Diffstat (limited to 'common/src/intercept_policy.cpp')
-rw-r--r--common/src/intercept_policy.cpp56
1 files changed, 56 insertions, 0 deletions
diff --git a/common/src/intercept_policy.cpp b/common/src/intercept_policy.cpp
index a90e780..68888e5 100644
--- a/common/src/intercept_policy.cpp
+++ b/common/src/intercept_policy.cpp
@@ -246,6 +246,62 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer
// return 0 : success
// return -1 : error (need passthrough)
+int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t *rule_id_array, int rule_id_num, uint64_t *selected_rule_id)
+{
+ uint64_t rule_id = 0;
+ uint8_t is_hit_intercept_rule = 0;
+ uint8_t is_hit_no_intercept_rule = 0;
+ uint64_t max_intercept_rule_id = 0;
+ uint64_t max_no_intercept_rule_id = 0;
+
+ char buff[16] = {0};
+ struct intercept_param *param = NULL;
+
+ for (int i = 0; i < rule_id_num; i++)
+ {
+ rule_id = rule_id_array[i];
+ snprintf(buff, sizeof(buff), "%lu", rule_id);
+ param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, buff, strlen(buff));
+ if (param == NULL)
+ {
+ TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id);
+ continue;
+ }
+
+ // intercept
+ if (param->action == 2)
+ {
+ is_hit_intercept_rule = 1;
+ max_intercept_rule_id = MAX(max_intercept_rule_id, rule_id);
+ TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is intercept.", i, rule_id_num, rule_id);
+ }
+ // not intercept
+ else
+ {
+ is_hit_no_intercept_rule = 1;
+ max_no_intercept_rule_id = MAX(max_no_intercept_rule_id, rule_id);
+ TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is no intercept.", i, rule_id_num, rule_id);
+ }
+ }
+
+ if (is_hit_no_intercept_rule)
+ {
+ *selected_rule_id = max_no_intercept_rule_id;
+ return 0;
+ }
+
+ if (is_hit_intercept_rule)
+ {
+ *selected_rule_id = max_intercept_rule_id;
+ return 0;
+ }
+
+ // no policy get, passthrough
+ return -1;
+}
+
+// return 0 : success
+// return -1 : error (need passthrough)
int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg)
{
int ret = 0;