gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-6440 修复策略关于安全策略优先级问题

Browse Source
This commit is contained in:
fengweihao
2021-05-25 18:23:03 +08:00
parent f234ad19c0
commit 70c2166fc7
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
scan/src/policy_scan.cpp
View File

@@ -492,7 +492,7 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
} }
#endif #endif
static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce) static enum pangu_action decide_ctrl_action(enum verify_policy_type policy_type, const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
{ {
size_t n_monit = 0, exist_enforce_num = 0, i = 0; size_t n_monit = 0, exist_enforce_num = 0, i = 0;
const struct Maat_rule_t * prior_rule = hit_rules; const struct Maat_rule_t * prior_rule = hit_rules;
@@ -538,6 +538,12 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
return PG_ACTION_WHITELIST; return PG_ACTION_WHITELIST;
} }
size_t monit_enable=1;
if(policy_type == PXY_TABLE_SECURITY && n_monit != n_hit)
{
monit_enable=0;
}
exist_enforce_num = *n_enforce; exist_enforce_num = *n_enforce;
if (prior_action == PG_ACTION_MONIT) if (prior_action == PG_ACTION_MONIT)
{ {
@@ -549,7 +555,7 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
} }
*enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce)); *enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
if (prior_action == PG_ACTION_MONIT) if (prior_action == PG_ACTION_MONIT && monit_enable)
{ {
memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t)); memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
} }
@@ -557,8 +563,11 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
{ {
memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t)); memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t)); memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
if(monit_enable)
{
memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t)); memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
} }
}
return prior_action; return prior_action;
} }
@@ -740,7 +749,7 @@ int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJ
if (hit_cnt >= MAX_SCAN_RESULT) hit_cnt = MAX_SCAN_RESULT; if (hit_cnt >= MAX_SCAN_RESULT) hit_cnt = MAX_SCAN_RESULT;
ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce); ctx->action = decide_ctrl_action(policy_type, ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
ctx->hit_cnt = hit_cnt; ctx->hit_cnt = hit_cnt;
cJSON *hit_obj=NULL, *policy_obj=NULL; cJSON *hit_obj=NULL, *policy_obj=NULL;
hit_obj=cJSON_CreateArray(); hit_obj=cJSON_CreateArray();