From 70c2166fc75833d92b3264c1e4751e6a905ab19f Mon Sep 17 00:00:00 2001
From: fengweihao
Date: Tue, 25 May 2021 18:23:03 +0800
Subject: [PATCH] =?UTF-8?q?TSG-6440=20=E4=BF=AE=E5=A4=8D=E7=AD=96=E7=95=A5?= =?UTF-8?q?=E5=85=B3=E4=BA=8E=E5=AE=89=E5=85=A8=E7=AD=96=E7=95=A5=E4=BC=98?= =?UTF-8?q?=E5=85=88=E7=BA=A7=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scan/src/policy_scan.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/scan/src/policy_scan.cpp b/scan/src/policy_scan.cpp
index 2193389..6a78111 100644
--- a/scan/src/policy_scan.cpp
+++ b/scan/src/policy_scan.cpp
@@ -492,7 +492,7 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
 }
 #endif
-static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
+static enum pangu_action decide_ctrl_action(enum verify_policy_type policy_type, const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
 {
 size_t n_monit = 0, exist_enforce_num = 0, i = 0;
 const struct Maat_rule_t * prior_rule = hit_rules;
@@ -538,6 +538,12 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
 return PG_ACTION_WHITELIST;
 }
+ size_t monit_enable=1;
+ if(policy_type == PXY_TABLE_SECURITY && n_monit != n_hit)
+ {
+ monit_enable=0;
+ }
+
 exist_enforce_num = *n_enforce;
 if (prior_action == PG_ACTION_MONIT)
 {
@@ -549,7 +555,7 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
 }
 *enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
- if (prior_action == PG_ACTION_MONIT)
+ if (prior_action == PG_ACTION_MONIT && monit_enable)
 {
 memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
 }
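Review bot: The new `policy_type` parameter changes what decide_ctrl_action leaves in `enforce_rules`, but the definition carries no comment, so a caller cannot tell from the signature why the table type matters. Add above the `static enum pangu_action decide_ctrl_action(...)` line a comment such as `/* policy_type: for PXY_TABLE_SECURITY, monitor rules are copied into enforce_rules only when every hit rule is a monitor rule (n_monit == n_hit); other table types keep them unconditionally. */`. The function body continues past the end of this hunk.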
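Review bot: Skipping the monitor-rule memcpy when `monit_enable` is 0 (this hunk sets the flag; hunks @@ -549 and @@ -557 act on it) does not adjust `*n_enforce`, and the five lines between this hunk and the next (old 544–548, untouched by the patch) are presumably where `*n_enforce` is raised by `n_monit` before the realloc; if so, for PXY_TABLE_SECURITY the last `n_monit` slots of `*enforce_rules` are allocated but never written, and callers iterating to `*n_enforce` would read uninitialized rule entries as enforced rules — confirm against those lines. The simpler form is to zero the count rather than add a flag, so that the size, the realloc and both memcpy calls stay in agreement: `if (policy_type == PXY_TABLE_SECURITY && n_monit != n_hit) { n_monit = 0; }` in place of the `monit_enable` block, with the two `monit_enable` conditions dropped. If the flag is kept, it is a boolean and should be `bool monit_enable = true;` (or `int`) rather than `size_t`. decide_ctrl_action's body continues outside this hunk on both sides.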
@@ -557,7 +563,10 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
 {
 memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
 memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
- memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ if(monit_enable)
+ {
+ memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ }
 }
 return prior_action;
 }
@@ -740,7 +749,7 @@ int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJ
 if (hit_cnt >= MAX_SCAN_RESULT) hit_cnt = MAX_SCAN_RESULT;
- ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
+ ctx->action = decide_ctrl_action(policy_type, ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
 ctx->hit_cnt = hit_cnt;
 cJSON *hit_obj=NULL, *policy_obj=NULL;
 hit_obj=cJSON_CreateArray();