gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add incomplete code

Browse Source
This commit is contained in:
liuchang
2024-11-19 09:57:24 +00:00
parent c7c0f5db30
commit 89c8cad6c9
12 changed files with 472 additions and 950 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/api_reference.md
View File

@@ -68,7 +68,6 @@ After that, call maat_new to create a maat instance. Next, for the two main usag
* [maat_state_reset](#maat_state_reset)
* [maat_state_free](#maat_state_free)
* [maat_state_set_scan_district](#maat_state_set_scan_district)
* [maat_state_set_scan_rule_table](#maat_state_set_scan_rule_table)
* [maat_state_get_hit_paths](#maat_state_get_hit_paths)
* [maat_state_get_rule_table_ids](#maat_state_get_rule_table_ids)
* [maat_state_get_scan_count](#maat_state_get_scan_count)
@@ -601,23 +600,6 @@ To set the field to be matched in the next scan, for example: if you want to mat
**Returns**: success(0) failure(-1)
### maat_state_set_scan_rule_table
```c
int maat_state_set_scan_rule_table(struct maat_state *state,
int rule_table_id);
```
Maat supports loading multiple rule tables and building their respective runtime. Within the table schema, there is a rule table that has a `default_rule_table` field, indicating that maat will use the runtime of this table to calculate which rule_id will be hit by the hit object_id. If the caller wants to use another rule table runtime for the above calculation, this interface can be invoked to set it up.
**Parameters**:
* state - Pointer to the maat state structure.
* rule_table_id - The rule table ID.
**Returns**: success(0) failure(-1)
### maat_state_get_hit_paths
```c

146
include/maat.h
View File

@@ -41,17 +41,10 @@ struct maat_hit_path {
uuid_t rule_uuid;
};
struct maat_hit_object {
uuid_t item_uuid;
uuid_t object_uuid;
char attribute_name[MAX_ATTR_NAME_LEN];
};
enum maat_scan_status {
MAAT_SCAN_ERR = -1, //scan error
MAAT_SCAN_OK, //scan but not hit(object or rule)
MAAT_SCAN_HALF_HIT, //half hit: hit object, not hit rule
MAAT_SCAN_HIT //scan hit rule
MAAT_SCAN_OK, //scan but not hit object
MAAT_SCAN_HIT //scan hit object
};
enum maat_update_type {
@@ -255,143 +248,110 @@ struct maat_state;
* MAAT_SCAN_HIT
*/
int maat_scan_flag(struct maat *instance, const char *table_name, const char *attribute_name,
long long flag, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
long long flag, struct maat_state *state);
int maat_scan_integer(struct maat *instance, const char *table_name, const char *attribute_name,
long long integer, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
long long integer, struct maat_state *state);
/**
* @param ip_addr: ipv4 address in network order
* @param port: port in host order. If the port is not specified, use -1. Note that 0 is a valid port.
*/
int maat_scan_ipv4_port(struct maat *instance, const char *table_name, const char *attribute_name,
uint32_t ip_addr, int port, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
uint32_t ip_addr, int port, struct maat_state *state);
int maat_scan_ipv6_port(struct maat *instance, const char *table_name, const char *attribute_name,
uint8_t *ip_addr, int port, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
uint8_t *ip_addr, int port, struct maat_state *state);
int maat_scan_ipv4(struct maat *instance, const char *table_name, const char *attribute_name,
uint32_t ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
uint32_t ip_addr, struct maat_state *state);
int maat_scan_ipv6(struct maat *instance, const char *table_name, const char *attribute_name,
uint8_t *ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
uint8_t *ip_addr, struct maat_state *state);
int maat_scan_string(struct maat *instance, const char *table_name, const char *attribute_name,
const char *data, size_t data_len, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state);
const char *data, size_t data_len, struct maat_state *state);
int maat_scan_object(struct maat *instance, const char *table_name, const char *attribute_name,
struct maat_hit_object *objects, size_t n_object, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state);
uuid_t object_uuid_array[], uuid_t item_uuid_array[], size_t array_size, struct maat_state *state);
int maat_scan_not_logic(struct maat *instance, const char *table_name, const char *attribute_name,
uuid_t *results, size_t n_result, size_t *n_hit_result, struct maat_state *state);
int maat_scan_not_logic(struct maat *instance, const char *table_name, const char *attribute_name, struct maat_state *state);
struct maat_stream;
struct maat_stream *maat_stream_new(struct maat *instance, const char *table_name, const char *attribute_name, struct maat_state *state);
int maat_stream_scan(struct maat_stream *stream, const char *data, int data_len,
uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state);
int maat_stream_scan(struct maat_stream *stream, const char *data, int data_len, struct maat_state *state);
void maat_stream_free(struct maat_stream *stream);
/* maat state API */
struct maat_state *maat_state_new(struct maat *instance, int thread_id);
/*
security rule 1 src_ip & src_port
security rule 2 src_ip & fqdn
statistics rule 3 src_ip & src_port
statistics rule 4 src_ip & fqdn
scan(src_ip);
scan(src_port);
maat_state_compile("security", rule_array[]);
scan(src_ip);
scan(src_port);
scan(fqdn);
maat_state_compile("security", rule_array[]);
maat_state_compile("statistics", rule_array[]);
*/
size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result);//TODO: new API, return all rules every time, without removing duplicate rules
/**
* @brief return all rules, without removing duplicate hit rules
*
* @param state: maat state
* @param table_name: rule table name
* @param rule_array: rule uuid array
* @param ex_data_array: rule ex_data array
* @param n_result: the size of rule_array and ex_data_array
*/
size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result);
void maat_state_reset(struct maat_state *state);
void maat_state_free(struct maat_state *state);
int maat_state_set_scan_rule_table(struct maat_state *state, const char *rule_table_name);//TODO: delete
int maat_state_get_hit_paths(struct maat_state *state, struct maat_hit_path *path_array,
size_t array_size);
int maat_state_get_rule_table_names(struct maat_state *state, uuid_t *rule_ids,
size_t n_rule_ids, char *rule_table_names[]);//TODO: delete
/**
* @brief get the total number of scans after maat_state_new
*/
size_t maat_state_get_scan_count(struct maat_state *state);
size_t maat_state_get_attribute_cnt(struct maat_state *state);
/**
* @brief direct object means object corresponding to item
*
* NOTE: hit objects may be duplicated
*
* @brief return all attribute names
* NOTE: attribute names are valid until the state is freed or reset
*/
int maat_state_get_direct_hit_objects(struct maat_state *state,
struct maat_hit_object *object_array,
size_t array_size);//TODO:delete
size_t maat_state_get_direct_hit_object_cnt(struct maat_state *state);
size_t maat_state_get_attribute_names(struct maat_state *state, const char *attribute_names[], size_t array_size);
/**
* @brief return all hit objects
*/
size_t maat_state_get_hit_objects(struct maat_state *state,
const char *attribute_name,
uuid_t object_array[],
size_t array_size);
size_t maat_state_get_hit_object_cnt(struct maat_state *state, const char *attribute_name);
/**
* @brief return direct hit items and direct hit objects
* NOTE: hit items may be duplicated
*/
size_t maat_state_get_hit_items(struct maat_state *state,
const char *attribute_name,
uuid_t item_array[],
uuid_t direct_object_array[],
size_t array_size);
size_t maat_state_get_hit_item_cnt(struct maat_state *state,
const char *attribute_name);
/**
* @brief indirect object means superior object
*
* NOTE: hit objects may be duplicated
*/
/**
* @brief get last scan hit objects(including direct/indirect)
*/
int maat_state_get_last_hit_objects(struct maat_state *state,
struct maat_hit_object *object_array,
size_t array_size);//TODO:delete
size_t maat_state_get_last_hit_object_cnt(struct maat_state *state);//TODO:delete
size_t maat_state_get_hit_objects(struct maat_state *state,
const char *attribute_name,
uuid_t object_array[],
size_t array_size);//TODO: new API, return all hit objects
size_t maat_state_get_attribute_cnt(struct maat_state *state);//TODO: new API
size_t maat_state_get_attribute_names(struct maat_state *state, const char *attribute_names[], size_t array_size);//TODO: new API
size_t maat_state_get_hit_object_cnt(struct maat_state *state,
const char *attribute_name);//TODO: new API
size_t maat_state_get_hit_items(struct maat_state *state,
const char *attribute_name,
uuid_t item_array[],
uuid_t direct_object_array[],
size_t array_size);//TODO: new API, return direct hit items and direct hit objects
size_t maat_state_get_hit_item_cnt(struct maat_state *state,
const char *attribute_name);//TODO: new API
size_t maat_state_get_indirect_hit_objects(struct maat_state *state,
const char *attribute_name,
uuid_t object_array[],
size_t array_size);//TODO: new API
size_t array_size);
size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state, const char *attribute_name);//TODO: add "const" prefix
size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state, const char *attribute_name);
#ifdef __cplusplus
}

2
src/inc_internal/maat_core.h
View File

@@ -185,7 +185,7 @@ struct maat_state {
struct rule_compile_state *rule_compile_state;
int Nth_scan;
uint16_t thread_id;
int16_t rule_table_id;
int16_t rule_table_id;//TODO: need remove ???
uint8_t logic_negate_option;
};

32
src/inc_internal/maat_rule.h
View File

@@ -72,12 +72,7 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str
const char *attribute_name, int custom_rule_tbl_id, int Nth_scan,
struct maat_item *hit_items, size_t n_hit_item);
void rule_compile_state_clear_last_hit_object(struct rule_compile_state *rule_state);
void rule_compile_state_not_logic_update(struct rule_compile_state *rule_compile_state,
struct rule_runtime *rule_rt,
struct maat *maat_inst, const char *attribute_name,
int Nth_scan);
void rule_compile_state_not_logic_update(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, int Nth_scan);
size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule_compile_state,
struct rule_runtime *rule_rt,
@@ -85,27 +80,24 @@ size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule
struct maat_hit_path *hit_path_array,
size_t array_size);
size_t rule_compile_state_get_direct_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_hit_object *object_array,
size_t array_size);
size_t rule_compile_state_get_direct_hit_items(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name,
uuid_t item_array[], uuid_t direct_object_array[], size_t array_size);
size_t rule_compile_state_get_direct_hit_object_cnt(struct rule_compile_state *rule_compile_state);
size_t rule_compile_state_get_direct_hit_item_cnt(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name);
size_t rule_compile_state_get_indirect_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_hit_object *object_array,
size_t array_size);
size_t rule_compile_state_get_indirect_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state,
const char *attribute_name, uuid_t object_array[], size_t array_size);
size_t rule_compile_state_get_indirect_hit_object_cnt(struct rule_compile_state *rule_compile_state);
size_t rule_compile_state_get_indirect_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name);
size_t rule_compile_state_get_last_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_hit_object *object_arary,
size_t array_size);
size_t rule_compile_state_get_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name,
uuid_t object_array[], size_t array_size);
size_t rule_compile_state_get_last_hit_object_cnt(struct rule_compile_state *rule_compile_state);
size_t rule_compile_state_get_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name);
int rule_compile_state_get_rule_table_id(struct rule_compile_state *rule_compile_state,
uuid_t *rule_id);
size_t rule_compile_state_get_attribute_names(struct rule_compile_state *rule_compile_state, const char *attribute_name_array[], size_t array_size);
size_t rule_compile_state_get_attribute_cnt(struct rule_compile_state *rule_compile_state);
#ifdef __cplusplus
}
#endif

430
src/maat_api.c
View File

@@ -856,7 +856,6 @@ int maat_plugin_table_ex_schema_register(struct maat *maat_inst,
void *maat_plugin_table_get_ex_data(struct maat *maat_inst, const char *table_name,
const char *key, size_t key_len)
{
if (NULL == maat_inst || NULL == key) {
return NULL;
}
@@ -1171,33 +1170,36 @@ string_scan(struct table_manager *tbl_mgr, int thread_id,
return object_hit_cnt;
}
static size_t
object_to_rule(struct maat *maat_inst, uuid_t *results, size_t n_result,
struct maat_state *state)
size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result)
{
int rule_table_id =
table_manager_get_default_rule_table_id(maat_inst->tbl_mgr);
if (state->rule_table_id > 0) {
rule_table_id = state->rule_table_id;
int table_id = maat_get_table_id(state->maat_inst, table_name);
if (table_id < 0) {
return 0;
}
void *rule_rt = table_manager_get_runtime(maat_inst->tbl_mgr,
rule_table_id);
void *rule_rt = table_manager_get_runtime(state->maat_inst->tbl_mgr, table_id);
if (NULL == rule_rt) {
return 0;
}
return rule_runtime_match((struct rule_runtime *)rule_rt,
results, n_result, state);
int rule_num = rule_runtime_match((struct rule_runtime *)rule_rt, rule_array, n_result, state);
if (rule_num <= 0) {
return 0;
}
for (int i = 0; i < rule_num; i++) {
ex_data_array[i] = maat_plugin_table_get_ex_data(state->maat_inst, table_name, (char*)&rule_array[i], sizeof(uuid_t));
}
alignment_int64_array_add(state->maat_inst->stat->hit_rule_cnt, state->thread_id, rule_num);
return rule_num;
}
int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *attribute_name,
long long flag, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
long long flag, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) ||
(NULL == state) || (state->thread_id < 0)) {
if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1219,11 +1221,13 @@ int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *a
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
enum table_type table_type = TABLE_TYPE_INVALID;
table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id);
if (table_type != TABLE_TYPE_FLAG) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
goto ERROR;
}
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
@@ -1231,20 +1235,7 @@ int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *a
table_id, attribute_name, state);
if (hit_object_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
size_t sum_hit_rule_cnt = 0;
if (hit_object_cnt > 0) {
sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = sum_hit_rule_cnt;
}
if (sum_hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
sum_hit_rule_cnt);
goto ERROR;
}
void *flag_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id);
@@ -1257,23 +1248,23 @@ int maat_scan_flag(struct maat *maat_inst, const char *table_name, const char *a
flag_runtime_perf_stat(flag_rt, NULL, NULL, state->thread_id);
}
maat_runtime_ref_dec(maat_rt, state->thread_id);
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
if (sum_hit_rule_cnt > 0) {
if (hit_object_cnt > 0) {
return MAAT_SCAN_HIT;
} else if (hit_object_cnt > 0) {
return MAAT_SCAN_HALF_HIT;
} else {
return MAAT_SCAN_OK;
}
ERROR:
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_ERR;
}
int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char *attribute_name,
long long integer, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
long long integer, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) ||
(NULL == state) || (state->thread_id < 0)) {
if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1295,11 +1286,13 @@ int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
enum table_type table_type = TABLE_TYPE_INVALID;
table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id);
if (table_type != TABLE_TYPE_INTERVAL) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
goto ERROR;
}
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
@@ -1307,20 +1300,7 @@ int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char
table_id, attribute_name, state);
if (hit_object_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
size_t sum_hit_rule_cnt = 0;
if (hit_object_cnt > 0) {
sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = sum_hit_rule_cnt;
}
if (sum_hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
sum_hit_rule_cnt);
goto ERROR;
}
void *interval_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id);
@@ -1333,23 +1313,23 @@ int maat_scan_integer(struct maat *maat_inst, const char *table_name, const char
interval_runtime_perf_stat(interval_rt, NULL, NULL, state->thread_id);
}
maat_runtime_ref_dec(maat_rt, state->thread_id);
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
if (sum_hit_rule_cnt > 0) {
if (hit_object_cnt > 0) {
return MAAT_SCAN_HIT;
} else if (hit_object_cnt > 0) {
return MAAT_SCAN_HALF_HIT;
} else {
return MAAT_SCAN_OK;
}
ERROR:
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_ERR;
}
int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const char *attribute_name,
uint32_t ip_addr, int port, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
uint32_t ip_addr, int port, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) ||
(NULL == state) || (state->thread_id < 0)) {
if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1371,11 +1351,13 @@ int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const ch
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
enum table_type table_type = TABLE_TYPE_INVALID;
table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id);
if (table_type != TABLE_TYPE_IP) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
goto ERROR;
}
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
@@ -1383,20 +1365,7 @@ int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const ch
table_id, attribute_name, state);
if (hit_object_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
size_t sum_hit_rule_cnt = 0;
if (hit_object_cnt > 0) {
sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = sum_hit_rule_cnt;
}
if (sum_hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
sum_hit_rule_cnt);
goto ERROR;
}
void *ip_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id);
@@ -1409,23 +1378,23 @@ int maat_scan_ipv4_port(struct maat *maat_inst, const char *table_name, const ch
ip_runtime_perf_stat(ip_rt, NULL, NULL, state->thread_id);
}
maat_runtime_ref_dec(maat_rt, state->thread_id);
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
if (sum_hit_rule_cnt > 0) {
if (hit_object_cnt > 0) {
return MAAT_SCAN_HIT;
} else if (hit_object_cnt > 0) {
return MAAT_SCAN_HALF_HIT;
} else {
return MAAT_SCAN_OK;
}
ERROR:
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_ERR;
}
int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const char *attribute_name,
uint8_t *ip_addr, int port, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
uint8_t *ip_addr, int port, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == ip_addr) || (NULL == results) || (0 == n_result) ||
(NULL == n_hit_result) || (NULL == state) || (state->thread_id < 0)) {
if ((NULL == maat_inst) || (NULL == ip_addr) || (NULL == state) || (state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1447,11 +1416,13 @@ int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const ch
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
enum table_type table_type = TABLE_TYPE_INVALID;
table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id);
if (table_type != TABLE_TYPE_IP) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
goto ERROR;
}
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
@@ -1459,20 +1430,7 @@ int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const ch
table_id, attribute_name, state);
if (hit_object_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
size_t sum_hit_rule_cnt = 0;
if (hit_object_cnt > 0) {
sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = sum_hit_rule_cnt;
}
if (sum_hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
sum_hit_rule_cnt);
goto ERROR;
}
void *ip_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id);
@@ -1485,40 +1443,36 @@ int maat_scan_ipv6_port(struct maat *maat_inst, const char *table_name, const ch
ip_runtime_perf_stat(ip_rt, NULL, NULL, state->thread_id);
}
maat_runtime_ref_dec(maat_rt, state->thread_id);
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
if (sum_hit_rule_cnt > 0) {
if (hit_object_cnt > 0) {
return MAAT_SCAN_HIT;
} else if (hit_object_cnt > 0) {
return MAAT_SCAN_HALF_HIT;
} else {
return MAAT_SCAN_OK;
}
ERROR:
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_ERR;
}
#define PORT_IGNORED -1
inline int maat_scan_ipv6(struct maat *instance, const char *table_name, const char *attribute_name,
uint8_t *ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state)
uint8_t *ip_addr, struct maat_state *state)
{
return maat_scan_ipv6_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED,
results, n_result, n_hit_result, state);
return maat_scan_ipv6_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED, state);
}
inline int maat_scan_ipv4(struct maat *instance, const char *table_name, const char *attribute_name,
uint32_t ip_addr, uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state)
uint32_t ip_addr, struct maat_state *state)
{
return maat_scan_ipv4_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED,
results, n_result, n_hit_result, state);
return maat_scan_ipv4_port(instance, table_name, attribute_name, ip_addr, PORT_IGNORED, state);
}
int maat_scan_string(struct maat *maat_inst, const char *table_name, const char *attribute_name,
const char *data, size_t data_len, uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
const char *data, size_t data_len, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == data) || (0 == data_len) || (NULL == results) ||
(0 == n_result) || (NULL == n_hit_result) || (NULL == state) ||
if ((NULL == maat_inst) || (NULL == data) || (0 == data_len) || (NULL == state) ||
(state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1541,11 +1495,13 @@ int maat_scan_string(struct maat *maat_inst, const char *table_name, const char
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
enum table_type table_type = TABLE_TYPE_INVALID;
table_type = table_manager_get_table_type(maat_inst->tbl_mgr, table_id);
if (table_type != TABLE_TYPE_EXPR) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
goto ERROR;
}
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
@@ -1553,20 +1509,7 @@ int maat_scan_string(struct maat *maat_inst, const char *table_name, const char
data_len, table_id, attribute_name, state);
if (hit_object_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
size_t sum_hit_rule_cnt = 0;
if (hit_object_cnt > 0) {
sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = sum_hit_rule_cnt;
}
if (sum_hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
sum_hit_rule_cnt);
goto ERROR;
}
void *expr_rt = table_manager_get_runtime(maat_inst->tbl_mgr, table_id);
@@ -1579,42 +1522,39 @@ int maat_scan_string(struct maat *maat_inst, const char *table_name, const char
expr_runtime_perf_stat(expr_rt, data_len, NULL, NULL, state->thread_id);
}
maat_runtime_ref_dec(maat_rt, state->thread_id);
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
if (sum_hit_rule_cnt > 0) {
if (hit_object_cnt > 0) {
return MAAT_SCAN_HIT;
} else if (hit_object_cnt > 0) {
return MAAT_SCAN_HALF_HIT;
} else {
return MAAT_SCAN_OK;
}
ERROR:
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_ERR;
}
static void maat_state_add_hit_object(struct maat_state *state, const char *attribute_name,
struct maat_hit_object *objects, size_t n_object)
uuid_t object_uuid_array[], uuid_t item_uuid_array[], size_t array_size)
{
struct maat *maat_inst = state->maat_inst;
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
if (NULL == state->rule_compile_state) {
state->rule_compile_state = rule_compile_state_new();
alignment_int64_array_add(maat_inst->stat->rule_state_cnt,
state->thread_id, 1);
}
size_t n_hit_item = n_object;
if (n_object >= MAX_HIT_OBJECT_NUM) {
size_t n_hit_item = array_size;
if (n_hit_item >= MAX_HIT_OBJECT_NUM) {
n_hit_item = MAX_HIT_OBJECT_NUM;
}
struct maat_item hit_items[n_hit_item];
for (size_t i = 0; i < n_hit_item; i++) {
uuid_copy(hit_items[i].item_uuid, objects[i].item_uuid);
uuid_copy(hit_items[i].object_uuid, objects[i].object_uuid);
uuid_copy(hit_items[i].item_uuid, item_uuid_array[i]);
uuid_copy(hit_items[i].object_uuid, object_uuid_array[i]);
}
rule_compile_state_update(state->rule_compile_state, maat_inst, attribute_name,
@@ -1622,42 +1562,10 @@ static void maat_state_add_hit_object(struct maat_state *state, const char *attr
hit_items, n_hit_item);
}
static void
maat_state_activate_hit_not_object(struct maat_state *state, const char *attribute_name)
{
if (NULL == state) {
return;
}
struct maat *maat_inst = state->maat_inst;
int rule_table_id =
table_manager_get_default_rule_table_id(maat_inst->tbl_mgr);
if (state->rule_table_id > 0) {
rule_table_id = state->rule_table_id;
}
struct rule_runtime *rule_rt =
table_manager_get_runtime(maat_inst->tbl_mgr, rule_table_id);
if (NULL == rule_rt) {
return;
}
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
rule_compile_state_not_logic_update(state->rule_compile_state, rule_rt, maat_inst,
attribute_name, state->Nth_scan);
}
int maat_scan_object(struct maat *maat_inst, const char *table_name, const char *attribute_name,
struct maat_hit_object *objects, size_t n_object,
uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
uuid_t object_uuid_array[], uuid_t item_uuid_array[], size_t array_size, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == objects) || (0 == n_object) || (NULL == results) ||
(0 == n_result) || (NULL == n_hit_result) || (NULL == state) ||
if ((NULL == maat_inst) || (array_size == 0) || (NULL == state) ||
(state->thread_id < 0)) {
return -1;
}
@@ -1675,29 +1583,20 @@ int maat_scan_object(struct maat *maat_inst, const char *table_name, const char
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
maat_state_add_hit_object(state, attribute_name, objects, n_object);
size_t hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = hit_rule_cnt;
maat_state_add_hit_object(state, attribute_name, object_uuid_array, item_uuid_array, array_size);
maat_runtime_ref_dec(maat_rt, state->thread_id);
if (hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
hit_rule_cnt);
return MAAT_SCAN_HIT;
}
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_OK;
}
int maat_scan_not_logic(struct maat *maat_inst, const char *table_name, const char *attribute_name,
uuid_t *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
int maat_scan_not_logic(struct maat *maat_inst, const char *table_name, const char *attribute_name, struct maat_state *state)
{
if ((NULL == maat_inst) || (NULL == results) || (0 == n_result) || (NULL == n_hit_result) ||
(NULL == state) || (state->thread_id < 0)) {
if ((NULL == maat_inst) || (NULL == state) || (state->thread_id < 0)) {
return -1;
}
@@ -1710,19 +1609,13 @@ int maat_scan_not_logic(struct maat *maat_inst, const char *table_name, const ch
return MAAT_SCAN_OK;
}
maat_runtime_ref_inc(maat_rt, state->thread_id);
maat_runtime_ref_inc(maat_inst->maat_rt, state->thread_id);
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
maat_state_activate_hit_not_object(state, attribute_name);
size_t hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = hit_rule_cnt;
rule_compile_state_not_logic_update(maat_inst, state->rule_compile_state, attribute_name, state->Nth_scan);
maat_runtime_ref_dec(maat_rt, state->thread_id);
if (hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, state->thread_id,
hit_rule_cnt);
return MAAT_SCAN_HIT;
}
maat_runtime_ref_dec(maat_inst->maat_rt, state->thread_id);
return MAAT_SCAN_OK;
}
@@ -1807,12 +1700,9 @@ static int expr_stream_scan(struct maat_stream *stream, const char *data,
return object_hit_cnt;
}
int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data_len,
uuid_t *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state)
int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data_len, struct maat_state *state)
{
if ((NULL == maat_stream) || (NULL == data) || (0 == data_len)
|| (NULL == results) || (0 == n_result) || (NULL == state)) {
if ((NULL == maat_stream) || (NULL == data) || (0 == data_len) || (NULL == state)) {
return MAAT_SCAN_ERR;
}
@@ -1844,17 +1734,6 @@ int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data
if (hit_object_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
}
size_t sum_hit_rule_cnt = 0;
if (hit_object_cnt > 0) {
sum_hit_rule_cnt = object_to_rule(maat_inst, results, n_result, state);
*n_hit_result = sum_hit_rule_cnt;
}
if (sum_hit_rule_cnt > 0) {
alignment_int64_array_add(maat_inst->stat->hit_rule_cnt, maat_stream->thread_id,
sum_hit_rule_cnt);
}
if (1 == maat_inst->opts.perf_on) {
@@ -1864,10 +1743,8 @@ int maat_stream_scan(struct maat_stream *maat_stream, const char *data, int data
expr_runtime_perf_stat(expr_rt, data_len, NULL, NULL, state->thread_id);
}
if (sum_hit_rule_cnt > 0) {
if (hit_object_cnt > 0) {
return MAAT_SCAN_HIT;
} else if (hit_object_cnt > 0) {
return MAAT_SCAN_HALF_HIT;
} else {
return MAAT_SCAN_OK;
}
@@ -1964,45 +1841,6 @@ void maat_state_free(struct maat_state *state)
thread_id, sizeof(struct maat_state));
}
int maat_state_set_scan_rule_table(struct maat_state *state, const char *rule_table_name)
{
if (NULL == state) {
return -1;
}
int rule_table_id = table_manager_get_table_id(state->maat_inst->tbl_mgr, rule_table_name);
if (rule_table_id < 0) {
return -1;
}
struct maat *maat_inst = state->maat_inst;
assert(maat_inst != NULL);
if (NULL == maat_inst->maat_rt) {
return -1;
}
state->rule_table_id = rule_table_id;
return 0;
}
int maat_state_get_rule_table_names(struct maat_state *state, uuid_t *rule_ids,
size_t n_rule_ids, char *rule_table_names[])
{
if (NULL == state || NULL == rule_ids || 0 == n_rule_ids ||
NULL == rule_table_names) {
return -1;
}
for (size_t i = 0; i < n_rule_ids; i++) {
int table_id = rule_compile_state_get_rule_table_id(state->rule_compile_state, &rule_ids[i]);
rule_table_names[i] = (char *)table_manager_get_table_name(state->maat_inst->tbl_mgr, table_id);
}
return n_rule_ids;
}
int maat_state_get_hit_paths(struct maat_state *state, struct maat_hit_path *path_array,
size_t array_size)
{
@@ -2056,11 +1894,11 @@ size_t maat_state_get_scan_count(struct maat_state *state)
return state->Nth_scan;
}
int maat_state_get_direct_hit_objects(struct maat_state *state,
struct maat_hit_object *object_array,
size_t array_size)
size_t maat_state_get_hit_items(struct maat_state *state, const char *attribute_name,
uuid_t item_array[], uuid_t direct_object_array[],
size_t array_size)
{
if (NULL == state || NULL == object_array || 0 == array_size) {
if (NULL == state || 0 == array_size) {
return -1;
}
@@ -2068,61 +1906,81 @@ int maat_state_get_direct_hit_objects(struct maat_state *state,
return 0;
}
return rule_compile_state_get_direct_hit_objects(state->rule_compile_state,
object_array, array_size);
return rule_compile_state_get_direct_hit_items(state->maat_inst, state->rule_compile_state, attribute_name, item_array, direct_object_array, array_size);
}
size_t maat_state_get_direct_hit_object_cnt(struct maat_state *state)
size_t maat_state_get_hit_item_cnt(struct maat_state *state, const char *attribute_name)
{
if (NULL == state || NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_direct_hit_object_cnt(state->rule_compile_state);
return rule_compile_state_get_direct_hit_item_cnt(state->maat_inst, state->rule_compile_state, attribute_name);
}
int maat_state_get_indirect_hit_objects(struct maat_state *state,
struct maat_hit_object *object_array,
size_t array_size)
size_t maat_state_get_indirect_hit_objects(struct maat_state *state, const char *attribute_name,
uuid_t object_array[], size_t array_size)
{
if (NULL == state || NULL == object_array || 0 == array_size) {
return -1;
return 0;
}
if (NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_indirect_hit_objects(state->rule_compile_state,
object_array, array_size);
return rule_compile_state_get_indirect_hit_objects(state->maat_inst, state->rule_compile_state, attribute_name, object_array, array_size);
}
size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state)
size_t maat_state_get_indirect_hit_object_cnt(struct maat_state *state, const char *attribute_name)
{
if (NULL == state || NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_indirect_hit_object_cnt(state->rule_compile_state);
return rule_compile_state_get_indirect_hit_object_cnt(state->maat_inst, state->rule_compile_state, attribute_name);
}
int maat_state_get_last_hit_objects(struct maat_state *state,
struct maat_hit_object *object_array,
size_t array_size)
size_t maat_state_get_hit_objects(struct maat_state *state, const char *attribute_name, uuid_t object_array[], size_t array_size)
{
if (NULL == state || NULL == object_array || 0 == array_size) {
return 0;
}
if (NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_hit_objects(state->maat_inst, state->rule_compile_state, attribute_name, object_array, array_size);
}
size_t maat_state_get_hit_object_cnt(struct maat_state *state, const char *attribute_name)
{
if (NULL == state || NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_last_hit_objects(state->rule_compile_state,
object_array, array_size);
return rule_compile_state_get_hit_object_cnt(state->maat_inst, state->rule_compile_state, attribute_name);
}
size_t maat_state_get_last_hit_object_cnt(struct maat_state *state)
size_t maat_state_get_attribute_names(struct maat_state *state, const char *attribute_names[], size_t array_size)
{
if (NULL == state || NULL == attribute_names || 0 == array_size) {
return 0;
}
if (NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_attribute_names(state->rule_compile_state, attribute_names, array_size);
}
size_t maat_state_get_attribute_cnt(struct maat_state *state)
{
if (NULL == state || NULL == state->rule_compile_state) {
return 0;
}
return rule_compile_state_get_last_hit_object_cnt(state->rule_compile_state);
return rule_compile_state_get_attribute_cnt(state->rule_compile_state);
}

10
src/maat_expr.c
View File

@@ -815,11 +815,6 @@ int expr_runtime_scan(struct expr_runtime *expr_rt, int thread_id,
const char *data, size_t data_len,
const char *attribute_name, struct maat_state *state)
{
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
if (0 == expr_rt->rule_num) {
//empty expr table
return 0;
@@ -907,11 +902,6 @@ int expr_runtime_stream_scan(struct expr_runtime_stream *expr_rt_stream,
{
struct expr_runtime *expr_rt = expr_rt_stream->ref_expr_rt;
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
if (0 == expr_rt->rule_num) {
//empty expr table
return 0;

5
src/maat_flag.c
View File

@@ -403,11 +403,6 @@ long long flag_runtime_rule_count(void *flag_runtime)
int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id,
long long flag, const char *attribute_name, struct maat_state *state)
{
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
if (0 == flag_rt->rule_num) {
//empty flag table
return 0;

5
src/maat_interval.c
View File

@@ -411,11 +411,6 @@ long long interval_runtime_rule_count(void *interval_runtime)
int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id,
long long integer, const char *attribute_name, struct maat_state *state)
{
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
if (0 == interval_rt->rule_num) {
//empty interval table
return 0;

5
src/maat_ip.c
View File

@@ -477,11 +477,6 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime)
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
uint8_t *ip_addr, int port, const char *attribute_name, struct maat_state *state)
{
//clear rule_state->last_hit_object
if (state != NULL && state->rule_compile_state != NULL) {
rule_compile_state_clear_last_hit_object(state->rule_compile_state);
}
if (0 == ip_rt->rule_num) {
//empty ip table
return 0;

720
src/maat_rule.c
View File

@@ -68,9 +68,13 @@ struct table_condition {
UT_hash_handle hh;
};
struct negate_attribute_object {
struct attribute_hit_object_collection {
char attribute_name[MAX_ATTR_NAME_LEN];
UT_array *object_uuids;
UT_array *direct_items;
UT_array *indirect_object_uuids;//TODO: ??????? change it to graph?
UT_array *all_object_uuids;
int need_not_condition;
int Nth_scan;
UT_hash_handle hh;
};
@@ -128,34 +132,21 @@ struct internal_hit_path {
char attribute_name[MAX_ATTR_NAME_LEN];
};
struct rule2table_id {
uuid_t rule_uuid;
int table_id;
};
struct rule_compile_state {
int Nth_scan;
int this_scan_not_logic;
time_t rule_rt_version;
UT_array *internal_hit_paths;
UT_array *all_hit_conditions;
UT_array *this_scan_hit_conditions;
UT_array *this_scan_hit_not_conditions;
UT_array *exclude_not_conditions;
UT_array *direct_hit_objects;
UT_array *indirect_hit_objects;
UT_array *last_hit_objects;//TODO: ???????
UT_array *hit_rule_table_ids;
struct negate_attribute_object *hit_negate_attribute_objects;
struct attribute_hit_object_collection *attr_hit_objects_hashtbl;
};
UT_icd ut_condition_id_icd = {sizeof(long long), NULL, NULL, NULL};
UT_icd ut_condition_literal_icd = {sizeof(struct condition_literal), NULL, NULL, NULL};
UT_icd ut_rule_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL};
UT_icd ut_maat_hit_object_icd = {sizeof(struct maat_hit_object), NULL, NULL, NULL};
UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL};
UT_icd ut_maat_item_icd = {sizeof(struct maat_item), NULL, NULL, NULL};
UT_icd ut_hit_path_icd = {sizeof(struct internal_hit_path), NULL, NULL, NULL};
UT_icd ut_hit_rule_table_id_icd = {sizeof(struct rule2table_id), NULL, NULL, NULL};
static void rule_item_free(struct rule_item *item)
{
@@ -678,11 +669,6 @@ static inline int compare_condition_id(const void *a, const void *b)
}
}
static inline int compare_rule_uuid(const void *a, const void *b)
{
return uuid_compare(*(uuid_t *)a, *(uuid_t *)b);
}
/**
* @brief build <condition_query_key, condition_id_array> hash for condition or not_condition
*
@@ -761,72 +747,6 @@ build_condition_id_kv_hash(struct rule_runtime *rule_rt, int negate_option)
return condition_id_kv_hash;
}
static int
maat_rule_has_condition(struct maat_rule *rule, long long condition_id)
{
struct rule_condition *condition = NULL;
for (size_t i = 0; i < MAX_ITEMS_PER_BOOL_EXPR; i++) {
condition = rule->conditions + i;
if (!condition->in_use) {
continue;
}
if (condition->condition_id == condition_id) {
return 1;
}
}
return 0;
}
static size_t
rule_compile_state_if_new_hit_rule(struct rule_compile_state *rule_compile_state,
struct maat_rule *rule)
{
size_t i = 0;
size_t r_in_c_cnt = 0;
int ret = 0;
long long new_hit_condition_id = 0;
if (0 == rule_compile_state->this_scan_not_logic) {
for (i = 0; i < utarray_len(rule_compile_state->this_scan_hit_conditions); i++) {
new_hit_condition_id =
*(long long*)utarray_eltptr(rule_compile_state->this_scan_hit_conditions, i);
ret = maat_rule_has_condition(rule, new_hit_condition_id);
if (ret) {
r_in_c_cnt++;
}
}
} else {
for (i = 0; i < utarray_len(rule_compile_state->this_scan_hit_not_conditions); i++) {
new_hit_condition_id =
*(long long*)utarray_eltptr(rule_compile_state->this_scan_hit_not_conditions, i);
ret = maat_rule_has_condition(rule, new_hit_condition_id);
if (ret) {
r_in_c_cnt++;
}
}
}
return r_in_c_cnt;
}
static void
rule_compile_state_update_hit_rule_table_id(struct rule_compile_state *rule_compile_state,
uuid_t rule_uuid, int table_id)
{
if (!utarray_find(rule_compile_state->hit_rule_table_ids, &rule_uuid,
compare_rule_uuid)) {
struct rule2table_id rule_table_id;
rule_table_id.table_id = table_id;
uuid_copy(rule_table_id.rule_uuid, rule_uuid);
utarray_push_back(rule_compile_state->hit_rule_table_ids, &rule_table_id);
utarray_sort(rule_compile_state->hit_rule_table_ids, compare_rule_uuid);
}
}
static size_t
maat_rule_bool_matcher_match(struct rule_runtime *rule_rt,
struct rule_compile_state *rule_compile_state,
@@ -863,14 +783,9 @@ maat_rule_bool_matcher_match(struct rule_runtime *rule_rt,
continue;
}
size_t n_new_hit_rule =
rule_compile_state_if_new_hit_rule(rule_compile_state, rule);
if (rule->user_data != NULL && n_new_hit_rule > 0) {
if (rule->user_data != NULL) {
user_data_array[ud_result_cnt] = rule->user_data;
ud_result_cnt++;
rule_compile_state_update_hit_rule_table_id(rule_compile_state, rule->rule_uuid,
rule->table_id);
}
}
@@ -883,64 +798,27 @@ struct rule_compile_state *rule_compile_state_new(void)
utarray_new(rule_compile_state->internal_hit_paths, &ut_hit_path_icd);
utarray_new(rule_compile_state->all_hit_conditions, &ut_condition_id_icd);
utarray_new(rule_compile_state->this_scan_hit_conditions, &ut_condition_id_icd);
utarray_new(rule_compile_state->this_scan_hit_not_conditions, &ut_condition_id_icd);
utarray_new(rule_compile_state->exclude_not_conditions, &ut_condition_id_icd);
utarray_new(rule_compile_state->direct_hit_objects, &ut_maat_hit_object_icd);
utarray_new(rule_compile_state->indirect_hit_objects, &ut_maat_hit_object_icd);
utarray_new(rule_compile_state->last_hit_objects, &ut_maat_hit_object_icd);
utarray_new(rule_compile_state->hit_rule_table_ids, &ut_hit_rule_table_id_icd);
rule_compile_state->hit_negate_attribute_objects = NULL;
return rule_compile_state;
}
static long long
rule_compile_state_hit_not_condition_objects_free(struct rule_compile_state *rule_compile_state)
{
if (NULL == rule_compile_state) {
return 0;
}
long long free_bytes = 0;
struct negate_attribute_object *negate_attr_obj = NULL, *tmp_negate_attr_obj = NULL;
HASH_ITER(hh, rule_compile_state->hit_negate_attribute_objects, negate_attr_obj, tmp_negate_attr_obj) {
free_bytes +=
(sizeof(negate_attr_obj) + utarray_len(negate_attr_obj->object_uuids) * sizeof(uuid_t));
HASH_DEL(rule_compile_state->hit_negate_attribute_objects, negate_attr_obj);
if (negate_attr_obj->object_uuids != NULL) {
utarray_free(negate_attr_obj->object_uuids);
negate_attr_obj->object_uuids = NULL;
}
FREE(negate_attr_obj);
}
return free_bytes;
}
void rule_compile_state_reset(struct rule_compile_state *rule_compile_state)
{
if (NULL == rule_compile_state) {
return;
}
rule_compile_state->this_scan_not_logic = 0;
rule_compile_state->Nth_scan = 0;
rule_compile_state->rule_rt_version = 0;
utarray_clear(rule_compile_state->internal_hit_paths);
utarray_clear(rule_compile_state->all_hit_conditions);
utarray_clear(rule_compile_state->this_scan_hit_conditions);
utarray_clear(rule_compile_state->this_scan_hit_not_conditions);
utarray_clear(rule_compile_state->exclude_not_conditions);
utarray_clear(rule_compile_state->direct_hit_objects);
utarray_clear(rule_compile_state->indirect_hit_objects);
utarray_clear(rule_compile_state->last_hit_objects);
utarray_clear(rule_compile_state->hit_rule_table_ids);
struct negate_attribute_object *negate_attr_obj = NULL, *tmp_negate_attr_obj = NULL;
HASH_ITER(hh, rule_compile_state->hit_negate_attribute_objects, negate_attr_obj, tmp_negate_attr_obj) {
utarray_clear(negate_attr_obj->object_uuids);
struct attribute_hit_object_collection *attr_hit_obj = NULL, *tmp_hit_attr_obj = NULL;
HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj, tmp_hit_attr_obj) {
//TODO: clear
}
}
@@ -965,20 +843,6 @@ void rule_compile_state_free(struct rule_compile_state *rule_compile_state,
utarray_free(rule_compile_state->all_hit_conditions);
rule_compile_state->all_hit_conditions = NULL;
}
if (rule_compile_state->this_scan_hit_conditions != NULL) {
free_bytes += utarray_size(rule_compile_state->this_scan_hit_conditions) *
sizeof(long long);
utarray_free(rule_compile_state->this_scan_hit_conditions);
rule_compile_state->this_scan_hit_conditions = NULL;
}
if (rule_compile_state->this_scan_hit_not_conditions != NULL) {
free_bytes += utarray_size(rule_compile_state->this_scan_hit_not_conditions) *
sizeof(long long);
utarray_free(rule_compile_state->this_scan_hit_not_conditions);
rule_compile_state->this_scan_hit_not_conditions = NULL;
}
if (rule_compile_state->exclude_not_conditions != NULL) {
free_bytes += utarray_size(rule_compile_state->exclude_not_conditions) *
@@ -987,35 +851,7 @@ void rule_compile_state_free(struct rule_compile_state *rule_compile_state,
rule_compile_state->exclude_not_conditions = NULL;
}
if (rule_compile_state->direct_hit_objects != NULL) {
free_bytes += utarray_size(rule_compile_state->direct_hit_objects) *
sizeof(struct maat_hit_object);
utarray_free(rule_compile_state->direct_hit_objects);
rule_compile_state->direct_hit_objects = NULL;
}
if (rule_compile_state->indirect_hit_objects != NULL) {
free_bytes += utarray_size(rule_compile_state->indirect_hit_objects) *
sizeof(struct maat_hit_object);
utarray_free(rule_compile_state->indirect_hit_objects);
rule_compile_state->indirect_hit_objects = NULL;
}
if (rule_compile_state->last_hit_objects != NULL) {
free_bytes += utarray_size(rule_compile_state->last_hit_objects) *
sizeof(struct maat_hit_object);
utarray_free(rule_compile_state->last_hit_objects);
rule_compile_state->last_hit_objects = NULL;
}
if (rule_compile_state->hit_rule_table_ids != NULL) {
free_bytes += utarray_size(rule_compile_state->hit_rule_table_ids) *
sizeof(struct rule2table_id);
utarray_free(rule_compile_state->hit_rule_table_ids);
rule_compile_state->hit_rule_table_ids = NULL;
}
free_bytes += rule_compile_state_hit_not_condition_objects_free(rule_compile_state);
//TODO: free attr_hit_objects_hashtbl
FREE(rule_compile_state);
@@ -1056,7 +892,7 @@ static int maat_rule_has_condition_query_key(struct maat_rule *rule,
for (size_t j = 0; j < utarray_len(condition->literals); j++) {
tmp_literal = (struct condition_literal *)utarray_eltptr(condition->literals, j);
if (strncmp(tmp_literal->attribute_name, key->attribute_name, sizeof(key->attribute_name)) != 0) {
if (strcmp(tmp_literal->attribute_name, key->attribute_name) != 0) {
continue;
}
@@ -1094,7 +930,7 @@ maat_rule_get_hit_condition_index(struct maat_rule *rule,
for (size_t j = 0; j < utarray_len(tmp_condition->literals); j++) {
tmp_literal = (struct condition_literal *)utarray_eltptr(tmp_condition->literals, j);
if (strncmp(tmp_literal->attribute_name, attribute_name, sizeof(tmp_literal->attribute_name)) != 0) {
if (strcmp(tmp_literal->attribute_name, attribute_name) != 0) {
continue;
}
@@ -1234,36 +1070,28 @@ size_t rule_runtime_get_hit_paths(struct rule_runtime *rule_rt, int thread_id,
static void
rule_compile_state_add_direct_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_item *hit_items,
size_t n_hit_items, const char *attribute_name)
size_t n_hit_items, struct attribute_hit_object_collection * attr_hit_obj_coll)
{
if (NULL == rule_compile_state || NULL == hit_items) {
return;
}
struct maat_hit_object hit_object;
for (size_t i = 0; i < n_hit_items; i++) {
uuid_copy(hit_object.item_uuid, hit_items[i].item_uuid);
uuid_copy(hit_object.object_uuid, hit_items[i].object_uuid);
snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name);
utarray_push_back(rule_compile_state->direct_hit_objects, &hit_object);
utarray_push_back(attr_hit_obj_coll->direct_items, &hit_items[i]);
}
}
static void
rule_compile_state_add_indirect_hit_objects(struct rule_compile_state *rule_compile_state,
uuid_t *object_uuids,
size_t n_object_uuids, const char *attribute_name)
uuid_t *object_uuids, size_t n_object_uuids,
struct attribute_hit_object_collection * attr_hit_obj_coll)
{
if (NULL == rule_compile_state || NULL == object_uuids) {
return;
}
struct maat_hit_object hit_object;
for (size_t i = 0; i < n_object_uuids; i++) {
uuid_clear(hit_object.item_uuid);
uuid_copy(hit_object.object_uuid, object_uuids[i]);
snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name);
utarray_push_back(rule_compile_state->indirect_hit_objects, &hit_object);
utarray_push_back(attr_hit_obj_coll->indirect_object_uuids, &object_uuids[i]);
}
}
@@ -1271,24 +1099,24 @@ static void
rule_compile_state_add_hit_conditions(struct rule_compile_state *rule_compile_state,
UT_array *condition_id_array)
{
size_t i = 0;
int condition_id_idx_array[utarray_len(condition_id_array)];
int condition_id_idx_array_len = 0;
long long *condition_id = NULL;
size_t new_condition_idx = utarray_len(rule_compile_state->this_scan_hit_conditions);
for (i = 0; i < utarray_len(condition_id_array); i++) {
for (size_t i = 0; i < utarray_len(condition_id_array); i++) {
condition_id = (long long *)utarray_eltptr(condition_id_array, i);
if (utarray_find(rule_compile_state->all_hit_conditions, condition_id, compare_condition_id)) {
continue;
}
utarray_push_back(rule_compile_state->this_scan_hit_conditions, condition_id);
condition_id_idx_array[condition_id_idx_array_len] = i;
condition_id_idx_array_len++;
}
if ((utarray_len(rule_compile_state->this_scan_hit_conditions) - new_condition_idx) > 0) {
utarray_reserve(rule_compile_state->all_hit_conditions,
utarray_len(rule_compile_state->this_scan_hit_conditions) - new_condition_idx);
if (condition_id_idx_array_len > 0) {
utarray_reserve(rule_compile_state->all_hit_conditions, condition_id_idx_array_len);
for (i = new_condition_idx; i < utarray_len(rule_compile_state->this_scan_hit_conditions); i++) {
condition_id = (long long *)utarray_eltptr(rule_compile_state->this_scan_hit_conditions, i);
for (size_t i = 0; i < condition_id_idx_array_len; i++) {
condition_id = (long long *)utarray_eltptr(condition_id_array, condition_id_idx_array[i]);
utarray_push_back(rule_compile_state->all_hit_conditions, condition_id);
}
utarray_sort(rule_compile_state->all_hit_conditions, compare_condition_id);
@@ -1299,26 +1127,39 @@ static void
rule_compile_state_add_exclude_not_conditions(struct rule_compile_state *rule_compile_state,
UT_array *condition_id_array)
{
int condition_id_idx_array[utarray_len(condition_id_array)];
int condition_id_idx_array_len = 0;
long long *condition_id = NULL;
for (size_t i = 0; i < utarray_len(condition_id_array); i++) {
long long *condition_id = (long long *)utarray_eltptr(condition_id_array, i);
if (utarray_find(rule_compile_state->exclude_not_conditions, condition_id,
compare_condition_id)) {
condition_id = (long long *)utarray_eltptr(condition_id_array, i);
if (utarray_find(rule_compile_state->exclude_not_conditions, condition_id, compare_condition_id)) {
continue;
}
utarray_push_back(rule_compile_state->exclude_not_conditions, condition_id);
condition_id_idx_array[condition_id_idx_array_len] = i;
condition_id_idx_array_len++;
}
if (condition_id_idx_array_len > 0) {
utarray_reserve(rule_compile_state->exclude_not_conditions, condition_id_idx_array_len);
for (size_t i = 0; i < condition_id_idx_array_len; i++) {
condition_id = (long long *)utarray_eltptr(condition_id_array, condition_id_idx_array[i]);
utarray_push_back(rule_compile_state->exclude_not_conditions, condition_id);
}
utarray_sort(rule_compile_state->exclude_not_conditions, compare_condition_id);
}
utarray_sort(rule_compile_state->exclude_not_conditions, compare_condition_id);
}
static void
rule_compile_state_add_hit_not_conditions(struct rule_compile_state *rule_compile_state,
UT_array *condition_id_array)
{
size_t i = 0;
{
int condition_id_idx_array[utarray_len(condition_id_array)];
int condition_id_idx_array_len = 0;
long long *condition_id = NULL;
size_t new_condition_idx = utarray_len(rule_compile_state->this_scan_hit_not_conditions);
for (i = 0; i < utarray_len(condition_id_array); i++) {
for (size_t i = 0; i < utarray_len(condition_id_array); i++) {
condition_id = (long long *)utarray_eltptr(condition_id_array, i);
if (utarray_find(rule_compile_state->all_hit_conditions, condition_id, compare_condition_id)) {
continue;
@@ -1327,125 +1168,21 @@ rule_compile_state_add_hit_not_conditions(struct rule_compile_state *rule_compil
if (utarray_find(rule_compile_state->exclude_not_conditions, condition_id, compare_condition_id)) {
continue;
}
utarray_push_back(rule_compile_state->this_scan_hit_not_conditions, condition_id);
condition_id_idx_array[condition_id_idx_array_len] = i;
condition_id_idx_array_len++;
}
if ((utarray_len(rule_compile_state->this_scan_hit_not_conditions) - new_condition_idx) > 0) {
utarray_reserve(rule_compile_state->all_hit_conditions,
utarray_len(rule_compile_state->this_scan_hit_not_conditions) - new_condition_idx);
if (condition_id_idx_array_len > 0) {
utarray_reserve(rule_compile_state->all_hit_conditions, condition_id_idx_array_len);
for (i = new_condition_idx; i < utarray_len(rule_compile_state->this_scan_hit_not_conditions); i++) {
condition_id = (long long *)utarray_eltptr(rule_compile_state->this_scan_hit_not_conditions, i);
for (size_t i = 0; i < condition_id_idx_array_len; i++) {
condition_id = (long long *)utarray_eltptr(condition_id_array, condition_id_idx_array[i]);
utarray_push_back(rule_compile_state->all_hit_conditions, condition_id);
}
utarray_sort(rule_compile_state->all_hit_conditions, compare_condition_id);
}
}
static void
rule_compile_state_update_hit_conditions(struct rule_compile_state *rule_compile_state,
struct rule_runtime *rule_rt,
uuid_t object_uuid, const char *attribute_name)
{
if (NULL == rule_compile_state || NULL == rule_rt) {
return;
}
struct condition_query_key key;
struct condition_id_kv *condition_id_kv = NULL;
memset(&key, 0, sizeof(key));
key.negate_option = 0;
snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attribute_name);
uuid_copy(key.object_uuid, object_uuid);
HASH_FIND(hh, rule_rt->condition_id_kv_hash, &key, sizeof(key), condition_id_kv);
if (condition_id_kv != NULL) {
rule_compile_state_add_hit_conditions(rule_compile_state, condition_id_kv->condition_ids);
}
key.negate_option = 1;
HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv);
if (condition_id_kv != NULL) {
rule_compile_state_add_exclude_not_conditions(rule_compile_state, condition_id_kv->condition_ids);
}
}
static void
rule_compile_state_cache_hit_not_objects(struct rule_compile_state *rule_compile_state,
struct rule_runtime *rule_rt,
uuid_t *hit_object_uuids,
size_t n_hit_object_uuid, const char *attribute_name)
{
if (NULL == rule_compile_state || NULL == rule_rt) {
return;
}
if (n_hit_object_uuid != 0) {
qsort(hit_object_uuids, n_hit_object_uuid, sizeof(uuid_t), compare_object_uuid);
}
struct negate_attribute_object *negate_attr_obj = NULL;
HASH_FIND_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj);
if (negate_attr_obj != NULL) {
for (size_t i = 0; i < n_hit_object_uuid; i++) {
uuid_t *object_uuid = (uuid_t *)utarray_find(negate_attr_obj->object_uuids,
&hit_object_uuids[i],
compare_object_uuid);
if (NULL == object_uuid) {
continue;
}
size_t remove_idx = utarray_eltidx(negate_attr_obj->object_uuids, object_uuid);
utarray_erase(negate_attr_obj->object_uuids, remove_idx, 1);
}
}
struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL;
HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) {
if (strncmp(condition_id_kv->key.attribute_name, attribute_name, strlen(attribute_name)) != 0) {
continue;
}
uuid_t *tmp_object_uuid =
bsearch(&(condition_id_kv->key.object_uuid), hit_object_uuids,
n_hit_object_uuid, sizeof(uuid_t), compare_object_uuid);
if (tmp_object_uuid != NULL) {
continue;
}
if (NULL == negate_attr_obj) {
negate_attr_obj = ALLOC(struct negate_attribute_object, 1);
snprintf(negate_attr_obj->attribute_name, sizeof(negate_attr_obj->attribute_name), "%s", attribute_name);
utarray_new(negate_attr_obj->object_uuids, &ut_rule_object_uuid_icd);
HASH_ADD_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj);
}
if (!utarray_find(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid),
compare_object_uuid)) {
utarray_push_back(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid));
}
}
if (negate_attr_obj != NULL) {
utarray_sort(negate_attr_obj->object_uuids, compare_object_uuid);
}
}
int rule_compile_state_get_rule_table_id(struct rule_compile_state *rule_compile_state,
uuid_t *rule_id)
{
struct rule2table_id *tmp = NULL;
tmp = utarray_find(rule_compile_state->hit_rule_table_ids, rule_id,
compare_rule_uuid);
if (NULL == tmp) {
return -1;
}
return tmp->table_id;
}
static int
rule_runtime_add_rule(struct rule_runtime *rule_rt,
struct rule_schema *schema,
@@ -1726,7 +1463,65 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids,
{
struct rule_compile_state *rule_compile_state = state->rule_compile_state;
struct rule_item *rule_items[rule_ids_size];
utarray_clear(rule_compile_state->all_hit_conditions);
utarray_clear(rule_compile_state->exclude_not_conditions);
struct attribute_hit_object_collection *attr_hit_obj_coll = NULL, *tmp = NULL;
HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj_coll, tmp) {
struct condition_query_key key;
memset(&key, 0, sizeof(key));
snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attr_hit_obj_coll->attribute_name);
for (int i = 0; i < utarray_len(attr_hit_obj_coll->all_object_uuids); i++) {
uuid_t *object_uuid = utarray_eltptr(attr_hit_obj_coll->all_object_uuids, i);
uuid_copy(key.object_uuid, *object_uuid);
key.negate_option = 0;
struct condition_id_kv *condition_id_kv = NULL;
HASH_FIND(hh, rule_rt->condition_id_kv_hash, &key, sizeof(key), condition_id_kv);
if (condition_id_kv != NULL) {
rule_compile_state_add_hit_conditions(rule_compile_state, condition_id_kv->condition_ids);
}
if (attr_hit_obj_coll->need_not_condition) {
key.negate_option = 1;
HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv);
if (condition_id_kv != NULL) {
rule_compile_state_add_exclude_not_conditions(rule_compile_state, condition_id_kv->condition_ids);
}
}
}
}
//not conditions
struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL;
HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) {
HASH_FIND_STR(rule_compile_state->attr_hit_objects_hashtbl, condition_id_kv->key.attribute_name, attr_hit_obj_coll);
if (attr_hit_obj_coll == NULL || attr_hit_obj_coll->need_not_condition == 0) {
continue;
}
uuid_t *object_uuid = bsearch(&(condition_id_kv->key.object_uuid),
utarray_eltptr(attr_hit_obj_coll->all_object_uuids, 0),
utarray_len(attr_hit_obj_coll->all_object_uuids),
sizeof(uuid_t), compare_object_uuid);
if (object_uuid != NULL) {
continue;
}
rule_compile_state_add_hit_not_conditions(rule_compile_state, condition_id_kv->condition_ids);
if (state->maat_inst->opts.hit_path_on) {
uuid_t null_uuid;
uuid_clear(null_uuid);
rule_compile_state_add_internal_hit_path(rule_compile_state, null_uuid,
condition_id_kv->key.object_uuid,
condition_id_kv->key.attribute_name, 1,
attr_hit_obj_coll->Nth_scan);
}
}
// all hit condition_id -> rule_id
size_t bool_match_ret =
maat_rule_bool_matcher_match(rule_rt, rule_compile_state,
@@ -1745,6 +1540,56 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids,
return MIN(bool_match_ret, rule_ids_size);
}
static struct attribute_hit_object_collection * rule_compile_state_get_attr_hit_obj_coll(struct maat *maat_inst, struct rule_compile_state *rule_compile_state,
const char *attribute_name)
{
struct attribute_hit_object_collection *attr_hit_obj_coll = NULL;
HASH_FIND_STR(rule_compile_state->attr_hit_objects_hashtbl, attribute_name, attr_hit_obj_coll);
if (attr_hit_obj_coll == NULL) {
attr_hit_obj_coll = ALLOC(struct attribute_hit_object_collection, 1);
snprintf(attr_hit_obj_coll->attribute_name, sizeof(attr_hit_obj_coll->attribute_name), "%s", attribute_name);
utarray_new(attr_hit_obj_coll->all_object_uuids, &ut_object_uuid_icd);
if (1 == maat_inst->opts.hit_object_on) {
utarray_new(attr_hit_obj_coll->direct_items, &ut_maat_item_icd);
utarray_new(attr_hit_obj_coll->indirect_object_uuids, &ut_object_uuid_icd);
}
HASH_ADD_STR(rule_compile_state->attr_hit_objects_hashtbl, attribute_name, attr_hit_obj_coll);
}
return attr_hit_obj_coll;
}
static void rule_compile_state_add_hit_objects(struct rule_compile_state *rule_compile_state,
struct attribute_hit_object_collection * attr_hit_obj_coll,
uuid_t object_uuids[], size_t n_object_uuids)
{
int object_uuid_idx_array[n_object_uuids];
int object_uuid_idx_array_len = 0;
uuid_t *object_uuid = NULL;
for (size_t i = 0; i < n_object_uuids; i++) {
object_uuid = object_uuids + i;
if (utarray_find(attr_hit_obj_coll->all_object_uuids, object_uuid, compare_object_uuid)) {
continue;
}
object_uuid_idx_array[object_uuid_idx_array_len] = i;
object_uuid_idx_array_len++;
}
if (object_uuid_idx_array_len > 0) {
utarray_reserve(attr_hit_obj_coll->all_object_uuids, object_uuid_idx_array_len);
for (size_t i = 0; i < object_uuid_idx_array_len; i++) {
object_uuid = object_uuids + object_uuid_idx_array[i];
utarray_push_back(attr_hit_obj_coll->all_object_uuids, object_uuid);
}
utarray_sort(attr_hit_obj_coll->all_object_uuids, compare_object_uuid);
}
return;
}
int rule_compile_state_update(struct rule_compile_state *rule_compile_state, struct maat *maat_inst,
const char *attribute_name, int custom_rule_tbl_id, int Nth_scan,
struct maat_item *hit_items, size_t n_hit_item)
@@ -1752,19 +1597,11 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str
size_t i = 0, j = 0;
size_t hit_cnt = n_hit_item;
uuid_t hit_object_uuids[MAX_HIT_OBJECT_NUM];
struct maat_hit_object hit_object;
utarray_clear(rule_compile_state->this_scan_hit_conditions);
rule_compile_state->this_scan_not_logic = 0;
rule_compile_state->Nth_scan = Nth_scan;
for (i = 0; i < hit_cnt; i++) {
uuid_copy(hit_object_uuids[i], hit_items[i].object_uuid);
uuid_copy(hit_object.item_uuid, hit_items[i].item_uuid);
uuid_copy(hit_object.object_uuid, hit_items[i].object_uuid);
snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name);
utarray_push_back(rule_compile_state->last_hit_objects, &hit_object);
}
int object_group_table_id = table_manager_get_object_group_table_id(maat_inst->tbl_mgr);
@@ -1774,12 +1611,9 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str
size_t super_object_cnt = object_group_runtime_get_super_objects(object_group_rt, hit_object_uuids,
hit_cnt, super_object_uuids,
MAX_HIT_OBJECT_NUM);
for (i = 0; i < super_object_cnt; i++) {
uuid_clear(hit_object.item_uuid);
uuid_copy(hit_object.object_uuid, super_object_uuids[i]);
snprintf(hit_object.attribute_name, sizeof(hit_object.attribute_name), "%s", attribute_name);
utarray_push_back(rule_compile_state->last_hit_objects, &hit_object);
}
struct attribute_hit_object_collection * attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
if (1 == maat_inst->opts.hit_path_on && hit_cnt > 0) {
for (i = 0; i < hit_cnt; i++) {
@@ -1789,157 +1623,127 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str
}
if (1 == maat_inst->opts.hit_object_on) {
rule_compile_state_add_direct_hit_objects(rule_compile_state, hit_items, hit_cnt, attribute_name);
rule_compile_state_add_direct_hit_objects(rule_compile_state, hit_items, hit_cnt, attr_hit_obj_coll);
rule_compile_state_add_indirect_hit_objects(rule_compile_state, super_object_uuids,
super_object_cnt, attribute_name);
}
/* update hit condition */
int rule_table_id = table_manager_get_default_rule_table_id(maat_inst->tbl_mgr);
if (custom_rule_tbl_id > 0) {
rule_table_id = custom_rule_tbl_id;
}
struct rule_runtime *rule_rt = table_manager_get_runtime(maat_inst->tbl_mgr,
rule_table_id);
if (NULL == rule_rt) {
return 0;
super_object_cnt, attr_hit_obj_coll);
}
for (j = 0; j < super_object_cnt && hit_cnt < MAX_HIT_OBJECT_NUM; j++) {
uuid_copy(hit_object_uuids[hit_cnt++], super_object_uuids[j]);
}
for (i = 0; i < hit_cnt; i++) {
rule_compile_state_update_hit_conditions(rule_compile_state, rule_rt,
hit_object_uuids[i], attribute_name);
}
rule_compile_state_add_hit_objects(rule_compile_state, attr_hit_obj_coll, hit_object_uuids, hit_cnt);
rule_compile_state_cache_hit_not_objects(rule_compile_state, rule_rt, hit_object_uuids,
hit_cnt, attribute_name);
return hit_cnt;
}
void rule_compile_state_clear_last_hit_object(struct rule_compile_state *rule_compile_state)
void rule_compile_state_not_logic_update(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name, int Nth_scan)
{
if (NULL == rule_compile_state) {
if (NULL == maat_inst || NULL == rule_compile_state) {
return;
}
utarray_clear(rule_compile_state->last_hit_objects);
}
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
void rule_compile_state_not_logic_update(struct rule_compile_state *rule_compile_state,
struct rule_runtime *rule_rt,
struct maat *maat_inst, const char *attribute_name,
int Nth_scan)
{
if (NULL == rule_compile_state || NULL == maat_inst) {
return;
}
rule_compile_state->this_scan_not_logic = 1;
attr_hit_obj_coll->need_not_condition = 1;
rule_compile_state->Nth_scan = Nth_scan;
utarray_clear(rule_compile_state->this_scan_hit_not_conditions);
struct negate_attribute_object *negate_attr_obj = NULL;
HASH_FIND_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj);
if (NULL == negate_attr_obj) {
return;
return;
}
size_t rule_compile_state_get_indirect_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state,
const char *attribute_name, uuid_t object_array[], size_t array_size)
{
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
size_t i = 0;
for (i = 0; i < utarray_len(attr_hit_obj_coll->indirect_object_uuids) && i < array_size; i++) {
uuid_copy(object_array[i], *(uuid_t *)utarray_eltptr(attr_hit_obj_coll->indirect_object_uuids, i));
}
struct condition_id_kv *condition_id_kv = NULL;
for (size_t i = 0; i < utarray_len(negate_attr_obj->object_uuids); i++) {
struct condition_query_key key;
utarray_clear(attr_hit_obj_coll->indirect_object_uuids);
uuid_t *object_uuid = utarray_eltptr(negate_attr_obj->object_uuids, i);
memset(&key, 0, sizeof(key));
snprintf(key.attribute_name, sizeof(key.attribute_name), "%s", attribute_name);
key.negate_option = 1;
uuid_copy(key.object_uuid, *object_uuid);
HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv);
if (NULL == condition_id_kv) {
continue;
}
return i;
}
rule_compile_state_add_hit_not_conditions(rule_compile_state, condition_id_kv->condition_ids);
if (1 == maat_inst->opts.hit_path_on) {
uuid_t null_uuid;
uuid_clear(null_uuid);
rule_compile_state_add_internal_hit_path(rule_compile_state, null_uuid, *object_uuid,
attribute_name, 1, Nth_scan);
size_t rule_compile_state_get_indirect_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name)
{
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
return utarray_len(attr_hit_obj_coll->indirect_object_uuids);
}
size_t rule_compile_state_get_direct_hit_items(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name,
uuid_t item_array[], uuid_t direct_object_array[], size_t array_size)
{
size_t i = 0;
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
for (i = 0; i < utarray_len(attr_hit_obj_coll->direct_items) && i < array_size; i++) {
struct maat_item *item = (struct maat_item *)utarray_eltptr(attr_hit_obj_coll->direct_items, i);
uuid_copy(direct_object_array[i], item->object_uuid);
uuid_copy(item_array[i], item->item_uuid);
}
utarray_clear(attr_hit_obj_coll->direct_items);
return i;
}
size_t rule_compile_state_get_direct_hit_item_cnt(struct maat * maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name)
{
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
return utarray_len(attr_hit_obj_coll->direct_items);
}
size_t rule_compile_state_get_hit_objects(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name,
uuid_t object_array[], size_t array_size)
{
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
size_t i = 0;
for (i = 0; i < utarray_len(attr_hit_obj_coll->all_object_uuids) && i < array_size; i++) {
uuid_copy(object_array[i], *(uuid_t *)utarray_eltptr(attr_hit_obj_coll->all_object_uuids, i));
}
utarray_clear(attr_hit_obj_coll->all_object_uuids);
return i;
}
size_t rule_compile_state_get_hit_object_cnt(struct maat *maat_inst, struct rule_compile_state *rule_compile_state, const char *attribute_name)
{
struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
assert(attr_hit_obj_coll != NULL);
return utarray_len(attr_hit_obj_coll->all_object_uuids);
}
size_t rule_compile_state_get_attribute_names(struct rule_compile_state *rule_compile_state, const char *attribute_name_array[], size_t array_size)
{
size_t i = 0;
struct attribute_hit_object_collection *attr_hit_obj_coll = NULL, *tmp = NULL;
HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj_coll, tmp) {
attribute_name_array[i] = attr_hit_obj_coll->attribute_name;
i++;
if (i >= array_size) {
break;
}
}
}
size_t rule_compile_state_get_indirect_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_hit_object *object_array,
size_t array_size)
{
size_t i = 0;
struct maat_hit_object *hit_object = NULL;
for (i = 0; i < utarray_len(rule_compile_state->indirect_hit_objects) && i < array_size; i++) {
hit_object =
(struct maat_hit_object *)utarray_eltptr(rule_compile_state->indirect_hit_objects, i);
uuid_copy(object_array[i].item_uuid, hit_object->item_uuid);
uuid_copy(object_array[i].object_uuid, hit_object->object_uuid);
memcpy(object_array[i].attribute_name, hit_object->attribute_name, sizeof(object_array[i].attribute_name));
}
utarray_clear(rule_compile_state->indirect_hit_objects);
return i;
}
size_t rule_compile_state_get_indirect_hit_object_cnt(struct rule_compile_state *rule_compile_state)
size_t rule_compile_state_get_attribute_cnt(struct rule_compile_state *rule_compile_state)
{
return utarray_len(rule_compile_state->indirect_hit_objects);
}
size_t rule_compile_state_get_last_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_hit_object *object_array,
size_t array_size)
{
size_t i = 0;
for (i = 0; i < utarray_len(rule_compile_state->last_hit_objects) && i < array_size; i++) {
object_array[i] =
*(struct maat_hit_object *)utarray_eltptr(rule_compile_state->last_hit_objects, i);
}
return i;
}
size_t rule_compile_state_get_last_hit_object_cnt(struct rule_compile_state *rule_compile_state)
{
return utarray_len(rule_compile_state->last_hit_objects);
}
size_t rule_compile_state_get_direct_hit_objects(struct rule_compile_state *rule_compile_state,
struct maat_hit_object *object_array,
size_t array_size)
{
UT_array *direct_hit_object = rule_compile_state->direct_hit_objects;
size_t i = 0;
struct maat_hit_object *object = NULL;
for (i = 0; i < utarray_len(direct_hit_object) && i < array_size; i++) {
object = (struct maat_hit_object *)utarray_eltptr(direct_hit_object, i);
uuid_copy(object_array[i].item_uuid, object->item_uuid);
uuid_copy(object_array[i].object_uuid, object->object_uuid);
memcpy(object_array[i].attribute_name, object->attribute_name, sizeof(object_array[i].attribute_name));
}
utarray_clear(rule_compile_state->direct_hit_objects);
return i;
}
size_t rule_compile_state_get_direct_hit_object_cnt(struct rule_compile_state *rule_compile_state)
{
return utarray_len(rule_compile_state->direct_hit_objects);
return HASH_COUNT(rule_compile_state->attr_hit_objects_hashtbl);
}
size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule_compile_state,
@@ -1959,7 +1763,7 @@ size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule
*/
uuid_t super_object_uuids[MAX_HIT_OBJECT_NUM];
UT_array *valid_super_object_uuids;
utarray_new(valid_super_object_uuids, &ut_rule_object_uuid_icd);
utarray_new(valid_super_object_uuids, &ut_object_uuid_icd);
size_t super_object_cnt =
object_group_runtime_get_super_objects(object_group_rt, &(internal_path->object_uuid), 1,

30
test/maat_framework_gtest.cpp
View File

@@ -1343,7 +1343,6 @@ TEST_P(StringScan, StreamHitDirectObject) {
state = NULL;
}
//TODO
TEST_P(StringScan, StreamLiteralPrefix)
{
uuid_t results[ARRAY_SIZE];
@@ -2529,35 +2528,6 @@ TEST_F(ObjectScan, Attribute) {
sleep(2);
}
TEST_F(ObjectScan, SetScanRuleTable) {
uuid_t results[ARRAY_SIZE];
size_t n_hit_result = 0;
int thread_id = 0;
const char *table_name = "KEYWORDS_TABLE";
const char *attribute_name = "KEYWORDS_TABLE";
struct maat *maat_inst = ObjectScan::_shared_maat_inst;
struct maat_state *state = maat_state_new(maat_inst, thread_id);
const char *rule_table_name = "RULE_FIREWALL_CONJUNCTION";
int ret = maat_state_set_scan_rule_table(state, rule_table_name);
EXPECT_EQ(ret, 0);
struct maat_hit_object hit_object;
uuid_parse("00000000-0000-0000-0000-000000000248", hit_object.object_uuid);
ret = maat_scan_object(maat_inst, table_name, attribute_name, &hit_object, 1, results,
ARRAY_SIZE, &n_hit_result, state);
EXPECT_EQ(ret, MAAT_SCAN_HIT);
EXPECT_EQ(n_hit_result, 1);
char uuid_str[UUID_STR_LEN] = {0};
uuid_unparse(results[0], uuid_str);
EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000000227");
maat_state_free(state);
state = NULL;
sleep(2);
}
class NOTLogic : public testing::Test
{
protected:

19
test/maat_json.json
View File

@@ -3845,25 +3845,6 @@
}
]
},
{
"uuid": "00000000-0000-0000-0000-000000000227",
"service": 1,
"action": 1,
"do_blacklist": 1,
"do_log": 1,
"action_parameter": "maat_scan_object",
"rule_table_name": "RULE_FIREWALL_DEFAULT",
"is_valid": "yes",
"and_conditions": [
{
"attribute_name": "KEYWORDS_TABLE",
"object_name": "227_url_object",
"object_uuids": [
"00000000-0000-0000-0000-000000000248"
]
}
]
},
{
"uuid": "00000000-0000-0000-0000-000000000228",
"service": 1,