Implemented hierarchical policy groups
This commit is contained in:
parent
b1da8368d0
commit
a45a2c9291
@ -459,33 +459,45 @@ INSERT INTO versions (
/* Groups */
INSERT INTO groups ( /* 1 */
name
name, parent
) VALUES (
'Default Debian i686'
'Default Debian i686', 6
);
INSERT INTO groups ( /* 2 */
name
name, parent
) VALUES (
'Default Debian x86_64'
'Default Debian x86_64', 6
);
INSERT INTO groups ( /* 3 */
name
name, parent
) VALUES (
'Default Ubuntu i686'
'Default Ubuntu i686', 6
);
INSERT INTO groups ( /* 4 */
name
name, parent
) VALUES (
'Default Ubuntu x86_64'
'Default Ubuntu x86_64', 6
);
INSERT INTO groups ( /* 5 */
name, parent
) VALUES (
'Default Android', 7
);
INSERT INTO groups ( /* 6 */
name, parent
) VALUES (
'Default Linux', 7
);
INSERT INTO groups ( /* 7 */
name
) VALUES (
'Default Android'
'Default'
);
/* Default Product Groups */
@ -684,31 +696,7 @@ INSERT INTO policies ( /* 13 */
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
1, 1, 86400
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
1, 2, 86400
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
1, 3, 86400
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
1, 4, 86400
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
1, 5, 86400
1, 7, 86400
);
INSERT INTO enforcements (
@ -720,25 +708,7 @@ INSERT INTO enforcements (
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
3, 1, 0
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
3, 2, 0
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
3, 3, 0
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
3, 4, 0
3, 6, 0
);
INSERT INTO enforcements (
@ -762,61 +732,13 @@ INSERT INTO enforcements (
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
8, 1, 60
8, 7, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
8, 2, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
8, 3, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
8, 4, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
8, 5, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
9, 1, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
9, 2, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
9, 3, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
9, 4, 60
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
9, 5, 60
9, 7, 60
);
INSERT INTO enforcements (
@ -50,7 +50,7 @@ static void stderr_dbg(debug_t group, level_t level, char *fmt, ...)
bool policy_start(database_t *db, int session_id)
{
enumerator_t *e;
int id, gid, device_id, product_id, group_id = 0;
int id, gid, device_id, product_id, group_id = 0, parent;
int type, file, dir, arg_int, rec_fail, rec_noresult;
char *argument;
@ -98,57 +98,71 @@ bool policy_start(database_t *db, int session_id)
}
}
/* if still no group membership found, leave */
if (!group_id)
/* get iteratively enforcements for given group */
while (group_id)
{
fprintf(stderr, "no group membership found\n");
return TRUE;
}
/* get enforcements for given group */
e = db->query(db,
"SELECT e.id, "
"p.type, p.argument, p.file, p.dir, p.rec_fail, p.rec_noresult "
"FROM enforcements AS e JOIN policies as p ON e.policy = p.id "
"WHERE e.group_id = ?", DB_INT, group_id,
DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT);
if (!e)
{
return FALSE;
}
while (e->enumerate(e, &id, &type, &argument, &file, &dir, &rec_fail,
&rec_noresult))
{
/* determine arg_int */
switch ((imv_workitem_type_t)type)
e = db->query(db,
"SELECT e.id, "
"p.type, p.argument, p.file, p.dir, p.rec_fail, p.rec_noresult "
"FROM enforcements AS e JOIN policies as p ON e.policy = p.id "
"WHERE e.group_id = ?", DB_INT, group_id,
DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT);
if (!e)
{
case IMV_WORKITEM_FILE_REF_MEAS:
case IMV_WORKITEM_FILE_MEAS:
case IMV_WORKITEM_FILE_META:
arg_int = file;
break;
case IMV_WORKITEM_DIR_REF_MEAS:
case IMV_WORKITEM_DIR_MEAS:
case IMV_WORKITEM_DIR_META:
arg_int = dir;
break;
default:
arg_int = 0;
return FALSE;
}
while (e->enumerate(e, &id, &type, &argument, &file, &dir,
&rec_fail, &rec_noresult))
{
/* determine arg_int */
switch ((imv_workitem_type_t)type)
{
case IMV_WORKITEM_FILE_REF_MEAS:
case IMV_WORKITEM_FILE_MEAS:
case IMV_WORKITEM_FILE_META:
arg_int = file;
break;
case IMV_WORKITEM_DIR_REF_MEAS:
case IMV_WORKITEM_DIR_MEAS:
case IMV_WORKITEM_DIR_META:
arg_int = dir;
break;
default:
arg_int = 0;
}
/* insert a workitem */
if (db->execute(db, NULL,
/* insert a workitem */
if (db->execute(db, NULL,
"INSERT INTO workitems (session, enforcement, type, arg_str, "
"arg_int, rec_fail, rec_noresult) VALUES (?, ?, ?, ?, ?, ?, ?)",
DB_INT, session_id, DB_INT, id, DB_INT, type, DB_TEXT, argument,
DB_INT, arg_int, DB_INT, rec_fail, DB_INT, rec_noresult) != 1)
{
e->destroy(e);
fprintf(stderr, "could not insert workitem\n");
return FALSE;
}
}
e->destroy(e);
e = db->query(db,
"SELECT parent FROM groups WHERE id = ?",
DB_INT, group_id, DB_INT);
if (!e)
{
e->destroy(e);
fprintf(stderr, "could not insert workitem\n");
return FALSE;
}
if (e->enumerate(e, &parent))
{
group_id = parent;
}
else
{
fprintf(stderr, "group information not found\n");
group_id = 0;
}
e->destroy(e);
}
e->destroy(e);
return TRUE;
}
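Review bot: In the parent lookup added after the enforcement loop, the `if (!e)` branch dereferences the NULL enumerator it has just tested (`e->destroy(e)`) and prints `could not insert workitem`, a message copied from the workitem insert above; the branch should only report the failed parent query and return FALSE. The new `while (group_id)` walk ends only when a group's parent enumerates as 0, so a self-referencing or cyclic `parent` value in `groups` — the schema hunk below adds the column with no `REFERENCES groups(id)` constraint or other check — keeps policy_start inserting workitems for the same session indefinitely; a depth bound as below, with `int depth = 0;` added to the declarations in the previous hunk, closes that. If the `e->destroy(e);` following the closing brace of the outer loop is on the new side, it runs on an enumerator already destroyed at the end of each iteration (or on an unassigned `e` when group_id is 0 on entry, now that the early return is gone) and should be deleted. Removing the `no group membership found` return also drops the only diagnostic for a device that matched no group, which is worth logging before the loop; policy_start's body begins before this hunk.
```c
		/* … unchanged: enforcement query, workitem insertion and e->destroy(e) for group_id … */
		e = db->query(db,
						"SELECT parent FROM groups WHERE id = ?",
						DB_INT, group_id, DB_INT);
		if (!e)
		{
			fprintf(stderr, "could not query parent of group %d\n", group_id);
			return FALSE;
		}
		/* MAX_GROUP_DEPTH is a new constant to define (placeholder value);
		 * it bounds the walk so a cyclic parent chain cannot loop forever */
		if (!e->enumerate(e, &parent) || ++depth > MAX_GROUP_DEPTH)
		{
			fprintf(stderr, "group information not found or hierarchy too deep\n");
			parent = 0;
		}
		group_id = parent;
		e->destroy(e);
		/* … unchanged: closing brace of the while (group_id) loop, return TRUE … */
```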
@ -50,7 +50,8 @@ CREATE TABLE file_hashes (
DROP TABLE IF EXISTS groups;
CREATE TABLE groups (
id integer NOT NULL PRIMARY KEY,
name varchar(50) NOT NULL UNIQUE
name varchar(50) NOT NULL UNIQUE,
parent integer
);
DROP TABLE IF EXISTS group_members;