feature: TSG-17786 TFE增加对intercept策略的排序功能

2023-11-21 16:41:59 +08:00
parent 30922a45a8
commit 70dab4a183
5 changed files with 74 additions and 10 deletions
--- a/common/src/intercept_policy.cpp
+++ b/common/src/intercept_policy.cpp
@@ -244,6 +244,62 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer
    }
 }

+// return  0 : success
+// return -1 : error (need passthrough)
+int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t *rule_id_array, int rule_id_num, uint64_t *selected_rule_id)
+{
+    uint64_t rule_id = 0;
+    uint8_t is_hit_intercept_rule = 0;
+    uint8_t is_hit_no_intercept_rule = 0;
+    uint64_t max_intercept_rule_id = 0;
+    uint64_t max_no_intercept_rule_id = 0;
+
+    char buff[16] = {0};
+    struct intercept_param *param = NULL;
+
+    for (int i = 0; i < rule_id_num; i++)
+    {
+        rule_id = rule_id_array[i];
+        snprintf(buff, sizeof(buff), "%lu", rule_id);
+        param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, buff, strlen(buff));
+        if (param == NULL)
+        {
+            TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id);
+            continue;
+        }
+
+        // intercept
+        if (param->action == 2)
+        {
+            is_hit_intercept_rule = 1;
+            max_intercept_rule_id = MAX(max_intercept_rule_id, rule_id);
+            TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is intercept.", i, rule_id_num, rule_id);
+        }
+        // not intercept
+        else
+        {
+            is_hit_no_intercept_rule = 1;
+            max_no_intercept_rule_id = MAX(max_no_intercept_rule_id, rule_id);
+            TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is no intercept.", i, rule_id_num, rule_id);
+        }
+    }
+
+    if (is_hit_no_intercept_rule)
+    {
+        *selected_rule_id = max_no_intercept_rule_id;
+        return 0;
+    }
+
+    if (is_hit_intercept_rule)
+    {
+        *selected_rule_id = max_intercept_rule_id;
+        return 0;
+    }
+
+    // no policy get, passthrough
+    return -1;
+}
+
 // return  0 : success
 // return -1 : error (need passthrough)
 int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg)