TSG-6440 修复策略关于安全策略优先级问题

fengweihao
2021-05-25 18:23:03 +08:00
parent f234ad19c0
commit 70c2166fc7


@@ -492,7 +492,7 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
}
#endif
static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
static enum pangu_action decide_ctrl_action(enum verify_policy_type policy_type, const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
{
size_t n_monit = 0, exist_enforce_num = 0, i = 0;
const struct Maat_rule_t * prior_rule = hit_rules;
@@ -538,6 +538,12 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
return PG_ACTION_WHITELIST;
}
size_t monit_enable=1;
if(policy_type == PXY_TABLE_SECURITY && n_monit != n_hit)
{
monit_enable=0;
}
exist_enforce_num = *n_enforce;
if (prior_action == PG_ACTION_MONIT)
{
@@ -549,7 +555,7 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
}
*enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
if (prior_action == PG_ACTION_MONIT)
if (prior_action == PG_ACTION_MONIT && monit_enable)
{
memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
}
@@ -557,8 +563,11 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
{
memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
if(monit_enable)
{
memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
}
}
return prior_action;
}
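Review bot: With monit_enable cleared, the two new `monit_enable` guards skip copying the monitor rules, but nothing in the visible hunks reduces *n_enforce to match, while the realloc just above still sizes the buffer from *n_enforce; if *n_enforce is grown by n_monit in the PG_ACTION_MONIT branch between hunks (not visible here), the caller receives a count whose trailing n_monit entries are uninitialized realloc'd memory. The decision should be made once where the flag is computed so count and copies stay consistent, for instance `if (policy_type == PXY_TABLE_SECURITY && n_monit != n_hit) { monit_enable = 0; n_monit = 0; }` — assuming n_monit is the only thing that feeds the monitor contribution to *n_enforce, which needs confirming against the lines not shown. A short comment on that condition, e.g. `/* security-table policy: monitor rules only enforced when every hit is a monitor rule */`, would record the intent, since `n_monit != n_hit` is not self-explanatory. Note also that the pre-existing unchecked `realloc(*enforce_rules, ...)` assigned straight back into *enforce_rules leaks and then dereferences NULL on allocation failure, which the added memcpy paths now also rely on. decide_ctrl_action starts in the first hunk and its body between hunks, including where *n_enforce is grown, is outside view.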
@@ -740,7 +749,7 @@ int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJ
if (hit_cnt >= MAX_SCAN_RESULT) hit_cnt = MAX_SCAN_RESULT;
ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
ctx->action = decide_ctrl_action(policy_type, ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
ctx->hit_cnt = hit_cnt;
cJSON *hit_obj=NULL, *policy_obj=NULL;
hit_obj=cJSON_CreateArray();