Diffstat (limited to 'src')
| -rw-r--r-- | src/inc_internal/maat_object.h | 2 | ||||
| -rw-r--r-- | src/inc_internal/maat_rule.h | 4 | ||||
| -rw-r--r-- | src/maat_api.c | 4 | ||||
| -rw-r--r-- | src/maat_expr.c | 4 | ||||
| -rw-r--r-- | src/maat_flag.c | 2 | ||||
| -rw-r--r-- | src/maat_interval.c | 2 | ||||
| -rw-r--r-- | src/maat_ip.c | 2 | ||||
| -rw-r--r-- | src/maat_object.c | 144 | ||||
| -rw-r--r-- | src/maat_rule.c | 70 |
9 files changed, 155 insertions, 79 deletions
diff --git a/src/inc_internal/maat_object.h b/src/inc_internal/maat_object.h index bef043e..d4d079e 100644 --- a/src/inc_internal/maat_object.h +++ b/src/inc_internal/maat_object.h @@ -43,7 +43,7 @@ int object_group_runtime_commit(void *object_group_runtime, const char *table_na size_t object_group_runtime_get_super_objects(void *object_group_runtime, uuid_t *object_uuids, size_t n_object_uuids, uuid_t *super_object_uuids, - size_t super_object_uuids_size); + size_t super_object_uuids_size, int thread_id); long long object_group_runtime_rule_count(void *object_group_runtime); diff --git a/src/inc_internal/maat_rule.h b/src/inc_internal/maat_rule.h index 7b9d0ef..42739bf 100644 --- a/src/inc_internal/maat_rule.h +++ b/src/inc_internal/maat_rule.h @@ -68,7 +68,7 @@ void rule_compile_state_reset(struct rule_compile_state *rule_compile_state); void rule_compile_state_free(struct rule_compile_state *rule_compile_state, struct maat *maat_instance, int thread_id); -int rule_compile_state_update(struct rule_compile_state *rule_compile_state, struct maat *maat_inst, +int rule_compile_state_update(struct maat_state *maat_state, struct maat *maat_inst, const char *attribute_name, int custom_rule_tbl_id, int Nth_scan, struct maat_item *hit_items, size_t n_hit_item); @@ -79,7 +79,7 @@ void rule_compile_state_not_logic_update(struct rule_compile_state *rule_compile struct maat *maat_inst, const char *attribute_name, int Nth_scan); -size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule_compile_state, +size_t rule_compile_state_get_internal_hit_paths(struct maat_state *maat_state, struct rule_runtime *rule_rt, struct object_group_runtime *object_group_rt, struct maat_hit_path *hit_path_array, diff --git a/src/maat_api.c b/src/maat_api.c index 5819102..34283db 100644 --- a/src/maat_api.c +++ b/src/maat_api.c 
@@ -1617,7 +1617,7 @@ static void maat_state_add_hit_object(struct maat_state *state, const char *attr uuid_copy(hit_items[i].object_uuid, objects[i].object_uuid); } - rule_compile_state_update(state->rule_compile_state, maat_inst, attribute_name, + rule_compile_state_update(state, maat_inst, attribute_name, state->rule_table_id, state->Nth_scan, hit_items, n_hit_item); } @@ -2037,7 +2037,7 @@ int maat_state_get_hit_paths(struct maat_state *state, struct maat_hit_path *pat void *object_group_runtime = table_manager_get_runtime(maat_inst->tbl_mgr, object_group_table_id); size_t hit_path_cnt = - rule_compile_state_get_internal_hit_paths(state->rule_compile_state, + rule_compile_state_get_internal_hit_paths(state, (struct rule_runtime *)rule_rt, (struct object_group_runtime *)object_group_runtime, path_array, array_size); diff --git a/src/maat_expr.c b/src/maat_expr.c index 1b06e42..64794bf 100644 --- a/src/maat_expr.c +++ b/src/maat_expr.c @@ -877,7 +877,7 @@ next: state->thread_id, 1); } - return rule_compile_state_update(state->rule_compile_state, state->maat_inst, attribute_name, + return rule_compile_state_update(state, state->maat_inst, attribute_name, state->rule_table_id, state->Nth_scan, hit_maat_items, real_hit_item_num); } @@ -970,7 +970,7 @@ next: state->thread_id, 1); } - return rule_compile_state_update(state->rule_compile_state, state->maat_inst, attribute_name, + return rule_compile_state_update(state, state->maat_inst, attribute_name, state->rule_table_id, state->Nth_scan, hit_maat_items, real_hit_item_cnt); } diff --git a/src/maat_flag.c b/src/maat_flag.c index 1cebe12..cbdc8a8 100644 --- a/src/maat_flag.c +++ b/src/maat_flag.c @@ -458,7 +458,7 @@ next: state->thread_id, 1); } - return rule_compile_state_update(state->rule_compile_state, state->maat_inst, attribute_name, + return rule_compile_state_update(state, state->maat_inst, attribute_name, state->rule_table_id, state->Nth_scan, hit_maat_items, real_hit_item_cnt); } 
diff --git a/src/maat_interval.c b/src/maat_interval.c index be03149..c9f671c 100644 --- a/src/maat_interval.c +++ b/src/maat_interval.c @@ -466,7 +466,7 @@ next: state->thread_id, 1); } - return rule_compile_state_update(state->rule_compile_state, state->maat_inst, attribute_name, + return rule_compile_state_update(state, state->maat_inst, attribute_name, state->rule_table_id, state->Nth_scan, hit_maat_items, real_hit_item_cnt); } diff --git a/src/maat_ip.c b/src/maat_ip.c index 04d6759..d61243d 100644 --- a/src/maat_ip.c +++ b/src/maat_ip.c @@ -553,7 +553,7 @@ next: state->thread_id, 1); } - return rule_compile_state_update(state->rule_compile_state, state->maat_inst, attribute_name, + return rule_compile_state_update(state, state->maat_inst, attribute_name, state->rule_table_id, state->Nth_scan, hit_maat_items, real_hit_item_cnt); } diff --git a/src/maat_object.c b/src/maat_object.c index f57558d..6712730 100644 --- a/src/maat_object.c +++ b/src/maat_object.c @@ -65,6 +65,14 @@ struct object_group_runtime { long long update_err_cnt; int updating_flag; + size_t max_thread_num; + UT_array **all_hit_group_ids; + UT_array **candidate_group_ids; + UT_array **candidate_super_group_ids; + UT_array **kept_super_group_ids; + UT_array **verify_candidate_group_ids; + + struct maat_garbage_bin *ref_garbage_bin; struct log_handle *logger; }; 
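Review bot: The five new `UT_array **` members of `struct object_group_runtime` are per-thread scratch tables, sized by `max_thread_num` and indexed by `thread_id` (see object_group_runtime_new and object_topology_get_super_objects later in this diff), but nothing in the struct says so; a comment such as `/* per-thread scratch for object_topology_get_super_objects: max_thread_num entries each, indexed by thread_id, never shared between threads */` above them would stop a future caller reaching for them from another thread. The added `struct maat_garbage_bin *ref_garbage_bin;` also looks suspicious: the unchanged line `object_group_rt->ref_garbage_bin = garbage_bin;` in object_group_runtime_new shows the member existed before this commit, so unless a hunk not shown here removes the old declaration, this is a duplicate member. The struct definition starts before the hunk.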
@@ -245,6 +253,23 @@ void *object_group_runtime_new(void *object_group_schema, size_t max_thread_num, object_group_rt->ref_garbage_bin = garbage_bin; object_group_rt->logger = logger; + object_group_rt->max_thread_num = max_thread_num; + object_group_rt->all_hit_group_ids = ALLOC(UT_array *, max_thread_num); + object_group_rt->candidate_group_ids = ALLOC(UT_array *, max_thread_num); + object_group_rt->kept_super_group_ids = ALLOC(UT_array *, max_thread_num); + object_group_rt->candidate_super_group_ids = ALLOC(UT_array *, max_thread_num); + object_group_rt->verify_candidate_group_ids = ALLOC(UT_array *, max_thread_num); + + for (int i = 0; i < max_thread_num; i++) { + utarray_new(object_group_rt->all_hit_group_ids[i], &ut_object_uuid_icd); + utarray_new(object_group_rt->candidate_group_ids[i], &ut_object_uuid_icd); + utarray_new(object_group_rt->kept_super_group_ids[i], &ut_object_uuid_icd); + utarray_new(object_group_rt->candidate_super_group_ids[i], &ut_object_uuid_icd); + utarray_new(object_group_rt->verify_candidate_group_ids[i], &ut_object_uuid_icd); + } + + + return object_group_rt; } 
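Review bot: The initialisation loop `for (int i = 0; i < max_thread_num; i++)` compares a signed `int` with the `size_t max_thread_num` parameter, which `-Wsign-compare` flags and which the matching loops in object_group_runtime_free repeat; use `for (size_t i = 0; i < max_thread_num; i++) {` in both places, as the stored `object_group_rt->max_thread_num` is also a `size_t`. The five `ALLOC(UT_array *, max_thread_num)` results are dereferenced in the loop without a check, which is fine only if ALLOC aborts on failure; if it can return NULL the constructor should fail cleanly instead of crashing inside the loop. The two stray blank lines before `return object_group_rt;` can be dropped. The function starts before the hunk.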
@@ -266,6 +291,66 @@ void object_group_runtime_free(void *object_group_runtime) object_group_rt->updating_object_topo = NULL; } + if (object_group_rt->all_hit_group_ids != NULL) { + for (int i = 0; i < object_group_rt->max_thread_num; i++) { + if (object_group_rt->all_hit_group_ids[i] != NULL) { + utarray_free(object_group_rt->all_hit_group_ids[i]); + object_group_rt->all_hit_group_ids[i] = NULL; + } + } + FREE(object_group_rt->all_hit_group_ids); + object_group_rt->all_hit_group_ids = NULL; + + } + + if (object_group_rt->candidate_group_ids != NULL) { + for (int i = 0; i < object_group_rt->max_thread_num; i++) { + if (object_group_rt->candidate_group_ids[i] != NULL) { + utarray_free(object_group_rt->candidate_group_ids[i]); + object_group_rt->candidate_group_ids[i] = NULL; + } + } + FREE(object_group_rt->candidate_group_ids); + object_group_rt->candidate_group_ids = NULL; + + } + + if (object_group_rt->kept_super_group_ids != NULL) { + for (int i = 0; i < object_group_rt->max_thread_num; i++) { + if (object_group_rt->kept_super_group_ids[i] != NULL) { + utarray_free(object_group_rt->kept_super_group_ids[i]); + object_group_rt->kept_super_group_ids[i] = NULL; + } + } + FREE(object_group_rt->kept_super_group_ids); + object_group_rt->kept_super_group_ids = NULL; + + } + + if (object_group_rt->candidate_super_group_ids != NULL) { + for (int i = 0; i < object_group_rt->max_thread_num; i++) { + if (object_group_rt->candidate_super_group_ids[i] != NULL) { + utarray_free(object_group_rt->candidate_super_group_ids[i]); + object_group_rt->candidate_super_group_ids[i] = NULL; + } + } + FREE(object_group_rt->candidate_super_group_ids); + object_group_rt->candidate_super_group_ids = NULL; + + } + + if (object_group_rt->verify_candidate_group_ids != NULL) { + for (int i = 0; i < object_group_rt->max_thread_num; i++) { + if (object_group_rt->verify_candidate_group_ids[i] != NULL) { + utarray_free(object_group_rt->verify_candidate_group_ids[i]); + 
object_group_rt->verify_candidate_group_ids[i] = NULL; + } + } + FREE(object_group_rt->verify_candidate_group_ids); + object_group_rt->verify_candidate_group_ids = NULL; + } + + FREE(object_group_rt); } @@ -959,15 +1044,14 @@ static void verify_object_by_sub_exclude_objects(struct maat_object *object, } } -static void verify_candidate_super_object_ids(struct maat_object_topology *object_topo, +static void verify_candidate_super_object_ids(struct object_group_runtime *object_group_rt, UT_array *candidate_super_object_uuids, UT_array *all_hit_object_uuids, - UT_array *kept_super_object_uuids) + UT_array *kept_super_object_uuids, int thread_id) { uuid_t *p = NULL; - UT_array *candidate_object_uuids; - - utarray_new(candidate_object_uuids, &ut_object_uuid_icd); + UT_array *candidate_object_uuids = object_group_rt->verify_candidate_group_ids[thread_id]; + struct maat_object_topology *object_topo = object_group_rt->object_topo; /* merge this round of candidate super objects with hit objects from the previous round */ for (p = (uuid_t *)utarray_front(candidate_super_object_uuids); p != NULL; 
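Review bot: The five release blocks added to object_group_runtime_free are copies of one another differing only in the member name, which invites the usual copy-and-paste slip when a sixth table is added, and each repeats the signed/unsigned loop counter `int i` against the `size_t max_thread_num`. A small static helper taking the table by address collapses them to five one-line calls, as below. The enclosing function starts before the hunk, so the helper would be placed above it in the file.
```c
/* Free one per-thread UT_array table and reset the caller's pointer. */
static void free_per_thread_arrays(UT_array ***table, size_t n)
{
    if (*table == NULL) {
        return;
    }
    for (size_t i = 0; i < n; i++) {
        if ((*table)[i] != NULL) {
            utarray_free((*table)[i]);
            (*table)[i] = NULL;
        }
    }
    FREE(*table);
    *table = NULL;
}

/* … in object_group_runtime_free, replacing the five copied blocks … */
free_per_thread_arrays(&object_group_rt->all_hit_group_ids, object_group_rt->max_thread_num);
free_per_thread_arrays(&object_group_rt->candidate_group_ids, object_group_rt->max_thread_num);
free_per_thread_arrays(&object_group_rt->kept_super_group_ids, object_group_rt->max_thread_num);
free_per_thread_arrays(&object_group_rt->candidate_super_group_ids, object_group_rt->max_thread_num);
free_per_thread_arrays(&object_group_rt->verify_candidate_group_ids, object_group_rt->max_thread_num);
```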
@@ -1049,15 +1133,18 @@ static void verify_candidate_super_object_ids(struct maat_object_topology *objec kept_super_object_uuids, all_hit_object_uuids); } - utarray_free(candidate_object_uuids); + utarray_clear(candidate_object_uuids); } -static void get_super_object_ids(struct maat_object_topology *object_topo, +static void get_super_object_ids(struct object_group_runtime *object_group_rt, UT_array *hit_object_uuids, UT_array *all_hit_object_uuids, - size_t depth) + size_t depth, int thread_id) { - UT_array *candidate_super_object_uuids; - UT_array *kept_super_object_uuids; + UT_array *candidate_super_object_uuids = object_group_rt->candidate_super_group_ids[thread_id]; + UT_array *kept_super_object_uuids = object_group_rt->kept_super_group_ids[thread_id]; + struct maat_object_topology *object_topo = object_group_rt->object_topo; + + utarray_clear(candidate_super_object_uuids); if (depth >= MAX_RECURSION_DEPTH) { log_error(object_topo->logger, MODULE_OBJECT, @@ -1072,10 +1159,7 @@ static void get_super_object_ids(struct maat_object_topology *object_topo, __FUNCTION__, __LINE__, uuid_str); } return; - } - - utarray_new(kept_super_object_uuids, &ut_object_uuid_icd); - utarray_new(candidate_super_object_uuids, &ut_object_uuid_icd); + } /** candidate super objects means all hit objects' super include object, @@ -1090,7 +1174,7 @@ static void get_super_object_ids(struct maat_object_topology *object_topo, get_candidate_super_object_ids(object_topo, hit_object_uuids, candidate_super_object_uuids); if (0 == utarray_len(candidate_super_object_uuids)) { - goto next; + return; } /** 
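Review bot: get_super_object_ids now works on per-thread scratch arrays that alias across the recursion: at depth > 0 the `hit_object_uuids` parameter is the very object the local `kept_super_object_uuids` points to, because the caller passes `kept_super_group_ids[thread_id]` down as the next level's hits, so `hit_object_uuids` must not be read after `utarray_clear(kept_super_object_uuids)`, and `candidate_super_object_uuids` may be cleared at entry only because the caller has finished with it. None of this is stated where a maintainer would look; add above the function something like `/* Uses the per-thread scratch arrays in object_group_rt. On recursive calls hit_object_uuids aliases kept_super_group_ids[thread_id] and is only valid until kept_super_object_uuids is cleared. */`. The early `return` for `depth >= MAX_RECURSION_DEPTH` now leaves the candidate array empty instead of freeing it, which is consistent with the clear-at-entry rule. The function body continues in the following hunks.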
@@ -1117,24 +1201,22 @@ static void get_super_object_ids(struct maat_object_topology *object_topo, after verify candidates, kept super objects = {g7, g8}, all hit objects = {g4, g11, g7, g8} */ - verify_candidate_super_object_ids(object_topo, candidate_super_object_uuids, all_hit_object_uuids, - kept_super_object_uuids); + utarray_clear(kept_super_object_uuids);//kept_super_object_ids is used as the hit_object_ids parameter when invoke get_super_object_ids recursively, so can't clear it at the beginning + verify_candidate_super_object_ids(object_group_rt, candidate_super_object_uuids, all_hit_object_uuids, + kept_super_object_uuids, thread_id); depth++; - get_super_object_ids(object_topo, kept_super_object_uuids, all_hit_object_uuids, depth); -next: - utarray_free(candidate_super_object_uuids); - utarray_free(kept_super_object_uuids); + get_super_object_ids(object_group_rt, kept_super_object_uuids, all_hit_object_uuids, depth, thread_id); } -static size_t object_topology_get_super_objects(struct maat_object_topology *object_topo, +static size_t object_topology_get_super_objects(struct object_group_runtime *object_group_rt, uuid_t *object_uuids, size_t n_object_uuids, uuid_t *super_object_uuids, - size_t super_object_uuids_size) + size_t super_object_uuids_size, int thread_id) { size_t i = 0, idx = 0; - UT_array *all_hit_object_uuids; - UT_array *candidate_object_uuids; + UT_array *all_hit_object_uuids = object_group_rt->all_hit_group_ids[thread_id]; + UT_array *candidate_object_uuids = object_group_rt->candidate_group_ids[thread_id]; utarray_new(all_hit_object_uuids, &ut_object_uuid_icd); utarray_new(candidate_object_uuids, &ut_object_uuid_icd); 
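Review bot: In object_topology_get_super_objects the unchanged lines `utarray_new(all_hit_object_uuids, &ut_object_uuid_icd);` and `utarray_new(candidate_object_uuids, &ut_object_uuid_icd);` still follow the new initialisers, so every call allocates two fresh arrays over the per-thread pointers, and the `utarray_clear` calls that replaced `utarray_free` at the end of the function (hunk -1164) then leak both on every call while the preallocated per-thread arrays are never used. Delete the two `utarray_new` lines; with that, clearing at the end is the right release. A leak-sanitizer run of any test that exercises super-object lookup would show the growth. Separately, the long comment appended after `utarray_clear(kept_super_object_uuids);` belongs on its own line above the statement. The function continues past the end of the hunk.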
@@ -1144,7 +1226,7 @@ static size_t object_topology_get_super_objects(struct maat_object_topology *obj utarray_push_back(candidate_object_uuids, &(object_uuids[i])); } - get_super_object_ids(object_topo, candidate_object_uuids, all_hit_object_uuids, 0); + get_super_object_ids(object_group_rt, candidate_object_uuids, all_hit_object_uuids, 0, thread_id); for (i = 0; i < n_object_uuids; i++) { uuid_t *tmp_id = utarray_find(all_hit_object_uuids, &(object_uuids[i]), @@ -1164,15 +1246,15 @@ static size_t object_topology_get_super_objects(struct maat_object_topology *obj uuid_copy(super_object_uuids[idx++], *p); } - utarray_free(all_hit_object_uuids); - utarray_free(candidate_object_uuids); + utarray_clear(all_hit_object_uuids); + utarray_clear(candidate_object_uuids); return idx; } size_t object_group_runtime_get_super_objects(void *object_group_runtime, uuid_t *object_uuids, size_t n_object_uuids, uuid_t *super_object_uuids, - size_t super_object_uuids_size) + size_t super_object_uuids_size, int thread_id) { if (NULL == object_group_runtime || NULL == object_uuids || 0 == n_object_uuids) { return 0; @@ -1195,8 +1277,8 @@ size_t object_group_runtime_get_super_objects(void *object_group_runtime, uuid_t return 0; } - return object_topology_get_super_objects(object_group_rt->object_topo, object_group_object_uuids, object_group_object_uuids_cnt, - super_object_uuids, super_object_uuids_size); + return object_topology_get_super_objects(object_group_rt, object_group_object_uuids, object_group_object_uuids_cnt, + super_object_uuids, super_object_uuids_size, thread_id); } long long object_group_runtime_rule_count(void *object_group_runtime) diff --git a/src/maat_rule.c b/src/maat_rule.c index 4f55125..d2dce18 100644 --- a/src/maat_rule.c +++ b/src/maat_rule.c 
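Review bot: `thread_id` is used unchecked as an index into the per-thread tables (`all_hit_group_ids[thread_id]`, `candidate_group_ids[thread_id]` and so on), but the public entry object_group_runtime_get_super_objects only validates the pointer and count arguments. The tables were allocated with `max_thread_num` slots (hunk -245) and the parameter is a signed `int` taken from the caller's `maat_state->thread_id`, so a negative or too-large value indexes outside the table. Add after the cast to `object_group_rt`: `if (thread_id < 0 || (size_t)thread_id >= object_group_rt->max_thread_num) { return 0; }`. Since rule_compile_state_update and rule_compile_state_get_internal_hit_paths in maat_rule.c both route through this entry point, the one check covers them.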
@@ -1382,12 +1382,34 @@ rule_compile_state_cache_hit_not_objects(struct rule_compile_state *rule_compile return; } - if (n_hit_object_uuid != 0) { - qsort(hit_object_uuids, n_hit_object_uuid, sizeof(uuid_t), compare_object_uuid); - } - struct negate_attribute_object *negate_attr_obj = NULL; HASH_FIND_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj); + + if (negate_attr_obj == NULL || utarray_len(negate_attr_obj->object_uuids) == 0) { + struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL; + HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) { + if (strncmp(condition_id_kv->key.attribute_name, attribute_name, strlen(attribute_name)) != 0) { + continue; + } + + if (NULL == negate_attr_obj) { + negate_attr_obj = ALLOC(struct negate_attribute_object, 1); + snprintf(negate_attr_obj->attribute_name, sizeof(negate_attr_obj->attribute_name), "%s", attribute_name); + utarray_new(negate_attr_obj->object_uuids, &ut_rule_object_uuid_icd); + HASH_ADD_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj); + } + + if (!utarray_find(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid), + compare_object_uuid)) { + utarray_push_back(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid)); + } + } + + if (negate_attr_obj != NULL) { + utarray_sort(negate_attr_obj->object_uuids, compare_object_uuid); + } + } + if (negate_attr_obj != NULL) { for (size_t i = 0; i < n_hit_object_uuid; i++) { uuid_t *object_uuid = (uuid_t *)utarray_find(negate_attr_obj->object_uuids, 
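Review bot: In the block that rebuilds `negate_attr_obj->object_uuids` from `rule_rt->not_condition_id_kv_hash`, the duplicate check `utarray_find(negate_attr_obj->object_uuids, ...)` runs before `utarray_sort`; uthash's utarray_find is a bsearch over the array and requires it to be sorted, so on the unsorted array being built it can miss existing entries and push duplicates. Either sort before each find or collect first and dedupe once after the sort. The same loop matches attribute names with `strncmp(..., strlen(attribute_name)) != 0`, which accepts any key whose attribute name merely starts with `attribute_name`; if the names are NUL-terminated, `strcmp(condition_id_kv->key.attribute_name, attribute_name) != 0` is the exact match. Both points are in logic moved from the removed block, so the behaviour is pre-existing; the function starts before the hunk.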
@@ -1400,36 +1422,6 @@ rule_compile_state_cache_hit_not_objects(struct rule_compile_state *rule_compile utarray_erase(negate_attr_obj->object_uuids, remove_idx, 1); } } - - struct condition_id_kv *condition_id_kv = NULL, *tmp_condition_id_kv = NULL; - HASH_ITER(hh, rule_rt->not_condition_id_kv_hash, condition_id_kv, tmp_condition_id_kv) { - if (strncmp(condition_id_kv->key.attribute_name, attribute_name, strlen(attribute_name)) != 0) { - continue; - } - - uuid_t *tmp_object_uuid = - bsearch(&(condition_id_kv->key.object_uuid), hit_object_uuids, - n_hit_object_uuid, sizeof(uuid_t), compare_object_uuid); - if (tmp_object_uuid != NULL) { - continue; - } - - if (NULL == negate_attr_obj) { - negate_attr_obj = ALLOC(struct negate_attribute_object, 1); - snprintf(negate_attr_obj->attribute_name, sizeof(negate_attr_obj->attribute_name), "%s", attribute_name); - utarray_new(negate_attr_obj->object_uuids, &ut_rule_object_uuid_icd); - HASH_ADD_STR(rule_compile_state->hit_negate_attribute_objects, attribute_name, negate_attr_obj); - } - - if (!utarray_find(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid), - compare_object_uuid)) { - utarray_push_back(negate_attr_obj->object_uuids, &(condition_id_kv->key.object_uuid)); - } - } - - if (negate_attr_obj != NULL) { - utarray_sort(negate_attr_obj->object_uuids, compare_object_uuid); - } } int rule_compile_state_get_rule_table_id(struct rule_compile_state *rule_compile_state, @@ -1745,7 +1737,7 @@ int rule_runtime_match(struct rule_runtime *rule_rt, uuid_t *rule_uuids, return MIN(bool_match_ret, rule_ids_size); } -int rule_compile_state_update(struct rule_compile_state *rule_compile_state, struct maat *maat_inst, +int rule_compile_state_update(struct maat_state *maat_state, struct maat *maat_inst, const char *attribute_name, int custom_rule_tbl_id, int Nth_scan, struct maat_item *hit_items, size_t n_hit_item) { 
@@ -1753,6 +1745,7 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str size_t hit_cnt = n_hit_item; uuid_t hit_object_uuids[MAX_HIT_OBJECT_NUM]; struct maat_hit_object hit_object; + struct rule_compile_state *rule_compile_state = maat_state->rule_compile_state; utarray_clear(rule_compile_state->this_scan_hit_conditions); rule_compile_state->this_scan_not_logic = 0; @@ -1773,7 +1766,7 @@ int rule_compile_state_update(struct rule_compile_state *rule_compile_state, str uuid_t super_object_uuids[MAX_HIT_OBJECT_NUM]; size_t super_object_cnt = object_group_runtime_get_super_objects(object_group_rt, hit_object_uuids, hit_cnt, super_object_uuids, - MAX_HIT_OBJECT_NUM); + MAX_HIT_OBJECT_NUM, maat_state->thread_id); for (i = 0; i < super_object_cnt; i++) { uuid_clear(hit_object.item_uuid); uuid_copy(hit_object.object_uuid, super_object_uuids[i]); @@ -1942,7 +1935,7 @@ size_t rule_compile_state_get_direct_hit_object_cnt(struct rule_compile_state *r return utarray_len(rule_compile_state->direct_hit_objects); } -size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule_compile_state, +size_t rule_compile_state_get_internal_hit_paths(struct maat_state *maat_state, struct rule_runtime *rule_rt, struct object_group_runtime *object_group_rt, struct maat_hit_path *hit_path_array, @@ -1950,6 +1943,7 @@ size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule { size_t hit_path_cnt = 0; struct internal_hit_path *internal_path = NULL; + struct rule_compile_state *rule_compile_state = maat_state->rule_compile_state; for (int i = 0; i < utarray_len(rule_compile_state->internal_hit_paths); i++) { internal_path = 
@@ -1963,7 +1957,7 @@ size_t rule_compile_state_get_internal_hit_paths(struct rule_compile_state *rule size_t super_object_cnt = object_group_runtime_get_super_objects(object_group_rt, &(internal_path->object_uuid), 1, - super_object_uuids, MAX_HIT_OBJECT_NUM); + super_object_uuids, MAX_HIT_OBJECT_NUM, maat_state->thread_id); for (size_t idx = 0; idx < super_object_cnt; idx++) { utarray_push_back(valid_super_object_uuids, &super_object_uuids[idx]); } |
