|
size_t i; |
|
for (i = 0; i < BSLP_SecOperPtrList_size(secops); i++) |
|
{ |
|
BSL_SecOper_t **comp = BSLP_SecOperPtrList_get(secops, i); |
|
BSL_LOG_DEBUG("NEW SECOP (tgt=%d)(bib?=%d)(secblk=%d)", BSL_SecOper_GetTargetBlockNum(sec_oper), |
|
BSL_SecOper_IsBIB(sec_oper), BSL_SecOper_GetSecurityBlockNum(sec_oper)); |
|
BSL_LOG_DEBUG("comp SECOP (tgt=%d)(bib?=%d)(secblk=%d)", BSL_SecOper_GetTargetBlockNum(*comp), |
|
BSL_SecOper_IsBIB(*comp), BSL_SecOper_GetSecurityBlockNum(*comp)); |
|
if (BSL_SecOper_GetTargetBlockNum(*comp) == BSL_SecOper_GetTargetBlockNum(sec_oper)) |
|
{ |
|
// Both BIBs or BCBs |
|
if (!(BSL_SecOper_IsBIB(sec_oper) ^ BSL_SecOper_IsBIB(*comp))) |
|
{ |
|
BSL_SecOper_SetConclusion(sec_oper, BSL_SECOP_CONCLUSION_INVALID); |
|
} |
|
// SOURCE BIB or ACCEPT BCB should come first |
|
// true if ACC BIB or SRC BCB |
|
if (BSL_SecOper_IsBIB(sec_oper) ^ BSL_SecOper_IsRoleSource(sec_oper)) |
|
{ |
|
BSL_LOG_DEBUG("NEW OP AFTER COMP"); |
|
BSLP_SecOperPtrList_push_at(secops, i + 1, sec_oper); |
|
} |
|
else |
|
{ |
|
BSL_LOG_DEBUG("NEW OP BEFORE COMP"); |
|
BSLP_SecOperPtrList_push_at(secops, i, sec_oper); |
|
} |
|
break; |
|
} |
|
|
|
// security operation in list targets security operation |
|
if (BSL_SecOper_GetTargetBlockNum(*comp) == BSL_SecOper_GetSecurityBlockNum(sec_oper)) |
|
{ |
|
BSLP_SecOperPtrList_push_at(secops, i, sec_oper); |
|
break; |
|
} |
|
|
|
// new security operation targets security operation in list |
|
if (BSL_SecOper_GetTargetBlockNum(sec_oper) == BSL_SecOper_GetSecurityBlockNum(*comp)) |
|
{ |
|
BSLP_SecOperPtrList_push_at(secops, i + 1, sec_oper); |
|
break; |
|
} |
|
|
|
// same security block number, order by target |
|
if (BSL_SecOper_GetSecurityBlockNum(sec_oper) == BSL_SecOper_GetSecurityBlockNum(*comp)) |
|
{ |
|
if (BSL_SecOper_GetTargetBlockNum(*comp) - BSL_SecOper_GetTargetBlockNum(sec_oper)) |
|
{ |
|
BSLP_SecOperPtrList_push_at(secops, i, sec_oper); |
|
} |
|
else |
|
{ |
|
BSLP_SecOperPtrList_push_at(secops, i + 1, sec_oper); |
|
} |
|
break; |
|
} |
|
} |
|
|
|
if (i >= BSLP_SecOperPtrList_size(secops)) |
|
{ |
|
BSL_LOG_INFO("append to end"); |
|
BSLP_SecOperPtrList_push_back(secops, sec_oper); |
|
} |
|
BSL_LOG_INFO("Created sec operation for rule `%s`", string_get_cstr(rule->description)); |
|
} |
|
pthread_mutex_unlock(&self->mutex); |
|
|
|
BSL_PrimaryBlock_deinit(&primary_block); |
|
|
|
// TODO replace a lot of copying with moving |
|
for (size_t i = 0; i < BSLP_SecOperPtrList_size(secops); i++) |
|
{ |
|
BSL_SecOper_t **secop = BSLP_SecOperPtrList_get(secops, i); |
|
BSL_SecurityAction_AppendSecOper(action, *secop); |
|
BSL_free(*secop); |
|
} |
|
BSLP_SecOperPtrList_clear(secops); |
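Review bot: The "same security block number, order by target" branch does not order by target: `if (BSL_SecOper_GetTargetBlockNum(*comp) - BSL_SecOper_GetTargetBlockNum(sec_oper))` is only a non-zero test, so any differing target inserts the new operation before `comp`, and since the equal-target case already broke out of the loop at the first `if`, the `else` that pushes at `i + 1` is unreachable. If ascending target order is intended, the test should be a comparison, e.g. `if (BSL_SecOper_GetTargetBlockNum(*comp) > BSL_SecOper_GetTargetBlockNum(sec_oper))` — the direction has to be confirmed against the ordering the policy provider expects, since this decides the order in which security operations on the same security block are applied. Separately, an operation given `BSL_SECOP_CONCLUSION_INVALID` in the "Both BIBs or BCBs" case is still inserted into the list; if that is deliberate, a comment such as `// invalid op is still queued so the caller sees the conclusion` would make the intent explicit. The outer loop closed by the `}` before the unlock, and the enclosing function itself, both begin before the quoted snippet and the function continues after it.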
Could be an optimization, some options:
Expose API in
Expose an API in `SecurityAction.h` to `set_at`, to avoid this list. BUT: it would be by-copy instead of by-move. The M-Array doesn't provide an API for `push_move_at` — it can only `push_move` without specifying a location, and `set_at` is pass-by-copy.
Create a function in `SecurityAction.h` to "sort" the SecOp list using a PP-defined comparator, using the m-lib `_special_sort` API. This way, the actual ordering is still PP-specified.
BSL/src/policy_provider/SamplePolicyProvider.c
Lines 220 to 297 in 046549e