complete new api and test case

include/maat.h

@@ -296,7 +296,7 @@ struct maat_state *maat_state_new(struct maat *instance, int thread_id);
  * @param ex_data_array:  rule ex_data array
  * @param n_result:       the size of rule_array and ex_data_array
 */
-size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result);
+size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], size_t n_result);
 
 void maat_state_reset(struct maat_state *state);
 

scanner/expr_matcher/adapter_hs/adapter_hs.cpp

@@ -341,7 +341,6 @@ static int matched_event_cb(unsigned int id, unsigned long long from,
     return 0;
 }
 
-UT_icd ut_hs_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL};
 void *hs_lit_stream_open(void *hs_lit_engine, int thread_id)
 {
     if (NULL == hs_lit_engine || thread_id < 0) {

scanner/expr_matcher/adapter_rs/adapter_rs.cpp

@@ -313,7 +313,6 @@ void rs_lit_engine_free(void *rs_lit_engine)
     FREE(rs_lit_inst);
 }
 
-UT_icd ut_rs_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL};
 void *rs_lit_engine_new(struct expr_rule *rules, size_t n_rule,
                          struct pattern_attribute *pat_attr,
                          void *rs_lit_db, size_t n_thread,

scanner/expr_matcher/expr_matcher.cpp

@@ -65,7 +65,7 @@ struct db_operations {
     int (*build_db)(void **lit_db, void *compile_data, struct log_handle *logger);
 };
 
-UT_icd ut_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL};
+static UT_icd ut_pattern_id_icd = {sizeof(unsigned long long), NULL, NULL, NULL};
 
 struct db_operations db_ops[EXPR_ENGINE_TYPE_AUTO] = {
     {

scanner/ipport_matcher/ipport_matcher.c

@@ -35,7 +35,7 @@ struct ipport_matcher {
     struct ip_matcher *ip_matcher;
 };
 
-UT_icd ut_port_range_icd = {sizeof(struct port_range), NULL, NULL, NULL};
+static UT_icd ut_port_range_icd = {sizeof(struct port_range), NULL, NULL, NULL};
 static inline int compare_port_range_for_sort(const void *a, const void *b)
 {
     struct port_range range_a = *(const struct port_range *)a;

src/maat_api.c

@@ -1170,7 +1170,7 @@ string_scan(struct table_manager *tbl_mgr, int thread_id,
     return object_hit_cnt;
 }
 
-size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], void *ex_data_array[], size_t n_result)
+size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid_t rule_array[], size_t n_result)
 {
     int table_id = maat_get_table_id(state->maat_inst, table_name);
     if (table_id < 0) {
@@ -1183,16 +1183,10 @@ size_t maat_state_compile(struct maat_state *state, const char *table_name, uuid
     }
 
     int rule_num = rule_runtime_match((struct rule_runtime *)rule_rt, rule_array, n_result, state);
-    if (rule_num <= 0) {
-        return 0;
+    if (rule_num > 0) {
+        alignment_int64_array_add(state->maat_inst->stat->hit_rule_cnt, state->thread_id, rule_num);
     }
 
-    for (int i = 0; i < rule_num; i++) {
-        ex_data_array[i] = maat_plugin_table_get_ex_data(state->maat_inst, table_name, (char*)&rule_array[i], sizeof(uuid_t));
-    }
-
-    alignment_int64_array_add(state->maat_inst->stat->hit_rule_cnt, state->thread_id, rule_num);
-
     return rule_num;
 }
 

src/maat_ex_data.c

@@ -54,7 +54,7 @@ void cache_row_copy(void *dst, const void *src)
     ex_data_row_dst->op = ex_data_row_src->op;
 }
 
-UT_icd ut_cache_row_icd = {sizeof(struct ex_data_row), NULL, cache_row_copy, cache_row_free};
+static UT_icd ut_cache_row_icd = {sizeof(struct ex_data_row), NULL, cache_row_copy, cache_row_free};
 
 struct ex_data_runtime *
 ex_data_runtime_new(int table_id, int gc_timeout_s, struct log_handle *logger)

src/maat_object.c

@@ -69,7 +69,7 @@ struct object_group_runtime {
     struct log_handle *logger;
 };
 
-UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL};
+static UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL};
 
 static inline int compare_object_uuid(const void *a, const void *b)
 {

src/maat_rule.c

@@ -71,9 +71,11 @@ struct table_condition {
 struct attribute_hit_object_collection {
     char attribute_name[MAX_ATTR_NAME_LEN];
     UT_array *direct_items;
-    UT_array *indirect_object_uuids;//TODO: ??????? change it to graph?
+    UT_array *indirect_object_uuids;//TODO: change it to graph?
     UT_array *all_object_uuids;
-    int need_not_condition;
+    UT_array *negate_object_uuids;
+    int need_negate_condition;
+    int need_scan_not_object;
     int Nth_scan;
     UT_hash_handle hh;
 };
@@ -142,11 +144,11 @@ struct rule_compile_state {
     struct attribute_hit_object_collection *attr_hit_objects_hashtbl;
 };
 
-UT_icd ut_condition_id_icd = {sizeof(long long), NULL, NULL, NULL};
-UT_icd ut_condition_literal_icd = {sizeof(struct condition_literal), NULL, NULL, NULL};
-UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL};
-UT_icd ut_maat_item_icd = {sizeof(struct maat_item), NULL, NULL, NULL};
-UT_icd ut_hit_path_icd = {sizeof(struct internal_hit_path), NULL, NULL, NULL};
+static UT_icd ut_condition_id_icd = {sizeof(long long), NULL, NULL, NULL};
+static UT_icd ut_condition_literal_icd = {sizeof(struct condition_literal), NULL, NULL, NULL};
+static UT_icd ut_object_uuid_icd = {sizeof(uuid_t), NULL, NULL, NULL};
+static UT_icd ut_maat_item_icd = {sizeof(struct maat_item), NULL, NULL, NULL};
+static UT_icd ut_hit_path_icd = {sizeof(struct internal_hit_path), NULL, NULL, NULL};
 
 static void rule_item_free(struct rule_item *item)
 {
@@ -818,7 +820,21 @@ void rule_compile_state_reset(struct rule_compile_state *rule_compile_state)
 
     struct attribute_hit_object_collection *attr_hit_obj = NULL, *tmp_hit_attr_obj = NULL;
     HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj, tmp_hit_attr_obj) {
-        //TODO: clear
+        if (attr_hit_obj->direct_items != NULL) {
+            utarray_clear(attr_hit_obj->direct_items);
+        }
+
+        if (attr_hit_obj->indirect_object_uuids != NULL) {
+            utarray_clear(attr_hit_obj->indirect_object_uuids);
+        }
+
+        if (attr_hit_obj->all_object_uuids != NULL) {
+            utarray_clear(attr_hit_obj->all_object_uuids);
+        }
+
+        attr_hit_obj->need_negate_condition = 0;
+        attr_hit_obj->need_scan_not_object = 0;
+        attr_hit_obj->Nth_scan = 0;
     }
 }
 
@@ -851,7 +867,30 @@ void rule_compile_state_free(struct rule_compile_state *rule_compile_state,
         rule_compile_state->exclude_not_conditions = NULL;
     }
 
-    //TODO: free attr_hit_objects_hashtbl
+    struct attribute_hit_object_collection *attr_hit_obj = NULL, *tmp_hit_attr_obj = NULL;
+    HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj, tmp_hit_attr_obj) {
+        if (attr_hit_obj->direct_items != NULL) {
+            free_bytes += utarray_size(attr_hit_obj->direct_items) * sizeof(struct maat_item);
+            utarray_free(attr_hit_obj->direct_items);
+            attr_hit_obj->direct_items = NULL;
+        }
+
+        if (attr_hit_obj->indirect_object_uuids != NULL) {
+            free_bytes += utarray_size(attr_hit_obj->indirect_object_uuids) * sizeof(uuid_t);
+            utarray_free(attr_hit_obj->indirect_object_uuids);
+            attr_hit_obj->indirect_object_uuids = NULL;
+        }
+
+        if (attr_hit_obj->all_object_uuids != NULL) {
+            free_bytes += utarray_size(attr_hit_obj->all_object_uuids) * sizeof(uuid_t);
+            utarray_free(attr_hit_obj->all_object_uuids);
+            attr_hit_obj->all_object_uuids = NULL;
+        }
+
+        HASH_DEL(rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj);
+        free_bytes += sizeof(struct attribute_hit_object_collection);
+        FREE(attr_hit_obj);
+    }
 
 	FREE(rule_compile_state);
 
@@ -1463,6 +1502,7 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids,
 {
     struct rule_compile_state *rule_compile_state = state->rule_compile_state;
     struct rule_item *rule_items[rule_ids_size];
+    int clear_scan_not_obj_flag = 0;
 
     utarray_clear(rule_compile_state->all_hit_conditions);
     utarray_clear(rule_compile_state->exclude_not_conditions);
@@ -1484,7 +1524,7 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids,
                 rule_compile_state_add_hit_conditions(rule_compile_state, condition_id_kv->condition_ids);
             }
         
-            if (attr_hit_obj_coll->need_not_condition) {
+            if (attr_hit_obj_coll->need_negate_condition) {
                 key.negate_option = 1;
                 HASH_FIND(hh, rule_rt->not_condition_id_kv_hash, &key, sizeof(key), condition_id_kv);
                 if (condition_id_kv != NULL) {
@@ -1492,27 +1532,27 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids,
                 }
             }
         }
+
+        if (attr_hit_obj_coll->need_scan_not_object) {
+            clear_scan_not_obj_flag = 1;
+        }
     }
 
     //not conditions
     struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL;
     HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) {
         HASH_FIND_STR(rule_compile_state->attr_hit_objects_hashtbl, condition_id_kv->key.attribute_name, attr_hit_obj_coll);
-        if (attr_hit_obj_coll == NULL || attr_hit_obj_coll->need_not_condition == 0) {
+        if (attr_hit_obj_coll == NULL || attr_hit_obj_coll->need_negate_condition == 0) {
             continue;
         }
 
-        uuid_t *object_uuid = bsearch(&(condition_id_kv->key.object_uuid),
-                                      utarray_eltptr(attr_hit_obj_coll->all_object_uuids, 0),
-                                      utarray_len(attr_hit_obj_coll->all_object_uuids),
-                                      sizeof(uuid_t), compare_object_uuid);
-        if (object_uuid != NULL) {
+        if (utarray_find(attr_hit_obj_coll->all_object_uuids, &(condition_id_kv->key.object_uuid), compare_object_uuid) != NULL) {
             continue;
         }
 
         rule_compile_state_add_hit_not_conditions(rule_compile_state, condition_id_kv->condition_ids);
 
-        if (state->maat_inst->opts.hit_path_on) {
+        if (state->maat_inst->opts.hit_path_on && attr_hit_obj_coll->need_scan_not_object) {
             uuid_t null_uuid;
             uuid_clear(null_uuid);
             rule_compile_state_add_internal_hit_path(rule_compile_state, null_uuid,
@@ -1522,6 +1562,14 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids,
         }
     }
 
+    if (clear_scan_not_obj_flag) {
+        HASH_ITER(hh, rule_compile_state->attr_hit_objects_hashtbl, attr_hit_obj_coll, tmp) {
+            if (attr_hit_obj_coll->need_scan_not_object) {
+                attr_hit_obj_coll->need_scan_not_object = 0;
+            }
+        }
+    }
+
     // all hit condition_id -> rule_id
     size_t bool_match_ret =
         maat_rule_bool_matcher_match(rule_rt, rule_compile_state,
@@ -1646,8 +1694,9 @@ void rule_compile_state_not_logic_update(struct maat *maat_inst, struct rule_com
     struct attribute_hit_object_collection *attr_hit_obj_coll = rule_compile_state_get_attr_hit_obj_coll(maat_inst, rule_compile_state, attribute_name);
     assert(attr_hit_obj_coll != NULL);
 
-    attr_hit_obj_coll->need_not_condition = 1;
-    rule_compile_state->Nth_scan = Nth_scan;
+    attr_hit_obj_coll->need_negate_condition = 1;
+    attr_hit_obj_coll->need_scan_not_object = 1;
+    attr_hit_obj_coll->Nth_scan = Nth_scan;
 
     return;
 }
@@ -1713,8 +1762,6 @@ size_t rule_compile_state_get_hit_objects(struct maat *maat_inst, struct rule_co
         uuid_copy(object_array[i], *(uuid_t *)utarray_eltptr(attr_hit_obj_coll->all_object_uuids, i));
     }
 
-    utarray_clear(attr_hit_obj_coll->all_object_uuids);
-
     return i;
 }
 

test/object_nesting/object_nesting_gtest.cpp

@@ -31,7 +31,7 @@ struct object_group_rule {
     struct object_item del_items[MAX_ITEM_NUM];
 };
 
-UT_icd ut_ex_object_id_icd = {sizeof(long long), NULL, NULL, NULL};
+static UT_icd ut_ex_object_id_icd = {sizeof(long long), NULL, NULL, NULL};
 
 static int
 parse_config_file(const char *filename, struct object_group_rule *rules)