#!/bin/sh -efu

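# Re-assert the strict options from the shebang: they are lost when the
# script is started as `sh <script>` instead of being executed directly.
set -efu

# NAGWAD_DEBUG (any non-empty value) turns on command tracing.
[ -z "${NAGWAD_DEBUG:-}" ] || set -x

# Positional arguments: filter name, status and the event message.
# `status` is not read anywhere in this script.
filter="$1"
status="$2"
message="$3"

# Skip lists live next to the script. When $0 carries no directory part
# (e.g. `sh script`), "${0%/*}" would expand to the script name itself,
# so fall back to the current directory in that case.
case "$0" in
    */*) SKIPLIST_DIR="${0%/*}/eperm-skip.d" ;;
    *)   SKIPLIST_DIR="./eperm-skip.d" ;;
esac

# This script only handles the 'eperm' filter; anything else is a no-op.
[ "$filter" = 'eperm' ] || exit 0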

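# skip_from FILE
#
# Decide whether the event described by $message may be skipped, using
# the regular expressions in FILE (one per line, passed to `grep -f`).
#
# Globals:   message (read), NAGWAD_DEBUG (read), NAGWAD_SKIP_EVENT (read)
# Arguments: $1 - path to the skip list
# Outputs:   one "PATH=<name>" line on stdout for every path of the
#            looked-up event that matches no expression in FILE
# Returns:   $NAGWAD_SKIP_EVENT when at least one path was found and all
#            of them matched the skip list; 0 otherwise (including when
#            FILE is missing or empty)
#
# NOTE(review): the lookup uses `ausearch -ts recent ... --just-one` keyed
# on syscall/pid/ppid only, so it may return a different recent event of
# the same process than the one in $message -- confirm this is acceptable.
# NOTE(review): only PATH records with a double-quoted name="..." are
# counted; a name logged in another form (audit appears to hex-encode some
# names) is neither counted nor checked against the skip list -- verify.
skip_from() {
    local from="$1"

    [ -s "$from" ] || return 0

    # Stage 1: split the message into key=value tokens, pick the fields
    # needed for the lookup and print the matching audit event.
    # printf instead of echo: some /bin/sh echo builtins expand backslash
    # escapes found in the data.
    printf '%s\n' "$message" | tr '[:space:]' '\n' | (
        syscall=; pid=; ppid=
        while IFS='=' read -r var val; do
            case "$var" in
                syscall) syscall="$val" ;;
                pid)     pid="$val" ;;
                ppid)    ppid="$val" ;;
            esac
        done

        if [ -z "$syscall" ] || [ -z "$pid" ] || [ -z "$ppid" ]; then
            exit 0
        fi

        # The values come from the event text and end up on the ausearch
        # command line: accept only plain numbers / identifiers so a
        # malformed field cannot be parsed as an option. Rejected events
        # produce no paths and are therefore never skipped.
        case "$pid$ppid" in
            *[!0-9]*) exit 0 ;;
        esac
        case "$syscall" in
            *[!A-Za-z0-9_]*) exit 0 ;;
        esac

        (
            # Hide ausearch diagnostics unless debugging.
            [ -n "${NAGWAD_DEBUG:-}" ] || exec 2>/dev/null
            ausearch -ts recent -m SYSCALL --syscall "$syscall" --ppid "$ppid" --pid "$pid" --just-one </dev/null
        )
    ) | sed -n -e 's/^type=PATH .* name="\([^"]\+\)".*$/\1/p' | (
        # Stage 3: compare every extracted path with the skip list.
        count=0
        skipcount=0
        # IFS= and -r keep each path byte-for-byte (no backslash
        # processing, no whitespace trimming) before it is matched.
        while IFS= read -r f; do
            count=$((count + 1))
            if printf '%s\n' "$f" | grep -q -f "$from"; then
                skipcount=$((skipcount + 1))
            else
                printf 'PATH=%s\n' "$f"
            fi
        done

        # Skip only when there was something to check and all of it is
        # covered by the skip list.
        if [ "$count" -gt 0 ] && [ "$count" -eq "$skipcount" ]; then
            exit "$NAGWAD_SKIP_EVENT"
        fi

        exit 0
    )
}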

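# Extract the value of the key="..." field from the event message. The
# leading .* is greedy, so the last such field in the message is used.
# printf instead of echo: some /bin/sh echo builtins expand backslash
# escapes found in the data.
key="$(printf '%s\n' "$message" | sed -n -e 's/^.*[[:space:]]key="\([^"]\+\)".*$/\1/p')"

# The key selects a file under $SKIPLIST_DIR. A key containing '/' would
# make the path point outside that directory, so such an event is never
# matched against a skip list (exit 0, the same status this script uses
# for events it does not skip).
case "$key" in
    */*) exit 0 ;;
esac

skip_from "$SKIPLIST_DIR/$key.regexp"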
