - if (sum_hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - sum_hit_rule_cnt); + goto ERROR; } void *ip_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id); @@ -1409,23 +1378,23 @@ int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const ch ip_runtime_perf_stat(ip_rt, NULL, NULL, state->thread_id); } - maat_runtime_ref_dec(maat_rt, state->thread_id); + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); - if (sum_hit_rule_cnt > 0) { + if (hit_object_cnt > 0) { return MAAT_SCAN_HIT; - } else if (hit_object_cnt > 0) { - return MAAT_SCAN_HALF_HIT; } else { return MAAT_SCAN_OK; } + +ERROR: + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); + return MAAT_SCAN_ERR; } int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const char *attribute_name, - uint8_t *ip_addr, int port, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) + uint8_t *ip_addr, int port, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == ip_addr) || (NULL == results) || (0 == n_result) || - (NULL == n_hit_result) || (NULL == state) || (state->thread_id < 0)) { + if ((NULL == maat_inst) || (NULL == ip_addr) || (NULL == state) || (state->thread_id < 0)) { return MAAT_SCAN_ERR; } @@ -1447,11 +1416,13 @@ int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const ch return MAAT_SCAN_OK; } + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + enum table_type table_type = TABLE_TYPE_INVALID; table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id); if (table_type != TABLE_TYPE_IP) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; + goto ERROR; } alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); @@ -1459,20 +1430,7 @@ int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const ch table_id, attribute_name, state); if (hit_object_cnt < 0) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; - } - - maat_runtime_ref_inc(maat_rt, state->thread_id); - - size_t sum_hit_rule_cnt = 0; - if (hit_object_cnt > 0) { - sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = sum_hit_rule_cnt; - } - - if (sum_hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - sum_hit_rule_cnt); + goto ERROR; } void *ip_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id); @@ -1485,40 +1443,36 @@ int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const ch ip_runtime_perf_stat(ip_rt, NULL, NULL, state->thread_id); } - maat_runtime_ref_dec(maat_rt, state->thread_id); + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); - if (sum_hit_rule_cnt > 0) { + if (hit_object_cnt > 0) { return MAAT_SCAN_HIT; - } else if (hit_object_cnt > 0) { - return MAAT_SCAN_HALF_HIT; } else { return MAAT_SCAN_OK; } + +ERROR: + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); + return MAAT_SCAN_ERR; } #define PORT_IGNORED -1 inline int maat_scan_ipv6(struct maat *instance, const char *table_name, const char *attribute_name, - uint8_t *ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state) + uint8_t *ip_addr, struct maat_state *state) { - return maat_scan_ipv6_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED, - results, n_result, n_hit_result, state); + return maat_scan_ipv6_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED, state); } inline int maat_scan_ipv4(struct maat *instance, const char *table_name, const char *attribute_name, - uint32_t ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state) + uint32_t ip_addr, struct maat_state *state) { - return maat_scan_ipv4_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED, - results, n_result, n_hit_result, state); + return maat_scan_ipv4_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED, state); } int maat_scan_string(struct maat *maat_inst, const char *table_name, const char *attribute_name, - const char *data, size_t data_len, uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) + const char *data, size_t data_len, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == data) || (0 == data_len) || (NULL == results) || - (0 == n_result) || (NULL == n_hit_result) || (NULL == state) || + if ((NULL == maat_inst) || (NULL == data) || (0 == data_len) || (NULL == state) || (state->thread_id < 0)) { return MAAT_SCAN_ERR; } @@ -1541,11 +1495,13 @@ int maat_scan_string(struct maat *maat_inst, const char *table_name, const char return MAAT_SCAN_OK; } + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + enum table_type table_type = TABLE_TYPE_INVALID; table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id); if (table_type != TABLE_TYPE_EXPR) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; + goto ERROR; } alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); @@ -1553,20 +1509,7 @@ int maat_scan_string(struct maat *maat_inst, const char *table_name, const char data_len, table_id, attribute_name, state); if (hit_object_cnt < 0) { maat_inst->stat->scan_err_cnt++; - return MAAT_SCAN_ERR; - } - - maat_runtime_ref_inc(maat_rt, state->thread_id); - - size_t sum_hit_rule_cnt = 0; - if (hit_object_cnt > 0) { - sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = sum_hit_rule_cnt; - } - - if (sum_hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - sum_hit_rule_cnt); + goto ERROR; } void *expr_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id); @@ -1579,42 +1522,39 @@ int maat_scan_string(struct maat *maat_inst, const char *table_name, const char expr_runtime_perf_stat(expr_rt, data_len, NULL, NULL, state->thread_id); } - maat_runtime_ref_dec(maat_rt, state->thread_id); + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); - if (sum_hit_rule_cnt > 0) { + if (hit_object_cnt > 0) { return MAAT_SCAN_HIT; - } else if (hit_object_cnt > 0) { - return MAAT_SCAN_HALF_HIT; } else { return MAAT_SCAN_OK; } + +ERROR: + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); + return MAAT_SCAN_ERR; } static void maat_state_add_hit_object(struct maat_state *state, const char *attribute_name, - struct maat_hit_object *objects, size_t n_object) + uuid_t object_uuid_array[], uuid_t item_uuid_array[], size_t array_size) { struct maat *maat_inst = state->maat_inst; - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - if (NULL == state->rule_compile_state) { state->rule_compile_state = rule_compile_state_new(); alignment_int64_array_add(maat_inst->stat->rule_state_cnt, state->thread_id, 1); } - size_t n_hit_item = n_object; - if (n_object >= MAX_HIT_OBJECT_NUM) { + size_t n_hit_item = array_size; + if (n_hit_item >= MAX_HIT_OBJECT_NUM) { n_hit_item = MAX_HIT_OBJECT_NUM; } struct maat_item hit_items[n_hit_item]; for (size_t i = 0; i < n_hit_item; i++) { - uuid_copy(hit_items[i].item_uuid, objects[i].item_uuid); - uuid_copy(hit_items[i].object_uuid, objects[i].object_uuid); + uuid_copy(hit_items[i].item_uuid, item_uuid_array[i]); + uuid_copy(hit_items[i].object_uuid, object_uuid_array[i]); } rule_compile_state_update(state->rule_compile_state, maat_inst, attribute_name, @@ -1622,42 +1562,10 @@ static void maat_state_add_hit_object(struct maat_state *state, const char *attr hit_items, n_hit_item); } -static void -maat_state_activate_hit_not_object(struct maat_state *state, const char *attribute_name) -{ - if (NULL == state) { - return; - } - - struct maat *maat_inst = state->maat_inst; - int rule_table_id = - table_manager_get_default_rule_table_id(maat_inst->tbl_mgr); - if (state->rule_table_id > 0) { - rule_table_id = state->rule_table_id; - } - - struct rule_runtime *rule_rt = - table_manager_get_runtime(maat_inst->tbl_mgr, rule_table_id); - if (NULL == rule_rt) { - return; - } - - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - - rule_compile_state_not_logic_update(state->rule_compile_state, rule_rt, maat_inst, - attribute_name, state->Nth_scan); -} - int maat_scan_object(struct maat *maat_inst, const char *table_name, const char *attribute_name, - struct maat_hit_object *objects, size_t n_object, - uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) + uuid_t object_uuid_array[], uuid_t item_uuid_array[], size_t array_size, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == objects) || (0 == n_object) || (NULL == results) || - (0 == n_result) || (NULL == n_hit_result) || (NULL == state) || + if ((NULL == maat_inst) || (array_size == 0) || (NULL == state) || (state->thread_id < 0)) { return -1; } @@ -1675,29 +1583,20 @@ int maat_scan_object(struct maat *maat_inst, const char *table_name, const char return MAAT_SCAN_OK; } - maat_runtime_ref_inc(maat_rt, state->thread_id); + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); - maat_state_add_hit_object(state, attribute_name, objects, n_object); - size_t hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = hit_rule_cnt; + maat_state_add_hit_object(state, attribute_name, object_uuid_array, item_uuid_array, array_size); - maat_runtime_ref_dec(maat_rt, state->thread_id); - if (hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - hit_rule_cnt); - return MAAT_SCAN_HIT; - } + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); return MAAT_SCAN_OK; } -int maat_scan_not_logic(struct maat *maat_inst, const char *table_name, const char *attribute_name, - uuid_t *results, size_t n_result, - size_t *n_hit_result, struct maat_state *state) +int maat_scan_not_logic(struct maat *maat_inst, const char *table_name, const char *attribute_name, struct maat_state *state) { - if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) || - (NULL == state) || (state->thread_id < 0)) { + if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) { return -1; } @@ -1710,19 +1609,13 @@ int maat_scan_not_logic(struct maat *maat_inst, const char *table_name, const ch return MAAT_SCAN_OK; } - maat_runtime_ref_inc(maat_rt, state->thread_id); + maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id); + alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1); - maat_state_activate_hit_not_object(state, attribute_name); - size_t hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = hit_rule_cnt; + rule_compile_state_not_logic_update(maat_inst, state->rule_compile_state, attribute_name, state->Nth_scan); - maat_runtime_ref_dec(maat_rt, state->thread_id); - if (hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id, - hit_rule_cnt); - return MAAT_SCAN_HIT; - } + maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id); return MAAT_SCAN_OK; } @@ -1807,12 +1700,9 @@ static int expr_stream_scan(struct maat_stream *stream, const char *data, return object_hit_cnt; } -int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data_len, - uuid_t *results, size_t n_result, size_t *n_hit_result, - struct maat_state *state) +int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data_len, struct maat_state *state) { - if ((NULL == maat_stream) || (NULL == data) || (0 == data_len) - || (NULL == results) || (0 == n_result) || (NULL == state)) { + if ((NULL == maat_stream) || (NULL == data) || (0 == data_len) || (NULL == state)) { return MAAT_SCAN_ERR; } @@ -1844,17 +1734,6 @@ int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data if (hit_object_cnt < 0) { maat_inst->stat->scan_err_cnt++; return MAAT_SCAN_ERR; - } - - size_t sum_hit_rule_cnt = 0; - if (hit_object_cnt > 0) { - sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state); - *n_hit_result = sum_hit_rule_cnt; - } - - if (sum_hit_rule_cnt > 0) { - alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, maat_stream->thread_id, - sum_hit_rule_cnt); } if (1 == maat_inst->opts.perf_on) { @@ -1864,10 +1743,8 @@ int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data expr_runtime_perf_stat(expr_rt, data_len, NULL, NULL, state->thread_id); } - if (sum_hit_rule_cnt > 0) { + if (hit_object_cnt > 0) { return MAAT_SCAN_HIT; - } else if (hit_object_cnt > 0) { - return MAAT_SCAN_HALF_HIT; } else { return MAAT_SCAN_OK; } @@ -1964,45 +1841,6 @@ void maat_state_free(struct maat_state *state) thread_id, sizeof(struct maat_state)); } -int maat_state_set_scan_rule_table(struct maat_state *state, const char *rule_table_name) -{ - if (NULL == state) { - return -1; - } - - int rule_table_id = table_manager_get_table_id(state->maat_inst->tbl_mgr, rule_table_name); - if (rule_table_id < 0) { - return -1; - } - - struct maat *maat_inst = state->maat_inst; - assert(maat_inst != NULL); - - if (NULL == maat_inst->maat_rt) { - return -1; - } - - state->rule_table_id = rule_table_id; - - return 0; -} - -int maat_state_get_rule_table_names(struct maat_state *state, uuid_t *rule_ids, - size_t n_rule_ids, char *rule_table_names[]) -{ - if (NULL == state || NULL == rule_ids || 0 == n_rule_ids || - NULL == rule_table_names) { - return -1; - } - - for (size_t i = 0; i < n_rule_ids; i++) { - int table_id = rule_compile_state_get_rule_table_id(state->rule_compile_state, &rule_ids[i]); - rule_table_names[i] = (char *)table_manager_get_table_name(state->maat_inst->tbl_mgr, table_id); - } - - return n_rule_ids; -} - int maat_state_get_hit_paths(struct maat_state *state, struct maat_hit_path *path_array, size_t array_size) { @@ -2056,11 +1894,11 @@ size_t maat_state_get_scan_count(struct maat_state *state) return state->Nth_scan; } -int maat_state_get_direct_hit_objects(struct maat_state *state, - struct maat_hit_object *object_array, - size_t array_size) +size_t maat_state_get_hit_items(struct maat_state *state, const char *attribute_name, + uuid_t item_array[], uuid_t direct_object_array[], + size_t array_size) { - if (NULL == state || NULL == object_array || 0 == array_size) { + if (NULL == state || 0 == array_size) { return -1; } @@ -2068,61 +1906,81 @@ int maat_state_get_direct_hit_objects(struct maat_state *state, return 0; } - return rule_compile_state_get_direct_hit_objects(state->rule_compile_state, - object_array, array_size); + return rule_compile_state_get_direct_hit_items(state->maat_inst, state->rule_compile_state, attribute_name, item_array, direct_object_array, array_size); } -size_t maat_state_get_direct_hit_object_cnt(struct maat_state *state) +size_t maat_state_get_hit_item_cnt(struct maat_state *state, const char *attribute_name) { if (NULL == state || NULL == state->rule_compile_state) { return 0; } - return rule_compile_state_get_direct_hit_object_cnt(state->rule_compile_state); + return rule_compile_state_get_direct_hit_item_cnt(state->maat_inst, state->rule_compile_state, attribute_name); } -int maat_state_get_indirect_hit_objects(struct maat_state *state, - struct maat_hit_object *object_array, - size_t array_size) +size_t maat_state_get_indirect_hit_objects(struct maat_state *state, const char *attribute_name, + uuid_t object_array[], size_t array_size) { if (NULL == state || NULL == object_array || 0 == array_size) { - return -1; + return 0; } if (NULL == state->rule_compile_state) { return 0; } - return rule_compile_state_get_indirect_hit_objects(state->rule_compile_state, - object_array, array_size); + return rule_compile_state_get_indirect_hit_objects(state->maat_inst, state->rule_compile_state, attribute_name, object_array, array_size); } -size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state) +size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state, const char *attribute_name) { if (NULL == state || NULL == state->rule_compile_state) { return 0; } - return rule_compile_state_get_indirect_hit_object_cnt(state->rule_compile_state); + return rule_compile_state_get_indirect_hit_object_cnt(state->maat_inst, state->rule_compile_state, attribute_name); } -int maat_state_get_last_hit_objects(struct maat_state *state, - struct maat_hit_object *object_array, - size_t array_size) +size_t maat_state_get_hit_objects(struct maat_state *state, const char *attribute_name, uuid_t object_array[], size_t array_size) +{ + if (NULL == state || NULL == object_array || 0 == array_size) { + return 0; + } + + if (NULL == state->rule_compile_state) { + return 0; + } + + return rule_compile_state_get_hit_objects(state->maat_inst, state->rule_compile_state, attribute_name, object_array, array_size); +} + +size_t maat_state_get_hit_object_cnt(struct maat_state *state, const char *attribute_name) { if (NULL == state || NULL == state->rule_compile_state) { return 0; } - return rule_compile_state_get_last_hit_objects(state->rule_compile_state, - object_array, array_size); + return rule_compile_state_get_hit_object_cnt(state->maat_inst, state->rule_compile_state, attribute_name); } -size_t maat_state_get_last_hit_object_cnt(struct maat_state *state) +size_t maat_state_get_attribute_names(struct maat_state *state, const char *attribute_names[], size_t array_size) +{ + if (NULL == state || NULL == attribute_names || 0 == array_size) { + return 0; + } + + if (NULL == state->rule_compile_state) { + return 0; + } + + return rule_compile_state_get_attribute_names(state->rule_compile_state, attribute_names, array_size); +} + +size_t maat_state_get_attribute_cnt(struct maat_state *state) { if (NULL == state || NULL == state->rule_compile_state) { return 0; } - return rule_compile_state_get_last_hit_object_cnt(state->rule_compile_state); + return rule_compile_state_get_attribute_cnt(state->rule_compile_state); } \ No newline at end of file diff --git a/src/maat_expr.c b/src/maat_expr.c index 1b06e42..8fedd94 100644 --- a/src/maat_expr.c +++ b/src/maat_expr.c @@ -815,11 +815,6 @@ int expr_runtime_scan(struct expr_runtime *expr_rt, int thread_id, const char *data, size_t data_len, const char *attribute_name, struct maat_state *state) { - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - if (0 == expr_rt->rule_num) { //empty expr table return 0; @@ -907,11 +902,6 @@ int expr_runtime_stream_scan(struct expr_runtime_stream *expr_rt_stream, { struct expr_runtime *expr_rt = expr_rt_stream->ref_expr_rt; - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - if (0 == expr_rt->rule_num) { //empty expr table return 0; diff --git a/src/maat_flag.c b/src/maat_flag.c index 1cebe12..e347caf 100644 --- a/src/maat_flag.c +++ b/src/maat_flag.c @@ -403,11 +403,6 @@ long long flag_runtime_rule_count(void *flag_runtime) int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id, long long flag, const char *attribute_name, struct maat_state *state) { - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - if (0 == flag_rt->rule_num) { //empty flag table return 0; diff --git a/src/maat_interval.c b/src/maat_interval.c index be03149..f97ccce 100644 --- a/src/maat_interval.c +++ b/src/maat_interval.c @@ -411,11 +411,6 @@ long long interval_runtime_rule_count(void *interval_runtime) int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id, long long integer, const char *attribute_name, struct maat_state *state) { - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - if (0 == interval_rt->rule_num) { //empty interval table return 0; diff --git a/src/maat_ip.c b/src/maat_ip.c index 04d6759..43e7d6c 100644 --- a/src/maat_ip.c +++ b/src/maat_ip.c @@ -477,11 +477,6 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime) int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type, uint8_t *ip_addr, int port, const char *attribute_name, struct maat_state *state) { - //clear rule_state->last_hit_object - if (state != NULL && state->rule_compile_state != NULL) { - rule_compile_state_clear_last_hit_object(state->rule_compile_state); - } - if (0 == ip_rt->rule_num) { //empty ip table return 0; diff --git a/src/maat_rule.c b/src/maat_rule.c index bc68ac0..d3beb76 100644 --- a/src/maat_rule.c +++ b/src/maat_rule.c @@ -68,9 +68,13 @@ struct table_condition { UT_hash_handle hh; }; -struct negate_attribute_object { +struct attribute_hit_object_collection { char attribute_name[MAX_ATTR_NAME_LEN]; - UT_array *object_uuids; + UT_array *direct_items; + UT_array *indirect_object_uuids;//TODO: ??????? change it to graph? + UT_array *all_object_uuids; + int need_not_condition; + int Nth_scan; UT_hash_handle hh; }; @@ -128,34 +132,21 @@ struct internal_hit_path { char attribute_name[MAX_ATTR_NAME_LEN]; }; -struct rule2table_id { - uuid_t rule_uuid; - int table_id; -}; - struct rule_compile_state { int Nth_scan; - int this_scan_not_logic; time_t rule_rt_version; UT_array *internal_hit_paths; UT_array *all_hit_conditions; - UT_array *this_scan_hit_conditions; - UT_array *this_scan_hit_not_conditions; UT_array *exclude_not_conditions; - UT_array *direct_hit_objects; - UT_array *indirect_hit_objects; - UT_array *last_hit_objects;//TODO: ??????? - UT_array *hit_rule_table_ids; - struct negate_attribute_object *hit_negate_attribute_objects; + struct attribute_hit_object_collection *attr_hit_objects_hashtbl; }; UT_icd ut_condition_id_icd = {sizeof(long long), NULL, NULL, NULL}; UT_icd ut_condition_literal_icd = {sizeof(struct condition_literal), NULL, NULL, NULL}; -UT_icd ut_rule_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL}; -UT_icd ut_maat_hit_object_icd = {sizeof(struct maat_hit_object), NULL, NULL, NULL}; +UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL}; +UT_icd ut_maat_item_icd = {sizeof(struct maat_item), NULL, NULL, NULL}; UT_icd ut_hit_path_icd = {sizeof(struct internal_hit_path), NULL, NULL, NULL}; -UT_icd ut_hit_rule_table_id_icd = {sizeof(struct rule2table_id), NULL, NULL, NULL}; static void rule_item_free(struct rule_item *item) { @@ -678,11 +669,6 @@ static inline int compare_condition_id(const void *a, const void *b) } } -static inline int compare_rule_uuid(const void *a, const void *b) -{ - return uuid_compare(*(uuid_t *)a, *(uuid_t *)b); -} - /** * @brief build hash for condition or not_condition * @@ -761,72 +747,6 @@ build_condition_id_kv_hash(struct rule_runtime *rule_rt, int negate_option) return condition_id_kv_hash; } -static int -maat_rule_has_condition(struct maat_rule *rule, long long condition_id) -{ - struct rule_condition *condition = NULL; - - for (size_t i = 0; i < MAX_ITEMS_PER_BOOL_EXPR; i++) { - condition = rule->conditions + i; - if (!condition->in_use) { - continue; - } - - if (condition->condition_id == condition_id) { - return 1; - } - } - - return 0; -} - -static size_t -rule_compile_state_if_new_hit_rule(struct rule_compile_state *rule_compile_state, - struct maat_rule *rule) -{ - size_t i = 0; - size_t r_in_c_cnt = 0; - int ret = 0; - - long long new_hit_condition_id = 0; - if (0 == rule_compile_state->this_scan_not_logic) { - for (i = 0; i < utarray_len(rule_compile_state->this_scan_hit_conditions); i++) { - new_hit_condition_id = - *(long long*)utarray_eltptr(rule_compile_state->this_scan_hit_conditions, i); - ret = maat_rule_has_condition(rule, new_hit_condition_id); - if (ret) { - r_in_c_cnt++; - } - } - } else { - for (i = 0; i < utarray_len(rule_compile_state->this_scan_hit_not_conditions); i++) { - new_hit_condition_id = - *(long long*)utarray_eltptr(rule_compile_state->this_scan_hit_not_conditions, i); - ret = maat_rule_has_condition(rule, new_hit_condition_id); - if (ret) { - r_in_c_cnt++; - } - } - } - - return r_in_c_cnt; -} - -static void -rule_compile_state_update_hit_rule_table_id(struct rule_compile_state *rule_compile_state, - uuid_t rule_uuid, int table_id) -{ - if (!utarray_find(rule_compile_state->hit_rule_table_ids, &rule_uuid, - compare_rule_uuid)) { - struct rule2table_id rule_table_id; - rule_table_id.table_id = table_id; - uuid_copy(rule_table_id.rule_uuid, rule_uuid); - - utarray_push_back(rule_compile_state->hit_rule_table_ids, &rule_table_id); - utarray_sort(rule_compile_state->hit_rule_table_ids, compare_rule_uuid); - } -} - static size_t maat_rule_bool_matcher_match(struct rule_runtime *rule_rt, struct rule_compile_state *rule_compile_state, @@ -863,14 +783,9 @@ maat_rule_bool_matcher_match(struct rule_runtime *rule_rt, continue; } - size_t n_new_hit_rule = - rule_compile_state_if_new_hit_rule(rule_compile_state, rule); - - if (rule->user_data != NULL && n_new_hit_rule > 0) { + if (rule->user_data != NULL) { user_data_array[ud_result_cnt] = rule->user_data; ud_result_cnt++; - rule_compile_state_update_hit_rule_table_id(rule_compile_state, rule->rule_uuid, - rule->table_id); } } @@ -883,64 +798,27 @@ struct rule_compile_state *rule_compile_state_new(void) utarray_new(rule_compile_state->internal_hit_paths, &ut_hit_path_icd); utarray_new(rule_compile_state->all_hit_conditions, &ut_condition_id_icd); - utarray_new(rule_compile_state->this_scan_hit_conditions, &ut_condition_id_icd); - utarray_new(rule_compile_state->this_scan_hit_not_conditions, &ut_condition_id_icd); utarray_new(rule_compile_state->exclude_not_conditions, &ut_condition_id_icd); - utarray_new(rule_compile_state->direct_hit_objects, &ut_maat_hit_object_icd); - utarray_new(rule_compile_state->indirect_hit_objects, &ut_maat_hit_object_icd); - utarray_new(rule_compile_state->last_hit_objects, &ut_maat_hit_object_icd); - utarray_new(rule_compile_state->hit_rule_table_ids, &ut_hit_rule_table_id_icd); - rule_compile_state->hit_negate_attribute_objects = NULL; return rule_compile_state; } -static long long -rule_compile_state_hit_not_condition_objects_free(struct rule_compile_state *rule_compile_state) -{ - if (NULL == rule_compile_state) { - return 0; - } - - long long free_bytes = 0; - struct negate_attribute_object *negate_attr_obj = NULL, *tmp_negate_attr_obj = NULL; - HASH_ITER(hh, rule_compile_state->hit_negate_attribute_objects, negate_attr_obj, tmp_negate_attr_obj) { - free_bytes += - (sizeof(negate_attr_obj) + utarray_len(negate_attr_obj->object_uuids) * sizeof(uuid_t)); - HASH_DEL(rule_compile_state->hit_negate_attribute_objects, negate_attr_obj); - if (negate_attr_obj->object_uuids != NULL) { - utarray_free(negate_attr_obj->object_uuids); - negate_attr_obj->object_uuids = NULL; - } - FREE(negate_attr_obj); - } - - return free_bytes; -} - void rule_compile_state_reset(struct rule_compile_state *rule_compile_state) { if (NULL == rule_compile_state) { return; } - rule_compile_state->this_scan_not_logic = 0; rule_compile_state->Nth_scan = 0; rule_compile_state->rule_rt_version = 0; utarray_clear(rule_compile_state->internal_hit_paths); utarray_clear(rule_compile_state->all_hit_conditions); - utarray_clear(rule_compile_state->this_scan_hit_conditions); - utarray_clear(rule_compile_state->this_scan_hit_not_conditions); utarray_clear(rule_compile_state->exclude_not_conditions); - utarray_clear(rule_compile_state->direct_hit_objects); - utarray_clear(rule_compile_state->indirect_hit_objects); - utarray_clear(rule_compile_state->last_hit_objects); - utarray_clear(rule_compile_state->hit_rule_table_ids); - struct negate_attribute_object *negate_attr_obj = NULL, *tmp_negate_attr_obj = NULL; - HASH_ITER(hh, rule_compile_state->hit_negate_attribute_objects, negate_attr_obj, tmp_negate_attr_obj) { - utarray_clear(negate_attr_obj->object_uuids); + struct attribute_hit_object_collection *attr_hit_obj = NULL, *tmp_hit_attr_obj = NULL; + HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj, tmp_hit_attr_obj) { + //TODO: clear } } @@ -965,20 +843,6 @@ void rule_compile_state_free(struct rule_compile_state *rule_compile_state, utarray_free(rule_compile_state->all_hit_conditions); rule_compile_state->all_hit_conditions = NULL; } - - if (rule_compile_state->this_scan_hit_conditions != NULL) { - free_bytes += utarray_size(rule_compile_state->this_scan_hit_conditions) * - sizeof(long long); - utarray_free(rule_compile_state->this_scan_hit_conditions); - rule_compile_state->this_scan_hit_conditions = NULL; - } - - if (rule_compile_state->this_scan_hit_not_conditions != NULL) { - free_bytes += utarray_size(rule_compile_state->this_scan_hit_not_conditions) * - sizeof(long long); - utarray_free(rule_compile_state->this_scan_hit_not_conditions); - rule_compile_state->this_scan_hit_not_conditions = NULL; - } if (rule_compile_state->exclude_not_conditions != NULL) { free_bytes += utarray_size(rule_compile_state->exclude_not_conditions) * @@ -987,35 +851,7 @@ void rule_compile_state_free(struct rule_compile_state *rule_compile_state, rule_compile_state->exclude_not_conditions = NULL; } - if (rule_compile_state->direct_hit_objects != NULL) { - free_bytes += utarray_size(rule_compile_state->direct_hit_objects) * - sizeof(struct maat_hit_object); - utarray_free(rule_compile_state->direct_hit_objects); - rule_compile_state->direct_hit_objects = NULL; - } - - if (rule_compile_state->indirect_hit_objects != NULL) { - free_bytes += utarray_size(rule_compile_state->indirect_hit_objects) * - sizeof(struct maat_hit_object); - utarray_free(rule_compile_state->indirect_hit_objects); - rule_compile_state->indirect_hit_objects = NULL; - } - - if (rule_compile_state->last_hit_objects != NULL) { - free_bytes += utarray_size(rule_compile_state->last_hit_objects) * - sizeof(struct maat_hit_object); - utarray_free(rule_compile_state->last_hit_objects); - rule_compile_state->last_hit_objects = NULL; - } - - if (rule_compile_state->hit_rule_table_ids != NULL) { - free_bytes += utarray_size(rule_compile_state->hit_rule_table_ids) * - sizeof(struct rule2table_id); - utarray_free(rule_compile_state->hit_rule_table_ids); - rule_compile_state->hit_rule_table_ids = NULL; - } - - free_bytes += rule_compile_state_hit_not_condition_objects_free(rule_compile_state); + //TODO: free attr_hit_objects_hashtbl FREE(rule_compile_state); @@ -1056,7 +892,7 @@ static int maat_rule_has_condition_query_key(struct maat_rule *rule, for (size_t j = 0; j < utarray_len(condition->literals); j++) { tmp_literal = (struct condition_literal *)utarray_eltptr(condition->literals, j); - if (strncmp(tmp_literal->attribute_name, key->attribute_name, sizeof(key->attribute_name)) != 0) { + if (strcmp(tmp_literal->attribute_name, key->attribute_name) != 0) { continue; } @@ -1094,7 +930,7 @@ maat_rule_get_hit_condition_index(struct maat_rule *rule, for (size_t j = 0; j < utarray_len(tmp_condition->literals); j++) { tmp_literal = (struct condition_literal *)utarray_eltptr(tmp_condition->literals, j); - if (strncmp(tmp_literal->attribute_name, attribute_name, sizeof(tmp_literal->attribute_name)) != 0) { + if (strcmp(tmp_literal->attribute_name, attribute_name) != 0) { continue; } @@ -1234,36 +1070,28 @@ size_t rule_runtime_get_hit_paths(struct rule_runtime *rule_rt, int thread_id, static void rule_compile_state_add_direct_hit_objects(struct rule_compile_state *rule_compile_state, struct maat_item *hit_items, - size_t n_hit_items, const char *attribute_name) + size_t n_hit_items, struct attribute_hit_object_collection * attr_hit_obj_coll) { if (NULL == rule_compile_state || NULL == hit_items) { return; } - struct maat_hit_object hit_object; for (size_t i = 0; i < n_hit_items; i++) { - uuid_copy(hit_object.item_uuid, hit_items[i].item_uuid); - uuid_copy(hit_object.object_uuid, hit_items[i].object_uuid); - snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name); - utarray_push_back(rule_compile_state->direct_hit_objects, &hit_object); + utarray_push_back(attr_hit_obj_coll->direct_items, &hit_items[i]); } } static void rule_compile_state_add_indirect_hit_objects(struct rule_compile_state *rule_compile_state, - uuid_t *object_uuids, - size_t n_object_uuids, const char *attribute_name) + uuid_t *object_uuids, size_t n_object_uuids, + struct attribute_hit_object_collection * attr_hit_obj_coll) { if (NULL == rule_compile_state || NULL == object_uuids) { return; } - struct maat_hit_object hit_object; for (size_t i = 0; i < n_object_uuids; i++) { - uuid_clear(hit_object.item_uuid); - uuid_copy(hit_object.object_uuid, object_uuids[i]); - snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name); - utarray_push_back(rule_compile_state->indirect_hit_objects, &hit_object); + utarray_push_back(attr_hit_obj_coll->indirect_object_uuids, &object_uuids[i]); } } @@ -1271,24 +1099,24 @@ static void rule_compile_state_add_hit_conditions(struct rule_compile_state *rule_compile_state, UT_array *condition_id_array) { - size_t i = 0; + int condition_id_idx_array[utarray_len(condition_id_array)]; + int condition_id_idx_array_len = 0; long long *condition_id = NULL; - size_t new_condition_idx = utarray_len(rule_compile_state->this_scan_hit_conditions); - for (i = 0; i < utarray_len(condition_id_array); i++) { + for (size_t i = 0; i < utarray_len(condition_id_array); i++) { condition_id = (long long *)utarray_eltptr(condition_id_array, i); if (utarray_find(rule_compile_state->all_hit_conditions, condition_id, compare_condition_id)) { continue; } - utarray_push_back(rule_compile_state->this_scan_hit_conditions, condition_id); + condition_id_idx_array[condition_id_idx_array_len] = i; + condition_id_idx_array_len++; } - if ((utarray_len(rule_compile_state->this_scan_hit_conditions) - new_condition_idx) > 0) { - utarray_reserve(rule_compile_state->all_hit_conditions, - utarray_len(rule_compile_state->this_scan_hit_conditions) - new_condition_idx); + if (condition_id_idx_array_len > 0) { + utarray_reserve(rule_compile_state->all_hit_conditions, condition_id_idx_array_len); - for (i = new_condition_idx; i < utarray_len(rule_compile_state->this_scan_hit_conditions); i++) { - condition_id = (long long *)utarray_eltptr(rule_compile_state->this_scan_hit_conditions, i); + for (size_t i = 0; i < condition_id_idx_array_len; i++) { + condition_id = (long long *)utarray_eltptr(condition_id_array, condition_id_idx_array[i]); utarray_push_back(rule_compile_state->all_hit_conditions, condition_id); } utarray_sort(rule_compile_state->all_hit_conditions, compare_condition_id); @@ -1299,26 +1127,39 @@ static void rule_compile_state_add_exclude_not_conditions(struct rule_compile_state *rule_compile_state, UT_array *condition_id_array) { + int condition_id_idx_array[utarray_len(condition_id_array)]; + int condition_id_idx_array_len = 0; + long long *condition_id = NULL; + for (size_t i = 0; i < utarray_len(condition_id_array); i++) { - long long *condition_id = (long long *)utarray_eltptr(condition_id_array, i); - if (utarray_find(rule_compile_state->exclude_not_conditions, condition_id, - compare_condition_id)) { + condition_id = (long long *)utarray_eltptr(condition_id_array, i); + if (utarray_find(rule_compile_state->exclude_not_conditions, condition_id, compare_condition_id)) { continue; } - utarray_push_back(rule_compile_state->exclude_not_conditions, condition_id); + condition_id_idx_array[condition_id_idx_array_len] = i; + condition_id_idx_array_len++; + } + + if (condition_id_idx_array_len > 0) { + utarray_reserve(rule_compile_state->exclude_not_conditions, condition_id_idx_array_len); + + for (size_t i = 0; i < condition_id_idx_array_len; i++) { + condition_id = (long long *)utarray_eltptr(condition_id_array, condition_id_idx_array[i]); + utarray_push_back(rule_compile_state->exclude_not_conditions, condition_id); + } + utarray_sort(rule_compile_state->exclude_not_conditions, compare_condition_id); } - utarray_sort(rule_compile_state->exclude_not_conditions, compare_condition_id); } static void rule_compile_state_add_hit_not_conditions(struct rule_compile_state *rule_compile_state, UT_array *condition_id_array) -{ - size_t i = 0; +{ + int condition_id_idx_array[utarray_len(condition_id_array)]; + int condition_id_idx_array_len = 0; long long *condition_id = NULL; - size_t new_condition_idx = utarray_len(rule_compile_state->this_scan_hit_not_conditions); - for (i = 0; i < utarray_len(condition_id_array); i++) { + for (size_t i = 0; i < utarray_len(condition_id_array); i++) { condition_id = (long long *)utarray_eltptr(condition_id_array, i); if (utarray_find(rule_compile_state->all_hit_conditions, condition_id, compare_condition_id)) { continue; @@ -1327,125 +1168,21 @@ rule_compile_state_add_hit_not_conditions(struct rule_compile_state *rule_compil if (utarray_find(rule_compile_state->exclude_not_conditions, condition_id, compare_condition_id)) { continue; } - - utarray_push_back(rule_compile_state->this_scan_hit_not_conditions, condition_id); + condition_id_idx_array[condition_id_idx_array_len] = i; + condition_id_idx_array_len++; } - if ((utarray_len(rule_compile_state->this_scan_hit_not_conditions) - new_condition_idx) > 0) { - utarray_reserve(rule_compile_state->all_hit_conditions, - utarray_len(rule_compile_state->this_scan_hit_not_conditions) - new_condition_idx); + if (condition_id_idx_array_len > 0) { + utarray_reserve(rule_compile_state->all_hit_conditions, condition_id_idx_array_len); - for (i = new_condition_idx; i < utarray_len(rule_compile_state->this_scan_hit_not_conditions); i++) { - condition_id = (long long *)utarray_eltptr(rule_compile_state->this_scan_hit_not_conditions, i); + for (size_t i = 0; i < condition_id_idx_array_len; i++) { + condition_id = (long long *)utarray_eltptr(condition_id_array, condition_id_idx_array[i]); utarray_push_back(rule_compile_state->all_hit_conditions, condition_id); } utarray_sort(rule_compile_state->all_hit_conditions, compare_condition_id); } } -static void -rule_compile_state_update_hit_conditions(struct rule_compile_state *rule_compile_state, - struct rule_runtime *rule_rt, - uuid_t object_uuid, const char *attribute_name) -{ - if (NULL == rule_compile_state || NULL == rule_rt) { - return; - } - - struct condition_query_key key; - struct condition_id_kv *condition_id_kv = NULL; - - memset(&key, 0, sizeof(key)); - key.negate_option = 0; - snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attribute_name); - uuid_copy(key.object_uuid, object_uuid); - - HASH_FIND(hh, rule_rt->condition_id_kv_hash, &key, sizeof(key), condition_id_kv); - if (condition_id_kv != NULL) { - rule_compile_state_add_hit_conditions(rule_compile_state, condition_id_kv->condition_ids); - } - - key.negate_option = 1; - HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv); - if (condition_id_kv != NULL) { - rule_compile_state_add_exclude_not_conditions(rule_compile_state, condition_id_kv->condition_ids); - } -} - -static void -rule_compile_state_cache_hit_not_objects(struct rule_compile_state *rule_compile_state, - struct rule_runtime *rule_rt, - uuid_t *hit_object_uuids, - size_t n_hit_object_uuid, const char *attribute_name) -{ - if (NULL == rule_compile_state || NULL == rule_rt) { - return; - } - - if (n_hit_object_uuid != 0) { - qsort(hit_object_uuids, n_hit_object_uuid, sizeof(uuid_t), compare_object_uuid); - } - - struct negate_attribute_object *negate_attr_obj = NULL; - HASH_FIND_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj); - if (negate_attr_obj != NULL) { - for (size_t i = 0; i < n_hit_object_uuid; i++) { - uuid_t *object_uuid = (uuid_t *)utarray_find(negate_attr_obj->object_uuids, - &hit_object_uuids[i], - compare_object_uuid); - if (NULL == object_uuid) { - continue; - } - size_t remove_idx = utarray_eltidx(negate_attr_obj->object_uuids, object_uuid); - utarray_erase(negate_attr_obj->object_uuids, remove_idx, 1); - } - } - - struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL; - HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) { - if (strncmp(condition_id_kv->key.attribute_name, attribute_name, strlen(attribute_name)) != 0) { - continue; - } - - uuid_t *tmp_object_uuid = - bsearch(&(condition_id_kv->key.object_uuid), hit_object_uuids, - n_hit_object_uuid, sizeof(uuid_t), compare_object_uuid); - if (tmp_object_uuid != NULL) { - continue; - } - - if (NULL == negate_attr_obj) { - negate_attr_obj = ALLOC(struct negate_attribute_object, 1); - snprintf(negate_attr_obj->attribute_name, sizeof(negate_attr_obj->attribute_name), "%s", attribute_name); - utarray_new(negate_attr_obj->object_uuids, &ut_rule_object_uuid_icd); - HASH_ADD_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj); - } - - if (!utarray_find(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid), - compare_object_uuid)) { - utarray_push_back(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid)); - } - } - - if (negate_attr_obj != NULL) { - utarray_sort(negate_attr_obj->object_uuids, compare_object_uuid); - } -} - -int rule_compile_state_get_rule_table_id(struct rule_compile_state *rule_compile_state, - uuid_t *rule_id) -{ - struct rule2table_id *tmp = NULL; - - tmp = utarray_find(rule_compile_state->hit_rule_table_ids, rule_id, - compare_rule_uuid); - if (NULL == tmp) { - return -1; - } - - return tmp->table_id; -} - static int rule_runtime_add_rule(struct rule_runtime *rule_rt, struct rule_schema *schema, @@ -1726,7 +1463,65 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, { struct rule_compile_state *rule_compile_state = state->rule_compile_state; struct rule_item *rule_items[rule_ids_size]; + + utarray_clear(rule_compile_state->all_hit_conditions); + utarray_clear(rule_compile_state->exclude_not_conditions); + struct attribute_hit_object_collection *attr_hit_obj_coll = NULL, *tmp = NULL; + HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj_coll, tmp) { + struct condition_query_key key; + memset(&key, 0, sizeof(key)); + snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attr_hit_obj_coll->attribute_name); + + for (int i = 0; i < utarray_len(attr_hit_obj_coll->all_object_uuids); i++) { + uuid_t *object_uuid = utarray_eltptr(attr_hit_obj_coll->all_object_uuids, i); + uuid_copy(key.object_uuid, *object_uuid); + key.negate_option = 0; + + struct condition_id_kv *condition_id_kv = NULL; + HASH_FIND(hh, rule_rt->condition_id_kv_hash, &key, sizeof(key), condition_id_kv); + if (condition_id_kv != NULL) { + rule_compile_state_add_hit_conditions(rule_compile_state, condition_id_kv->condition_ids); + } + + if (attr_hit_obj_coll->need_not_condition) { + key.negate_option = 1; + HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv); + if (condition_id_kv != NULL) { + rule_compile_state_add_exclude_not_conditions(rule_compile_state, condition_id_kv->condition_ids); + } + } + } + } + + //not conditions + struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL; + HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) { + HASH_FIND_STR(rule_compile_state->attr_hit_objects_hashtbl, condition_id_kv->key.attribute_name, attr_hit_obj_coll); + if (attr_hit_obj_coll == NULL || attr_hit_obj_coll->need_not_condition == 0) { + continue; + } + + uuid_t *object_uuid = bsearch(&(condition_id_kv->key.object_uuid), + utarray_eltptr(attr_hit_obj_coll->all_object_uuids, 0), + utarray_len(attr_hit_obj_coll->all_object_uuids), + sizeof(uuid_t), compare_object_uuid); + if (object_uuid != NULL) { + continue; + } + + rule_compile_state_add_hit_not_conditions(rule_compile_state, condition_id_kv->condition_ids); + + if (state->maat_inst->opts.hit_path_on) { + uuid_t null_uuid; + uuid_clear(null_uuid); + rule_compile_state_add_internal_hit_path(rule_compile_state, null_uuid, + condition_id_kv->key.object_uuid, + condition_id_kv->key.attribute_name, 1, + attr_hit_obj_coll->Nth_scan); + } + } + // all hit condition_id -> rule_id size_t bool_match_ret = maat_rule_bool_matcher_match(rule_rt, rule_compile_state, @@ -1745,6 +1540,56 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, return MIN(bool_match_ret, rule_ids_size); } +static struct attribute_hit_object_collection * rule_compile_state_get_attr_hit_obj_coll(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, + const char *attribute_name) +{ + struct attribute_hit_object_collection *attr_hit_obj_coll = NULL; + HASH_FIND_STR(rule_compile_state->attr_hit_objects_hashtbl, attribute_name, attr_hit_obj_coll); + if (attr_hit_obj_coll == NULL) { + attr_hit_obj_coll = ALLOC(struct attribute_hit_object_collection, 1); + snprintf(attr_hit_obj_coll->attribute_name, sizeof(attr_hit_obj_coll->attribute_name), "%s", attribute_name); + utarray_new(attr_hit_obj_coll->all_object_uuids, &ut_object_uuid_icd); + + if (1 == maat_inst->opts.hit_object_on) { + utarray_new(attr_hit_obj_coll->direct_items, &ut_maat_item_icd); + utarray_new(attr_hit_obj_coll->indirect_object_uuids, &ut_object_uuid_icd); + } + HASH_ADD_STR(rule_compile_state->attr_hit_objects_hashtbl, attribute_name, attr_hit_obj_coll); + } + + return attr_hit_obj_coll; +} + +static void rule_compile_state_add_hit_objects(struct rule_compile_state *rule_compile_state, + struct attribute_hit_object_collection * attr_hit_obj_coll, + uuid_t object_uuids[], size_t n_object_uuids) +{ + int object_uuid_idx_array[n_object_uuids]; + int object_uuid_idx_array_len = 0; + uuid_t *object_uuid = NULL; + + for (size_t i = 0; i < n_object_uuids; i++) { + object_uuid = object_uuids + i; + if (utarray_find(attr_hit_obj_coll->all_object_uuids, object_uuid, compare_object_uuid)) { + continue; + } + object_uuid_idx_array[object_uuid_idx_array_len] = i; + object_uuid_idx_array_len++; + } + + if (object_uuid_idx_array_len > 0) { + utarray_reserve(attr_hit_obj_coll->all_object_uuids, object_uuid_idx_array_len); + + for (size_t i = 0; i < object_uuid_idx_array_len; i++) { + object_uuid = object_uuids + object_uuid_idx_array[i]; + utarray_push_back(attr_hit_obj_coll->all_object_uuids, object_uuid); + } + utarray_sort(attr_hit_obj_coll->all_object_uuids, compare_object_uuid); + } + + return; +} + int rule_compile_state_update(struct rule_compile_state *rule_compile_state, struct maat *maat_inst, const char *attribute_name, int custom_rule_tbl_id, int Nth_scan, struct maat_item *hit_items, size_t n_hit_item) @@ -1752,19 +1597,11 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str size_t i = 0, j = 0; size_t hit_cnt = n_hit_item; uuid_t hit_object_uuids[MAX_HIT_OBJECT_NUM]; - struct maat_hit_object hit_object; - utarray_clear(rule_compile_state->this_scan_hit_conditions); - rule_compile_state->this_scan_not_logic = 0; rule_compile_state->Nth_scan = Nth_scan; for (i = 0; i < hit_cnt; i++) { uuid_copy(hit_object_uuids[i], hit_items[i].object_uuid); - - uuid_copy(hit_object.item_uuid, hit_items[i].item_uuid); - uuid_copy(hit_object.object_uuid, hit_items[i].object_uuid); - snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name); - utarray_push_back(rule_compile_state->last_hit_objects, &hit_object); } int object_group_table_id = table_manager_get_object_group_table_id(maat_inst->tbl_mgr); @@ -1774,12 +1611,9 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str size_t super_object_cnt = object_group_runtime_get_super_objects(object_group_rt, hit_object_uuids, hit_cnt, super_object_uuids, MAX_HIT_OBJECT_NUM); - for (i = 0; i < super_object_cnt; i++) { - uuid_clear(hit_object.item_uuid); - uuid_copy(hit_object.object_uuid, super_object_uuids[i]); - snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name); - utarray_push_back(rule_compile_state->last_hit_objects, &hit_object); - } + + struct attribute_hit_object_collection * attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); if (1 == maat_inst->opts.hit_path_on && hit_cnt > 0) { for (i = 0; i < hit_cnt; i++) { @@ -1789,157 +1623,127 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str } if (1 == maat_inst->opts.hit_object_on) { - rule_compile_state_add_direct_hit_objects(rule_compile_state, hit_items, hit_cnt, attribute_name); + rule_compile_state_add_direct_hit_objects(rule_compile_state, hit_items, hit_cnt, attr_hit_obj_coll); rule_compile_state_add_indirect_hit_objects(rule_compile_state, super_object_uuids, - super_object_cnt, attribute_name); - } - - /* update hit condition */ - int rule_table_id = table_manager_get_default_rule_table_id(maat_inst->tbl_mgr); - if (custom_rule_tbl_id > 0) { - rule_table_id = custom_rule_tbl_id; - } - - struct rule_runtime *rule_rt = table_manager_get_runtime(maat_inst->tbl_mgr, - rule_table_id); - if (NULL == rule_rt) { - return 0; + super_object_cnt, attr_hit_obj_coll); } for (j = 0; j < super_object_cnt && hit_cnt < MAX_HIT_OBJECT_NUM; j++) { uuid_copy(hit_object_uuids[hit_cnt++], super_object_uuids[j]); } - for (i = 0; i < hit_cnt; i++) { - rule_compile_state_update_hit_conditions(rule_compile_state, rule_rt, - hit_object_uuids[i], attribute_name); - } + rule_compile_state_add_hit_objects(rule_compile_state, attr_hit_obj_coll, hit_object_uuids, hit_cnt); - rule_compile_state_cache_hit_not_objects(rule_compile_state, rule_rt, hit_object_uuids, - hit_cnt, attribute_name); return hit_cnt; } -void rule_compile_state_clear_last_hit_object(struct rule_compile_state *rule_compile_state) +void rule_compile_state_not_logic_update(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, int Nth_scan) { - if (NULL == rule_compile_state) { + if (NULL == maat_inst || NULL == rule_compile_state) { return; } - utarray_clear(rule_compile_state->last_hit_objects); -} + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); -void rule_compile_state_not_logic_update(struct rule_compile_state *rule_compile_state, - struct rule_runtime *rule_rt, - struct maat *maat_inst, const char *attribute_name, - int Nth_scan) -{ - if (NULL == rule_compile_state || NULL == maat_inst) { - return; - } - - rule_compile_state->this_scan_not_logic = 1; + attr_hit_obj_coll->need_not_condition = 1; rule_compile_state->Nth_scan = Nth_scan; - utarray_clear(rule_compile_state->this_scan_hit_not_conditions); - struct negate_attribute_object *negate_attr_obj = NULL; - HASH_FIND_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj); - if (NULL == negate_attr_obj) { - return; + return; +} + +size_t rule_compile_state_get_indirect_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, + const char *attribute_name, uuid_t object_array[], size_t array_size) +{ + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); + + size_t i = 0; + for (i = 0; i < utarray_len(attr_hit_obj_coll->indirect_object_uuids) && i < array_size; i++) { + uuid_copy(object_array[i], *(uuid_t *)utarray_eltptr(attr_hit_obj_coll->indirect_object_uuids, i)); } - struct condition_id_kv *condition_id_kv = NULL; - for (size_t i = 0; i < utarray_len(negate_attr_obj->object_uuids); i++) { - struct condition_query_key key; + utarray_clear(attr_hit_obj_coll->indirect_object_uuids); - uuid_t *object_uuid = utarray_eltptr(negate_attr_obj->object_uuids, i); - memset(&key, 0, sizeof(key)); - - snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attribute_name); - key.negate_option = 1; - uuid_copy(key.object_uuid, *object_uuid); - - HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv); - if (NULL == condition_id_kv) { - continue; - } + return i; +} - rule_compile_state_add_hit_not_conditions(rule_compile_state, condition_id_kv->condition_ids); - if (1 == maat_inst->opts.hit_path_on) { - uuid_t null_uuid; - uuid_clear(null_uuid); - rule_compile_state_add_internal_hit_path(rule_compile_state, null_uuid, *object_uuid, - attribute_name, 1, Nth_scan); +size_t rule_compile_state_get_indirect_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name) +{ + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); + + return utarray_len(attr_hit_obj_coll->indirect_object_uuids); +} + +size_t rule_compile_state_get_direct_hit_items(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, + uuid_t item_array[], uuid_t direct_object_array[], size_t array_size) +{ + size_t i = 0; + + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); + + for (i = 0; i < utarray_len(attr_hit_obj_coll->direct_items) && i < array_size; i++) { + struct maat_item *item = (struct maat_item *)utarray_eltptr(attr_hit_obj_coll->direct_items, i); + uuid_copy(direct_object_array[i], item->object_uuid); + uuid_copy(item_array[i], item->item_uuid); + } + utarray_clear(attr_hit_obj_coll->direct_items); + + return i; +} + +size_t rule_compile_state_get_direct_hit_item_cnt(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name) +{ + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); + + return utarray_len(attr_hit_obj_coll->direct_items); +} + +size_t rule_compile_state_get_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, + uuid_t object_array[], size_t array_size) +{ + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); + + size_t i = 0; + for (i = 0; i < utarray_len(attr_hit_obj_coll->all_object_uuids) && i < array_size; i++) { + uuid_copy(object_array[i], *(uuid_t *)utarray_eltptr(attr_hit_obj_coll->all_object_uuids, i)); + } + + utarray_clear(attr_hit_obj_coll->all_object_uuids); + + return i; +} + +size_t rule_compile_state_get_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name) +{ + struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name); + assert(attr_hit_obj_coll != NULL); + + return utarray_len(attr_hit_obj_coll->all_object_uuids); +} + +size_t rule_compile_state_get_attribute_names(struct rule_compile_state *rule_compile_state, const char *attribute_name_array[], size_t array_size) +{ + size_t i = 0; + struct attribute_hit_object_collection *attr_hit_obj_coll = NULL, *tmp = NULL; + HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj_coll, tmp) { + attribute_name_array[i] = attr_hit_obj_coll->attribute_name; + i++; + if (i >= array_size) { + break; } } -} - -size_t rule_compile_state_get_indirect_hit_objects(struct rule_compile_state *rule_compile_state, - struct maat_hit_object *object_array, - size_t array_size) -{ - size_t i = 0; - struct maat_hit_object *hit_object = NULL; - for (i = 0; i < utarray_len(rule_compile_state->indirect_hit_objects) && i < array_size; i++) { - hit_object = - (struct maat_hit_object *)utarray_eltptr(rule_compile_state->indirect_hit_objects, i); - uuid_copy(object_array[i].item_uuid, hit_object->item_uuid); - uuid_copy(object_array[i].object_uuid, hit_object->object_uuid); - memcpy(object_array[i].attribute_name, hit_object->attribute_name, sizeof(object_array[i].attribute_name)); - } - - utarray_clear(rule_compile_state->indirect_hit_objects); return i; } -size_t rule_compile_state_get_indirect_hit_object_cnt(struct rule_compile_state *rule_compile_state) +size_t rule_compile_state_get_attribute_cnt(struct rule_compile_state *rule_compile_state) { - return utarray_len(rule_compile_state->indirect_hit_objects); -} - -size_t rule_compile_state_get_last_hit_objects(struct rule_compile_state *rule_compile_state, - struct maat_hit_object *object_array, - size_t array_size) -{ - size_t i = 0; - - for (i = 0; i < utarray_len(rule_compile_state->last_hit_objects) && i < array_size; i++) { - object_array[i] = - *(struct maat_hit_object *)utarray_eltptr(rule_compile_state->last_hit_objects, i); - } - - return i; -} - -size_t rule_compile_state_get_last_hit_object_cnt(struct rule_compile_state *rule_compile_state) -{ - return utarray_len(rule_compile_state->last_hit_objects); -} - -size_t rule_compile_state_get_direct_hit_objects(struct rule_compile_state *rule_compile_state, - struct maat_hit_object *object_array, - size_t array_size) -{ - UT_array *direct_hit_object = rule_compile_state->direct_hit_objects; - - size_t i = 0; - struct maat_hit_object *object = NULL; - for (i = 0; i < utarray_len(direct_hit_object) && i < array_size; i++) { - object = (struct maat_hit_object *)utarray_eltptr(direct_hit_object, i); - uuid_copy(object_array[i].item_uuid, object->item_uuid); - uuid_copy(object_array[i].object_uuid, object->object_uuid); - memcpy(object_array[i].attribute_name, object->attribute_name, sizeof(object_array[i].attribute_name)); - } - - utarray_clear(rule_compile_state->direct_hit_objects); - - return i; -} - -size_t rule_compile_state_get_direct_hit_object_cnt(struct rule_compile_state *rule_compile_state) -{ - return utarray_len(rule_compile_state->direct_hit_objects); + return HASH_COUNT(rule_compile_state->attr_hit_objects_hashtbl); } size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule_compile_state, @@ -1959,7 +1763,7 @@ size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule */ uuid_t super_object_uuids[MAX_HIT_OBJECT_NUM]; UT_array *valid_super_object_uuids; - utarray_new(valid_super_object_uuids, &ut_rule_object_uuid_icd); + utarray_new(valid_super_object_uuids, &ut_object_uuid_icd); size_t super_object_cnt = object_group_runtime_get_super_objects(object_group_rt, &(internal_path->object_uuid), 1, diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp index 7c24aa6..6ebc425 100644 --- a/test/maat_framework_gtest.cpp +++ b/test/maat_framework_gtest.cpp @@ -1343,7 +1343,6 @@ TEST_P(StringScan, StreamHitDirectObject) { state = NULL; } -//TODO TEST_P(StringScan, StreamLiteralPrefix) { uuid_t results[ARRAY_SIZE]; @@ -2529,35 +2528,6 @@ TEST_F(ObjectScan, Attribute) { sleep(2); } -TEST_F(ObjectScan, SetScanRuleTable) { - uuid_t results[ARRAY_SIZE]; - size_t n_hit_result = 0; - int thread_id = 0; - const char *table_name = "KEYWORDS_TABLE"; - const char *attribute_name = "KEYWORDS_TABLE"; - struct maat *maat_inst = ObjectScan::_shared_maat_inst; - struct maat_state *state = maat_state_new(maat_inst, thread_id); - - const char *rule_table_name = "RULE_FIREWALL_CONJUNCTION"; - - int ret = maat_state_set_scan_rule_table(state, rule_table_name); - EXPECT_EQ(ret, 0); - - struct maat_hit_object hit_object; - uuid_parse("00000000-0000-0000-0000-000000000248", hit_object.object_uuid); - ret = maat_scan_object(maat_inst, table_name, attribute_name, &hit_object, 1, results, - ARRAY_SIZE, &n_hit_result, state); - EXPECT_EQ(ret, MAAT_SCAN_HIT); - EXPECT_EQ(n_hit_result, 1); - char uuid_str[UUID_STR_LEN] = {0}; - uuid_unparse(results[0], uuid_str); - EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000227"); - - maat_state_free(state); - state = NULL; - sleep(2); -} - class NOTLogic : public testing::Test { protected: diff --git a/test/maat_json.json b/test/maat_json.json index e4ccbba..6a89a53 100644 --- a/test/maat_json.json +++ b/test/maat_json.json @@ -3845,25 +3845,6 @@ } ] }, - { - "uuid": "00000000-0000-0000-0000-000000000227", - "service": 1, - "action": 1, - "do_blacklist": 1, - "do_log": 1, - "action_parameter": "maat_scan_object", - "rule_table_name": "RULE_FIREWALL_DEFAULT", - "is_valid": "yes", - "and_conditions": [ - { - "attribute_name": "KEYWORDS_TABLE", - "object_name": "227_url_object", - "object_uuids": [ - "00000000-0000-0000-0000-000000000248" - ] - } - ] - }, { "uuid": "00000000-0000-0000-0000-000000000228", "service": 1,