waf lock utility integration with Modsec (microsoft#35)

change permission, alignment issue, revet to original api

revert owner back, will remove later

change to snake style

Author: azhao155

apache2/apache2_config.c

@@ -19,6 +19,7 @@
 
 #ifdef WAF_JSON_LOGGING_ENABLE
 #include "waf_log_util_external.h"
+#include "waf_lock_external.h"
 #include "string.h"
 #endif
 
@@ -289,24 +290,24 @@ static void get_ruleset_type_version(char* waf_ruleset_info, char* waf_ruleset_t
     }
 }
 
-static int write_file_with_lock(apr_global_mutex_t* lock, apr_file_t* fd, char* str) {
+static int write_file_with_lock(struct waf_lock* lock, apr_file_t* fd, char* str) {
     int rc;
     apr_size_t nbytes, nbytes_written;
 
     if (lock == NULL || fd == NULL || str == NULL) {
         return WAF_LOG_UTIL_FAILED;
     }
 
-    rc = apr_global_mutex_lock(lock);
-    if (rc != APR_SUCCESS) {
+    rc = waf_get_exclusive_lock(lock);
+    if (waf_lock_is_error(rc)) {
         return WAF_LOG_UTIL_FAILED;
     }
 
     nbytes = strlen(str);
     apr_file_write_full(fd, str, nbytes, &nbytes_written);
 
-    rc = apr_global_mutex_unlock(lock);
-    if (rc != APR_SUCCESS) {
+    rc = waf_free_exclusive_lock(lock);
+    if (waf_lock_is_error(rc)) {
         return WAF_LOG_UTIL_FAILED;
     }
 
@@ -316,7 +317,7 @@ static int write_file_with_lock(apr_global_mutex_t* lock, apr_file_t* fd, char*
 /**
  * send all waf fields in json format to a file.
  */
-static void send_waf_log(apr_global_mutex_t* lock, apr_file_t* fd, const char* str1, const char* ip_port, const char* uri, int mode, const char* hostname, request_rec *r) {
+static void send_waf_log(struct waf_lock* lock, apr_file_t* fd, const char* str1, const char* ip_port, const char* uri, int mode, const char* hostname, request_rec *r) {
     int rc = 0;
     char* json_str;
     char waf_filename[1024] = "";

apache2/apache2_util.c

@@ -135,13 +135,47 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
     return msce;
 }
 
+static void set_lock_args(struct waf_lock_args *lock_args, int lock_id) {
+    if (lock_args == NULL) {
+        return;
+    }
+
+#ifdef _WIN32
+    switch(lock_id) {
+        case AUDITLOG_LOCK_ID:
+            lock_args->lock_name = AUDITLOG_LOCK_NAME;
+            lock_args->lock_name_length = strlen(AUDITLOG_LOCK_NAME);
+            break;
+        case WAFJSONLOG_LOCK_ID:
+            lock_args->lock_name = WAFJSONLOG_LOCK_NAME;
+            lock_args->lock_name_length = strlen(WAFJSONLOG_LOCK_NAME);
+            break;
+        case GEO_LOCK_ID:
+            lock_args->lock_name = GEO_LOCK_NAME;
+            lock_args->lock_name_length = strlen(GEO_LOCK_NAME);
+            break;
+        case DBM_LOCK_ID:
+            lock_args->lock_name = DBM_LOCK_NAME;
+            lock_args->lock_name_length = strlen(DBM_LOCK_NAME);
+            break;
+        default:
+            break;
+    }
+
+#else
+    lock_args->lock_id = lock_id;
+#endif
+}
+
 /**
  * Initialise the modsecurity engine. This function must be invoked
  * after configuration processing is complete as Apache needs to know the
  * username it is running as.
  */
 int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
     apr_status_t rc;
+    struct waf_lock_args *lock_args;
+    char *lock_name;
 
     /**
      * Notice that curl is initialized here but never cleaned up. First version
@@ -153,85 +187,51 @@ int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
 #ifdef WITH_CURL
     curl_global_init(CURL_GLOBAL_ALL);
 #endif
+    lock_args = apr_pcalloc(mp, sizeof(struct waf_lock_args));
+
     /* Serial audit log mutext */
-    rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
-    if (rc != APR_SUCCESS) {
+    set_lock_args(lock_args, AUDITLOG_LOCK_ID);
+
+    msce->auditlog_lock = apr_pcalloc(mp, sizeof(struct waf_lock));
+    rc = waf_create_lock(msce->auditlog_lock, lock_args);    
+    if (waf_lock_is_error(rc)) {
         //ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "mod_security: Could not create modsec_auditlog_lock");
         //return HTTP_INTERNAL_SERVER_ERROR;
         return -1;
     }
 
 #ifdef WAF_JSON_LOGGING_ENABLE
     /* Serial wafjson log mutext */
-    rc = apr_global_mutex_create(&msce->wafjsonlog_lock, NULL, APR_LOCK_DEFAULT, mp);
-    if (rc != APR_SUCCESS) {
+    set_lock_args(lock_args, WAFJSONLOG_LOCK_ID);
+
+    msce->wafjsonlog_lock = apr_pcalloc(mp, sizeof(struct waf_lock));
+    rc = waf_create_lock(msce->wafjsonlog_lock, lock_args);    
+    if (waf_lock_is_error(rc)) {
         //ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "mod_security: Could not create modsec_wafjsonlog_lock");
         //return HTTP_INTERNAL_SERVER_ERROR;
         return -1;
     }
 #endif
 
-#if !defined(MSC_TEST)
-#ifdef __SET_MUTEX_PERMS
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-    rc = ap_unixd_set_global_mutex_perms(msce->auditlog_lock);
-#else
-    rc = unixd_set_global_mutex_perms(msce->auditlog_lock);
-#endif
-    if (rc != APR_SUCCESS) {
-        // ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, "mod_security: Could not set permissions on modsec_auditlog_lock; check User and Group directives");
-        // return HTTP_INTERNAL_SERVER_ERROR;
-        return -1;
-    }
-#endif /* SET_MUTEX_PERMS */
-
-#ifdef WAF_JSON_LOGGING_ENABLE
-#ifdef __SET_MUTEX_PERMS
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-    rc = ap_unixd_set_global_mutex_perms(msce->wafjsonlog_lock);
-#else
-    rc = unixd_set_global_mutex_perms(msce->wafjsonlog_lock);
-#endif
-    if (rc != APR_SUCCESS) {
-        // ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, "mod_security: Could not set permissions on modsec_wafjsonlog_lock; check User and Group directives");
-        // return HTTP_INTERNAL_SERVER_ERROR;
-        return -1;
-    }
-#endif /* SET_MUTEX_PERMS */
-#endif
+// Have removed all the lock permission related code since we implment in different way now
 
-    rc = apr_global_mutex_create(&msce->geo_lock, NULL, APR_LOCK_DEFAULT, mp);
-    if (rc != APR_SUCCESS) {
-        return -1;
-    }
+#if !defined(MSC_TEST)
+    set_lock_args(lock_args, GEO_LOCK_ID);
 
-#ifdef __SET_MUTEX_PERMS
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-    rc = ap_unixd_set_global_mutex_perms(msce->geo_lock);
-#else
-    rc = unixd_set_global_mutex_perms(msce->geo_lock);
-#endif
-    if (rc != APR_SUCCESS) {
+    msce->geo_lock = apr_pcalloc(mp, sizeof(struct waf_lock));
+    rc = waf_create_lock(msce->geo_lock, lock_args);    
+    if (waf_lock_is_error(rc)) {
         return -1;
     }
-#endif /* SET_MUTEX_PERMS */
 
 #ifdef GLOBAL_COLLECTION_LOCK
-    rc = apr_global_mutex_create(&msce->dbm_lock, NULL, APR_LOCK_DEFAULT, mp);
-    if (rc != APR_SUCCESS) {
-        return -1;
-    }
+    set_lock_args(lock_args, DBM_LOCK_ID);
 
-#ifdef __SET_MUTEX_PERMS
-#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
-    rc = ap_unixd_set_global_mutex_perms(msce->dbm_lock);
-#else
-    rc = unixd_set_global_mutex_perms(msce->dbm_lock);
-#endif
-    if (rc != APR_SUCCESS) {
+    msce->dbm_lock = apr_pcalloc(mp, sizeof(struct waf_lock));
+    rc = waf_create_lock(msce->dbm_lock, lock_args);    
+    if (waf_lock_is_error(rc)) {
         return -1;
     }
-#endif /* SET_MUTEX_PERMS */
 #endif
 #endif
 
@@ -242,39 +242,47 @@ int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
  * Performs per-child (new process) initialisation.
  */
 void modsecurity_child_init(msc_engine *msce) {
+    struct waf_lock_args *lock_args;
+    char *lock_name;
+
     /* Need to call this once per process before any other XML calls. */
     xmlInitParser();
+    lock_args = apr_pcalloc(msce->mp, sizeof(struct waf_lock_args));
 
-    if (msce->auditlog_lock != NULL) {
-        apr_status_t rc = apr_global_mutex_child_init(&msce->auditlog_lock, NULL, msce->mp);
-        if (rc != APR_SUCCESS) {
-            // ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, "Failed to child-init auditlog mutex");
-        }
+    if (msce->auditlog_lock == NULL) {
+        msce->auditlog_lock = apr_pcalloc(msce->mp, sizeof(struct waf_lock));
     }
 
+    set_lock_args(lock_args, AUDITLOG_LOCK_ID);
+
+    waf_create_lock(msce->auditlog_lock, lock_args);    
+
 #ifdef WAF_JSON_LOGGING_ENABLE
-    if (msce->wafjsonlog_lock != NULL) {
-        apr_status_t rc = apr_global_mutex_child_init(&msce->wafjsonlog_lock, NULL, msce->mp);
-        if (rc != APR_SUCCESS) {
-            // ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, "Failed to child-init auditlog mutex");
-        }
+    if (msce->wafjsonlog_lock == NULL) {
+        msce->wafjsonlog_lock = apr_pcalloc(msce->mp, sizeof(struct waf_lock));
     }
+
+    set_lock_args(lock_args, WAFJSONLOG_LOCK_ID);
+
+    waf_create_lock(msce->wafjsonlog_lock, lock_args);    
 #endif
 
-    if (msce->geo_lock != NULL) {
-        apr_status_t rc = apr_global_mutex_child_init(&msce->geo_lock, NULL, msce->mp);
-        if (rc != APR_SUCCESS) {
-            // ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, "Failed to child-init geo mutex");
-        }
+    if (msce->geo_lock == NULL) {
+        msce->geo_lock = apr_pcalloc(msce->mp, sizeof(struct waf_lock));
     }
 
+    set_lock_args(lock_args, GEO_LOCK_ID);
+
+    waf_create_lock(msce->geo_lock, lock_args);    
+
 #ifdef GLOBAL_COLLECTION_LOCK
-    if (msce->dbm_lock != NULL) {
-        apr_status_t rc = apr_global_mutex_child_init(&msce->dbm_lock, NULL, msce->mp);
-        if (rc != APR_SUCCESS) {
-            // ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, "Failed to child-init dbm mutex");
-        }
+    if (msce->dbm_lock == NULL) {
+        msce->dbm_lock = apr_pcalloc(msce->mp, sizeof(struct waf_lock));
     }
+
+    set_lock_args(lock_args, DBM_LOCK_ID);
+
+    waf_create_lock(msce->dbm_lock, lock_args);    
 #endif
 
 }

apache2/mod_security2.c

@@ -56,6 +56,7 @@ typedef struct msc_parm msc_parm;
 #include "http_config.h"
 #include "http_log.h"
 #include "http_protocol.h"
+#include "waf_lock_external.h"
 
 #if defined(WITH_LUA)
 #include "msc_lua.h"
@@ -173,6 +174,16 @@ extern DSOLOCAL char *msc_waf_instanceId;
 extern DSOLOCAL char *msc_waf_lock_owner;
 #endif
 
+#define AUDITLOG_LOCK_ID                1
+#define WAFJSONLOG_LOCK_ID              2
+#define GEO_LOCK_ID                     3
+#define DBM_LOCK_ID                     4
+
+#define AUDITLOG_LOCK_NAME              "Global\\auditlog_lock"
+#define WAFJSONLOG_LOCK_NAME            "Global\\wafjsonlog_lock"
+#define GEO_LOCK_NAME                   "Global\\geo_lock"
+#define DBM_LOCK_NAME                   "Global\\dbm_lock"
+
 #define RESBODY_STATUS_NOT_READ         0   /* we were not configured to read the body */
 #define RESBODY_STATUS_ERROR            1   /* error occured while we were reading the body */
 #define RESBODY_STATUS_PARTIAL          2   /* partial body content available in the brigade */
@@ -674,13 +685,13 @@ struct error_message_t {
 
 struct msc_engine {
     apr_pool_t              *mp;
-    apr_global_mutex_t      *auditlog_lock;
+    struct waf_lock         *auditlog_lock;
 #ifdef WAF_JSON_LOGGING_ENABLE
-    apr_global_mutex_t      *wafjsonlog_lock;
+    struct waf_lock         *wafjsonlog_lock;
 #endif
-    apr_global_mutex_t      *geo_lock;
+    struct waf_lock         *geo_lock;
 #ifdef GLOBAL_COLLECTION_LOCK
-    apr_global_mutex_t      *dbm_lock;
+    struct waf_lock         *dbm_lock;
 #endif
     msre_engine             *msre;
     unsigned int             processing_mode;

apache2/modsecurity.c

@@ -13,6 +13,7 @@
 */
 
 #include "msc_geo.h"
+#include "waf_lock_external.h"
 
 
 /* -- Lookup Tables -- */
@@ -315,8 +316,8 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
         msr_log(msr, 9, "GEO: Using address \"%s\" (0x%08lx). %lu", targetip, ipnum, ipnum);
     }
 
-    ret = apr_global_mutex_lock(msr->modsecurity->geo_lock);
-    if (ret != APR_SUCCESS) {
+    ret = waf_get_exclusive_lock(msr->modsecurity->geo_lock);
+    if (waf_lock_is_error(ret)) {
         msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
                 get_apr_error(msr->mp, ret));
     }
@@ -352,8 +353,8 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
         *error_msg = apr_psprintf(msr->mp, "No geo data for \"%s\").", log_escape(msr->mp, target));
         msr_log(msr, 4, "%s", *error_msg);
 
-        ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
-        if (ret != APR_SUCCESS) {
+        ret = waf_free_exclusive_lock(msr->modsecurity->geo_lock);
+        if (waf_lock_is_error(ret)) {
             msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
                     get_apr_error(msr->mp, ret));
         }
@@ -368,8 +369,8 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
             *error_msg = apr_psprintf(msr->mp, "No geo data for \"%s\" (country %d).", log_escape(msr->mp, target), country);
             msr_log(msr, 4, "%s", *error_msg);
 
-            ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
-            if (ret != APR_SUCCESS) {
+            ret = waf_free_exclusive_lock(msr->modsecurity->geo_lock);
+            if (waf_lock_is_error(ret)) {
                 msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
                         get_apr_error(msr->mp, ret));
             }
@@ -399,8 +400,8 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
             *error_msg = apr_psprintf(msr->mp, "No geo data for \"%s\" (country %d).", log_escape(msr->mp, target), country);
             msr_log(msr, 4, "%s", *error_msg);
 
-            ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
-            if (ret != APR_SUCCESS) {
+            ret = waf_free_exclusive_lock(msr->modsecurity->geo_lock);
+            if (waf_lock_is_error(ret)) {
                 msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
                         get_apr_error(msr->mp, ret));
             }
@@ -494,8 +495,8 @@ int geo_lookup(modsec_rec *msr, geo_rec *georec, const char *target, char **erro
 
     *error_msg = apr_psprintf(msr->mp, "Geo lookup for \"%s\" succeeded.", log_escape(msr->mp, target));
 
-    ret = apr_global_mutex_unlock(msr->modsecurity->geo_lock);
-    if (ret != APR_SUCCESS) {
+    ret = waf_free_exclusive_lock(msr->modsecurity->geo_lock);
+    if (waf_lock_is_error(ret)) {
         msr_log(msr, 1, "Geo Lookup: Failed to lock proc mutex: %s",
                 get_apr_error(msr->mp, ret));
     }