#!/bin/sh -efu

# Positional arguments: $1 = filter name, $2 = status, $3 = event message text.
# All three are required when the script runs with -u (see the shebang).
filter=$1
status=$2
message=$3

# Directory holding the per-key skip lists, resolved relative to this script.
SKIPLIST_DIR=${0%/*}/eperm-skip.d

# Only the 'eperm' filter is handled; for any other filter exit 0 right away
# without looking at the message.
if [ "$filter" != 'eperm' ]; then
    exit 0
fi

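#######################################
# Look up the audit SYSCALL event that matches the syscall/pid/ppid fields of
# $message, pull the quoted path names out of its PATH records, drop the names
# that match the skip list, and print what is left.
# Globals:   message (read), NAGWAD_SKIP_EVENT (read)
# Arguments: $1 - file of grep patterns, one per line; when it is missing or
#                 empty no path is filtered out
# Outputs:   one "PATH=<name>" line per remaining path on stdout
# Returns:   0 if at least one path remains, $NAGWAD_SKIP_EVENT otherwise
#######################################
skip_from() {
    local from="$1"

    # Stage 1: split the message into one "name=value" token per line and pick
    # out the fields needed to find the matching audit event.
    printf '%s\n' "$message" | tr '[:space:]' '\n' | (
        syscall=; pid=; ppid=
        # -r keeps backslashes in values literal.
        while IFS='=' read -r var val; do
            case "$var" in
                syscall) syscall="$val" ;;
                pid) pid="$val" ;;
                ppid) ppid="$val" ;;
            esac
        done

        # Without all three fields there is nothing to look up.
        if [ -z "$syscall" ] || [ -z "$pid" ] || [ -z "$ppid" ]; then
            exit 0
        fi

        # Defense in depth: the values come from the event text and are passed
        # to ausearch as arguments. Only hand over numeric ids and a syscall
        # value that cannot be read as an option.
        case "$pid" in *[!0-9]*) exit 0 ;; esac
        case "$ppid" in *[!0-9]*) exit 0 ;; esac
        case "$syscall" in -*) exit 0 ;; esac

        # NOTE(review): stderr is discarded and the exit status is not checked,
        # so a failed lookup and an empty result both produce no paths and end
        # in NAGWAD_SKIP_EVENT below, the same outcome as "every path is on the
        # skip list". If that status suppresses the event (the name suggests
        # so; confirm against the caller), lookup failures hide events.
        ausearch -ts recent -m SYSCALL --syscall "$syscall" --ppid "$ppid" --pid "$pid" --just-one </dev/null 2>/dev/null
    ) | sed -n -e 's/^type=PATH .* name="\([^"]\+\)".*$/\1/p' | (
        # Stage 2: drop skip-listed paths. The list holds regular expressions
        # that grep matches anywhere in the path, so an unanchored or broad
        # pattern filters out more than an exact path would.
        if [ -s "$from" ]; then
            grep -v -f "$from"
        else
            cat
        fi
    ) | (
        # Stage 3: report the remaining paths and count them.
        count=0
        # IFS= and -r keep each path byte-for-byte (no backslash processing).
        while IFS= read -r f; do
            printf '%s\n' "PATH=$f"
            count=$((count + 1))
        done

        if [ "$count" -eq 0 ]; then
            # NAGWAD_SKIP_EVENT is not defined in this file; presumably the
            # caller exports it (confirm). Left unquoted to keep the original
            # behaviour for an empty value.
            # shellcheck disable=SC2086
            exit $NAGWAD_SKIP_EVENT
        fi

        exit 0
    )
}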

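# The audit key is taken from the event text and becomes part of a file name
# under SKIPLIST_DIR.
key="$(printf '%s\n' "$message" | sed -n -e 's/^.*[[:space:]]key="\([^"]\+\)".*$/\1/p')"
case "$key" in
    */*)
        # A '/' would let the key select a file outside SKIPLIST_DIR. Use no
        # skip list in that case, so nothing is filtered out.
        skiplist=
        ;;
    *)
        skiplist="$SKIPLIST_DIR/$key.regexp"
        ;;
esac
# The script's exit status is skip_from's status.
skip_from "$skiplist"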
