gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

管控安全策略命中测试通过版本提交

Browse Source 
1.增加ip转ipaddr接口
2.删除对扫描内容的额外处理
3.修改回复数据的json格式
4.配置文件命名修改
This commit is contained in:
fengweihao
2020-01-20 18:22:36 +08:00
parent faf21bde42
commit c2a5f7b772
6 changed files with 100 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
common/include/verify_policy.h
View File

@@ -112,6 +112,4 @@ void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol
int security_policy_init(struct verify_proxy * verify, const char* profile_path); int security_policy_init(struct verify_proxy * verify, const char* profile_path);
char *web_json_table_add(void *pme);
#endif #endif

4
conf/verify_policy.conf
View File

@@ -11,8 +11,8 @@ thread-nu = 4
[maat] [maat]
# 0:json 1: redis 2: iris # 0:json 1: redis 2: iris
maat_input_mode=1 maat_input_mode=1
table_info=./resource/table_info.conf table_info=./resource/table_info_proxy.conf
table_info_tsg=./resource/tsg_static_tableinfo.conf table_info_tsg=./resource/table_info_security.conf
json_cfg_file=./resource/pangu_http.json json_cfg_file=./resource/pangu_http.json
stat_file=logs/verify-policy.status stat_file=logs/verify-policy.status
full_cfg_dir=verify-policy/ full_cfg_dir=verify-policy/

34
platform/src/verify_policy.cpp
View File

@@ -126,8 +126,6 @@ int protoco_field_type_str2idx(enum tsg_policy_type type, const char *action_str
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN"; table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME"; table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT"; table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM"; table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO"; table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT"; table_name[PXY_SECURITY_MAIL_SUBJECT] = "TSG_FIELD_MAIL_SUBJECT";
@@ -136,7 +134,7 @@ int protoco_field_type_str2idx(enum tsg_policy_type type, const char *action_str
table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT"; table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT";
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME"; table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT";
break; break;
case PXY_TABLE_DEFENCE: case PXY_TABLE_DEFENCE:
break; break;
@@ -184,6 +182,20 @@ struct ipaddr *ip_to_stream_addr(char *clientIp1, unsigned int clientPort1, char
return ip_addr; return ip_addr;
} }
void ipaddr_free(struct ipaddr *ip_addr)
{
if(ip_addr->addrtype==ADDR_TYPE_IPV4)
{
free(ip_addr->v4);
}
if(ip_addr->addrtype==ADDR_TYPE_IPV6)
{
free(ip_addr->v6);
}
free(ip_addr);
}
cJSON *get_query_from_request(const char *data, int thread_id) cJSON *get_query_from_request(const char *data, int thread_id)
{ {
int i = 0; int i = 0;
@@ -195,7 +207,7 @@ cJSON *get_query_from_request(const char *data, int thread_id)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter"); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter");
return NULL; return NULL;
} }
cJSON *policy_obj=NULL, *data_obj=NULL; cJSON *policy_obj=NULL, *data_obj=NULL, *list_arry = NULL;
policy_obj=cJSON_CreateObject(); policy_obj=cJSON_CreateObject();
cJSON_AddNumberToObject(policy_obj, "code", 200); cJSON_AddNumberToObject(policy_obj, "code", 200);
@@ -205,6 +217,9 @@ cJSON *get_query_from_request(const char *data, int thread_id)
data_obj = cJSON_CreateObject(); data_obj = cJSON_CreateObject();
cJSON_AddItemToObject(policy_obj, "data", data_obj); cJSON_AddItemToObject(policy_obj, "data", data_obj);
list_arry=cJSON_CreateArray();
cJSON_AddItemToObject(data_obj, "list", list_arry);
cJSON* item = NULL, *subitem = NULL, *subchild = NULL; cJSON* item = NULL, *subitem = NULL, *subchild = NULL;
item = cJSON_GetObjectItem(data_json,"verifyList"); item = cJSON_GetObjectItem(data_json,"verifyList");
if(item && item->type==cJSON_Array) if(item && item->type==cJSON_Array)
@@ -240,14 +255,14 @@ cJSON *get_query_from_request(const char *data, int thread_id)
query_list->table_obj[i].subscriberid = item->valuestring; query_list->table_obj[i].subscriberid = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), "subscriberid = %s",query_list->table_obj[i].subscriberid); p += snprintf(p, sizeof(buff) - (p - buff), "subscriberid = %s",query_list->table_obj[i].subscriberid);
} }
http_scan(query_list->table_obj[i].keyword, query_list->type, EV_HTTP_SUBSCRIBE_ID, NULL, data_obj, ctx); http_scan(query_list->table_obj[i].keyword, query_list->type, EV_HTTP_SUBSCRIBE_ID, NULL, list_arry, ctx);
i++; i++;
continue; continue;
} }
if(0 == strcasecmp(query_list->table_obj[i].keyword_scope, "ip")) if(0 == strcasecmp(query_list->table_obj[i].keyword_scope, "ip"))
{ {
int addr_type=0, protocol=0; int addr_type=0, __attribute__((__unused__))protocol=0;
char *clientIp1=NULL,*serverIp1=NULL; char *clientIp1=NULL,*serverIp1=NULL;
unsigned int clientPort1=0,serverPort1=0; unsigned int clientPort1=0,serverPort1=0;
@@ -265,8 +280,9 @@ cJSON *get_query_from_request(const char *data, int thread_id)
if(item && item->type==cJSON_Number) addr_type = item->valueint; if(item && item->type==cJSON_Number) addr_type = item->valueint;
query_list->table_obj[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type); query_list->table_obj[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type);
http_scan(NULL, query_list->type, PXY_CTRL_IP, query_list->table_obj[i].ip_addr, data_obj, ctx); http_scan(NULL, query_list->type, PXY_CTRL_IP, query_list->table_obj[i].ip_addr, list_arry, ctx);
ipaddr_free(query_list->table_obj[i].ip_addr);
i++; i++;
continue; continue;
} }
@@ -279,11 +295,11 @@ cJSON *get_query_from_request(const char *data, int thread_id)
if(item && item->type==cJSON_String) if(item && item->type==cJSON_String)
{ {
query_list->table_obj[i].keyword = item->valuestring; query_list->table_obj[i].keyword = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), " content = %s",query_list->table_obj[i].keyword); p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",query_list->table_obj[i].keyword);
} }
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] %s", buff); mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] %s", buff);
http_scan(query_list->table_obj[i].keyword, query_list->type, query_list->table_obj[i].protocol_field, NULL, data_obj, ctx); http_scan(query_list->table_obj[i].keyword, query_list->type, query_list->table_obj[i].protocol_field, NULL, list_arry, ctx);
i++; i++;
memset(buff, 0, VERIFY_STRING_MAX); memset(buff, 0, VERIFY_STRING_MAX);

17
resource/table_info.conf → resource/table_info_proxy.conf
View File

@@ -30,3 +30,20 @@
11 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS -- 11 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS --
12 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS -- 12 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS --
13 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon 13 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
#eliminate the alarm
14 TSG_OBJ_ACCOUNT expr UTF8 UTF8 yes 0
16 TSG_FIELD_SSL_SNI virtual TSG_OBJ_FQDN --
17 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
18 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
19 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
20 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
21 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
22 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
23 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
24 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
25 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
26 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
27 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
28 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
29 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --

1
resource/tsg_static_tableinfo.conf → resource/table_info_security.conf
View File

@@ -39,4 +39,3 @@
27 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL -- 27 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
28 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS -- 28 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
29 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT -- 29 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
30 FW_PROFILE_DNS_RECORDS plugin {"key":1,"valid":5} --

155
scan/src/pangu_http.cpp
View File

@@ -37,6 +37,21 @@ enum pangu_action //Bigger action number is prior.
__PG_ACTION_MAX __PG_ACTION_MAX
}; };
enum tfe_http_std_field
{
TFE_HTTP_UNKNOWN_FIELD = 0,
TFE_HTTP_USER_AGENT,
TFE_HTTP_COOKIE,
TFE_HTTP_SET_COOKIE,
TFE_HTTP_CONT_TYPE,
};
struct http_field_name
{
const char * field_name;
enum tfe_http_std_field field_id;
};
struct pangu_http_ctx struct pangu_http_ctx
{ {
enum pangu_action action; enum pangu_action action;
@@ -177,67 +192,17 @@ static enum pangu_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
return prior_action; return prior_action;
} }
char *web_json_table_add(void *pme) void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol_field, struct ipaddr *ip_addr, cJSON *list_arry, void *pme)
{ {
char *policy_payload = NULL; size_t i = 0; int scan_ret = 0;
cJSON *policy_obj=NULL, *data_obj=NULL, *hit_obj=NULL;
cJSON *execute_obj=NULL, *obj_list=NULL, *category_obj=NULL;
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
policy_obj=cJSON_CreateObject();
cJSON_AddNumberToObject(policy_obj, "code", 200);
cJSON_AddStringToObject(policy_obj, "msg", "Success");
cJSON_AddNumberToObject(policy_obj, "success", 1);
data_obj = cJSON_CreateObject();
cJSON_AddItemToObject(policy_obj, "data", data_obj);
/*hitPolicyList **/
hit_obj = cJSON_CreateObject();
cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj);
if (ctx->hit_cnt >= 1)
{
for (i = 0; i < ctx->hit_cnt; i++)
{
cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id);
cJSON_AddStringToObject(hit_obj, "policyName", "");
}
}
/*executePolicyList **/
execute_obj = cJSON_CreateObject();
cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj);
cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id);
cJSON_AddStringToObject(execute_obj, "policyName", "");
/*objectList**/
obj_list = cJSON_CreateObject();
cJSON_AddItemToObject(data_obj, "objectList", obj_list);
cJSON_AddNumberToObject(obj_list, "objectId", 12);
cJSON_AddStringToObject(obj_list, "objectName", "");
cJSON *itemList = cJSON_CreateObject();
cJSON_AddItemToObject(obj_list, "itemList", itemList);
cJSON_AddNumberToObject(itemList, "itemId", 12);
cJSON_AddStringToObject(itemList, "reqParam", "");
/*categoryList**/
category_obj = cJSON_CreateObject();
cJSON_AddItemToObject(data_obj, "categoryList", category_obj);
cJSON_AddNumberToObject(category_obj, "categoryId", 12);
cJSON_AddStringToObject(category_obj, "reqParam", "");
policy_payload = cJSON_PrintUnformatted(policy_obj);
printf("%s\n", policy_payload);
cJSON_Delete(policy_obj);
return policy_payload;
}
void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol_field, struct ipaddr *ip_addr, cJSON *data_obj, void *pme)
{
int scan_ret = 0, table_id = 0;
size_t hit_cnt = 0, i = 0; size_t hit_cnt = 0, i = 0;
struct http_field_name req_fields[]={ {"User-Agent", TFE_HTTP_USER_AGENT},
{"Cookie", TFE_HTTP_COOKIE}};
struct http_field_name resp_fields[]={ {"Set-Cookie", TFE_HTTP_SET_COOKIE},
{"Content-Type", TFE_HTTP_CONT_TYPE}};
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
if (protocol_field == PXY_CTRL_IP) if (protocol_field == PXY_CTRL_IP)
@@ -251,40 +216,26 @@ void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol
goto decide; goto decide;
} }
if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || (protocol_field == PXY_CTRL_HTTP_RES_HDR)) if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || protocol_field == PXY_CTRL_HTTP_RES_HDR)
{ {
table_id = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_RES_HDR]; struct http_field_name *field_name = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? req_fields : resp_fields;
const char * str_field_name = NULL; for(size_t i=0;i<sizeof(req_fields)/sizeof(struct http_field_name);i++)
scan_ret = Maat_set_scan_status(g_pangu_rt->maat[policy_type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], table_id,
CHARSET_UTF8, value, strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{ {
hit_cnt += scan_ret; const char * str_field_name = field_name[i].field_name;
scan_ret = Maat_set_scan_status(g_pangu_rt->maat[policy_type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][protocol_field],
CHARSET_UTF8, value, strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
} }
goto decide; goto decide;
} }
if ((protocol_field == PXY_CTRL_HTTP_REQ_BODY) || protocol_field == PXY_CTRL_HTTP_RES_BODY)
{
assert(ctx->sp == NULL);
table_id = protocol_field == PXY_CTRL_HTTP_REQ_BODY ? g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat[policy_type], table_id, ctx->thread_id);
scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) value, (int) strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
Maat_stream_scan_string_end(&(ctx->sp));
ctx->sp = NULL;
goto decide;
}
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][protocol_field], scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][protocol_field],
CHARSET_UTF8, value, strlen(value), CHARSET_UTF8, value, strlen(value),
ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt, ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
@@ -298,20 +249,29 @@ decide:
{ {
ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce); ctx->action = decide_ctrl_action(ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
ctx->hit_cnt = hit_cnt; ctx->hit_cnt = hit_cnt;
cJSON *execute_obj=NULL, *hit_obj=NULL; cJSON *execute_obj=NULL, *hit_obj=NULL;
hit_obj = cJSON_CreateObject(); cJSON *item_obj=NULL, *policy_obj=NULL;
cJSON_AddItemToObject(data_obj, "hitPolicyList", hit_obj);
item_obj=cJSON_CreateObject();
cJSON_AddItemToArray(list_arry, item_obj);
hit_obj=cJSON_CreateArray();
cJSON_AddItemToObject(item_obj, "hitPolicyList", hit_obj);
if (ctx->hit_cnt >= 1) if (ctx->hit_cnt >= 1)
{ {
for (i = 0; i < ctx->hit_cnt; i++) for (i = 0; i < ctx->hit_cnt; i++)
{ {
cJSON_AddNumberToObject(hit_obj, "policyId", ctx->result[i].config_id); policy_obj=cJSON_CreateObject();
cJSON_AddNumberToObject(policy_obj, "policyId",ctx->result[i].config_id);
cJSON_AddItemToArray(hit_obj, policy_obj);
} }
} }
/*executePolicyList **/ /*executePolicyList **/
execute_obj = cJSON_CreateObject(); execute_obj=cJSON_CreateArray();
cJSON_AddItemToObject(data_obj, "executePolicyList", execute_obj); cJSON_AddItemToObject(item_obj, "executePolicyList", execute_obj);
cJSON_AddNumberToObject(execute_obj, "policyId", ctx->enforce_rules[0].config_id); policy_obj=cJSON_CreateObject();
cJSON_AddNumberToObject(policy_obj, "policyId", ctx->enforce_rules[0].config_id);
cJSON_AddItemToArray(execute_obj, policy_obj);
} }
return ; return ;
} }
@@ -469,7 +429,6 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
g_pangu_rt->thread_num = verify->nr_work_threads; g_pangu_rt->thread_num = verify->nr_work_threads;
g_pangu_rt->local_logger = verify->logger; g_pangu_rt->local_logger = verify->logger;
#if 1
g_pangu_rt->maat[PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger); g_pangu_rt->maat[PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat[PXY_TABLE_MANIPULATION]) if (!g_pangu_rt->maat[PXY_TABLE_MANIPULATION])
{ {
@@ -488,13 +447,12 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
for (int i = 0; i < __SCAN_TABLE_MAX; i++) for (int i = 0; i < __SCAN_TABLE_MAX; i++)
{ {
g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i]); g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i]);
printf("%p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i], i);
if (g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] < 0) if (g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] < 0)
{ {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Maat table %s register failed.", table_name[i]); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Maat table %s register failed.", table_name[i]);
goto error_out; goto error_out;
} }
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Pangu policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_MANIPULATION], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_MANIPULATION][i]);
} }
g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger); g_pangu_rt->dyn_maat = create_maat_feather("dyn", profile_path, "DYNAMIC_MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
@@ -516,7 +474,6 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat TSG_DYN_SUBSCRIBER_IP EX data register failed."); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat TSG_DYN_SUBSCRIBER_IP EX data register failed.");
goto error_out; goto error_out;
} }
#endif
ret = 0; ret = 0;
error_out: error_out:
return ret; return ret;
@@ -553,17 +510,17 @@ int security_policy_init(struct verify_proxy * verify, const char* profile_path)
table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT"; table_name[PXY_SECURITY_MAIL_ATT_CONTENT] = "TSG_FIELD_MAIL_ATT_CONTENT";
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_MAIL_ATT_NAME"; table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT";
for (int i = 0; i < __SECURITY_TABLE_MAX; i++) for (int i = 0; i < __SECURITY_TABLE_MAX; i++)
{ {
g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i]); g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i]);
printf("SECURITY: %p table_name %s, table id %d, i = %d\n", g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i], i);
if (g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] < 0) if (g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i] < 0)
{ {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Security policy maat table %s register failed.", table_name[i]); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Security policy maat table %s register failed.", table_name[i]);
goto error_out; goto error_out;
} }
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Security policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_SECURITY], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_SECURITY][i]);
} }
ret = 0; ret = 0;
error_out: error_out: