Fixed merging actionsets so we can build a more accurate rule for auditing.

2025-08-14 13:56:01 +03:00 · 2008-01-22 05:39:33 +00:00 · 2008-01-22 05:39:33 +00:00 · c4e1ede358
commit c4e1ede358
parent 0d24a08f33
4 changed files with 200 additions and 77 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -552,7 +552,7 @@ static const char *add_rule(cmd_parms *cmd, directory_config *dcfg, int type,
                cmd->directive->line_num, p1, p2, &my_error_msg);
            break;
        default :
-            rule = msre_rule_create(dcfg->ruleset, cmd->directive->filename,
+            rule = msre_rule_create(dcfg->ruleset, type, cmd->directive->filename,
                cmd->directive->line_num, p1, p2, p3, &my_error_msg);
            break;
    }
@ -721,7 +721,7 @@ static const char *add_marker(cmd_parms *cmd, directory_config *dcfg, const char
    }

    /* Create the rule now. */
-    rule = msre_rule_create(dcfg->ruleset, cmd->directive->filename, cmd->directive->line_num, p1, p2, p3, &my_error_msg);
+    rule = msre_rule_create(dcfg->ruleset, RULE_TYPE_MARKER, cmd->directive->filename, cmd->directive->line_num, p1, p2, p3, &my_error_msg);
    if (rule == NULL) {
        return my_error_msg;
    }
@ -797,21 +797,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,

    #ifdef DEBUG_CONF
    {
-        const apr_array_header_t *tarr = apr_table_elts(rule->actionset->actions);
-        const apr_table_entry_t *telts = (const apr_table_entry_t*)tarr->elts;
-        char *actions = NULL;
-        int i;
-        for (i = 0; i < tarr->nelts; i++) {
-            msre_action *action = (msre_action *)telts[i].val;
-            actions = apr_pstrcat(ruleset->mp,
-                (actions == NULL) ? "" : actions,
-                (actions == NULL) ? "" : ",",
-                action->metadata->name,
-                (action->param == NULL) ? "" : ":'",
-                (action->param == NULL) ? "" : action->param,
-                (action->param == NULL) ? "" : "'",
-                NULL);
-        }
+        char *actions = msre_actionset_generate_action_string(ruleset->mp, rule->actionset);
        ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
            "Updating rule %pp id=\"%s\" action: \"%s\"",
            rule,
@ -826,25 +812,12 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
        new_actionset, 1);
    msre_actionset_set_defaults(rule->actionset);

-    /* ENH: Change the unparsed string, but may be impossible. */
+    /* Update the unparsed rule */
+    rule->unparsed = msre_rule_generate_unparsed(ruleset->mp, rule, NULL, NULL, NULL);

    #ifdef DEBUG_CONF
    {
-        const apr_array_header_t *tarr = apr_table_elts(rule->actionset->actions);
-        const apr_table_entry_t *telts = (const apr_table_entry_t*)tarr->elts;
-        char *actions = NULL;
-        int i;
-        for (i = 0; i < tarr->nelts; i++) {
-            msre_action *action = (msre_action *)telts[i].val;
-            actions = apr_pstrcat(ruleset->mp,
-                (actions == NULL) ? "" : actions,
-                (actions == NULL) ? "" : ",",
-                action->metadata->name,
-                (action->param == NULL) ? "" : ":'",
-                (action->param == NULL) ? "" : action->param,
-                (action->param == NULL) ? "" : "'",
-                NULL);
-        }
+        char *actions = msre_actionset_generate_action_string(ruleset->mp, rule->actionset);
        ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_NOERRNO, 0, cmd->pool,
            "Updated rule %pp id=\"%s\" action: \"%s\"",
            rule,
@ -859,7 +832,7 @@ static const char *update_rule_action(cmd_parms *cmd, directory_config *dcfg,
 /* -- Configuration directives -- */

 static const char *cmd_action(cmd_parms *cmd, void *_dcfg, const char *p1) {
-    return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_NORMAL, SECACTION_TARGETS, SECACTION_ARGS, p1);
+    return add_rule(cmd, (directory_config *)_dcfg, RULE_TYPE_ACTION, SECACTION_TARGETS, SECACTION_ARGS, p1);
 }

 static const char *cmd_marker(cmd_parms *cmd, void *_dcfg, const char *p1) {
--- a/apache2/re.c
+++ b/apache2/re.c
@ -28,6 +28,65 @@ static const char *const severities[] = {

 /* -- Actions, variables, functions and operator functions ----------------- */

+/**
+ * Remove actions with the same cardinality group from the actionset.
+ */
+static void msre_actionset_cardinality_fixup(msre_actionset *actionset, msre_action *action) {
+    const apr_array_header_t *tarr = apr_table_elts(actionset->actions);
+    const apr_table_entry_t *telts = (const apr_table_entry_t*)tarr->elts;
+    int i;
+
+    if ((actionset == NULL) || (action == NULL)) return;
+
+    for (i = 0; i < tarr->nelts; i++) {
+        msre_action *target = (msre_action *)telts[i].val;
+        if (target->metadata->cardinality_group == action->metadata->cardinality_group) {
+
+            apr_table_unset(actionset->actions, target->metadata->name);
+        }
+    }
+}
+
+/**
+ * Generate an action string from an actionset.
+ */
+char *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset)
+{
+    const apr_array_header_t *tarr = apr_table_elts(actionset->actions);
+    const apr_table_entry_t *telts = (const apr_table_entry_t*)tarr->elts;
+    char *actions = NULL;
+    int i;
+
+    for (i = 0; i < tarr->nelts; i++) {
+        msre_action *action = (msre_action *)telts[i].val;
+        int use_quotes = 0;
+
+        /* Check if we need any quotes */
+        if (action->param != NULL) {
+            int j;
+            for(j = 0; action->param[j] != '\0'; j++) {
+                if (isspace(action->param[j])) {
+                    use_quotes = 1;
+                    break;
+                }
+            }        
+            if (j == 0) use_quotes = 1;
+        }
+
+        actions = apr_pstrcat(pool,
+            (actions == NULL) ? "" : actions,
+            (actions == NULL) ? "" : ",",
+            action->metadata->name,
+            (action->param == NULL) ? "" : ":",
+            (use_quotes) ? "'" : "",
+            (action->param == NULL) ? "" : action->param,
+            (use_quotes) ? "'" : "",
+            NULL);
+    }
+
+    return actions;
+}
+
 /**
 * Creates msre_var instances (rule variables) out of the 
 * given text string and places them into the supplied table.
@ -100,6 +159,10 @@ apr_status_t msre_parse_actions(msre_engine *engine, msre_actionset *actionset,
            action->metadata->init(engine, actionset, action);
        }

+        if (action->metadata->cardinality_group != ACTION_CGROUP_NONE) {
+            msre_actionset_cardinality_fixup(actionset, action);
+        }
+
        if (action->metadata->cardinality == ACTION_CARDINALITY_ONE) {
            /* One action per actionlist. */
            apr_table_setn(actionset->actions, action->metadata->name, (void *)action);
@ -536,6 +599,11 @@ msre_actionset *msre_actionset_merge(msre_engine *engine, msre_actionset *parent
    telts = (const apr_table_entry_t*)tarr->elts;
    for (i = 0; i < tarr->nelts; i++) {
        msre_action *action = (msre_action *)telts[i].val;
+
+        if (action->metadata->cardinality_group != ACTION_CGROUP_NONE) {
+            msre_actionset_cardinality_fixup(merged, action);
+        }
+
        if (action->metadata->cardinality == ACTION_CARDINALITY_ONE) {
            apr_table_setn(merged->actions, action->metadata->name, (void *)action);
        } else {
@ -1248,11 +1316,63 @@ char *msre_format_metadata(modsec_rec *msr, msre_actionset *actionset) {
    return apr_pstrcat(msr->mp, fn, id, rev, msg, logdata, severity, tags, NULL);
 }

+char * msre_rule_generate_unparsed(apr_pool_t *pool,  const msre_rule *rule, const char *targets,
+    const char *args, const char *actions)
+{
+    char *unparsed = NULL;
+    const char *r_targets = targets;
+    const char *r_args = args;
+    const char *r_actions = actions;
+
+    if (r_targets == NULL) {
+        r_targets = rule->p1;
+    }
+    if (r_args == NULL) {
+        r_args = apr_pstrcat(pool, (rule->op_negated ? "!" : ""), "@", rule->op_name, " ", rule->op_param, NULL);
+    }
+    if (r_actions == NULL) {
+        r_actions = msre_actionset_generate_action_string(pool, rule->actionset);
+    }
+
+    switch (rule->type) {
+    case RULE_TYPE_NORMAL:
+        if (r_actions == NULL) {
+            unparsed = apr_psprintf(pool, "SecRule \"%s\" \"%s\"",
+                           log_escape(pool, r_targets), log_escape(pool, r_args));
+        }
+        else {
+            unparsed = apr_psprintf(pool, "SecRule \"%s\" \"%s\" \"%s\"",
+                           log_escape(pool, r_targets), log_escape(pool, r_args),
+                           log_escape(pool, r_actions));
+        }
+        break;
+    case RULE_TYPE_ACTION:
+        unparsed = apr_psprintf(pool, "SecAction \"%s\"",
+                       log_escape(pool, r_actions));
+        break;
+    case RULE_TYPE_MARKER:
+        unparsed = apr_psprintf(pool, "SecMarker \"%s\"", rule->actionset->id);
+        break;
+    case RULE_TYPE_LUA:
+        /* SecRuleScript */
+        if (r_actions == NULL) {
+            unparsed = apr_psprintf(pool, "SecRuleScript \"%s\"", r_args);
+        }
+        else {
+            unparsed = apr_psprintf(pool, "SecRuleScript \"%s\" \"%s\"",
+                           r_args, log_escape(pool, r_actions));
+        }
+        break;
+    }
+
+    return unparsed;
+}
+
 /**
 * Assembles a new rule using the strings that contain a list
 * of targets (variables), arguments, and actions.
 */
-msre_rule *msre_rule_create(msre_ruleset *ruleset,
+msre_rule *msre_rule_create(msre_ruleset *ruleset, int type,
    const char *fn, int line, const char *targets,
    const char *args, const char *actions, char **error_msg)
 {
@ -1266,36 +1386,14 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset,

    rule = (msre_rule *)apr_pcalloc(ruleset->mp, sizeof(msre_rule));
    if (rule == NULL) return NULL;
+
+    rule->type = type;
    rule->ruleset = ruleset;
    rule->targets = apr_array_make(ruleset->mp, 10, sizeof(const msre_var *));
    rule->p1 = apr_pstrdup(ruleset->mp, targets);
    rule->filename = apr_pstrdup(ruleset->mp, fn);
    rule->line_num = line;

-    /* Add the unparsed rule */
-    if ((strcmp(SECACTION_TARGETS, targets) == 0) && (strcmp(SECACTION_ARGS, args) == 0)) {
-        rule->unparsed = apr_psprintf(ruleset->mp, "SecAction \"%s\"",
-            log_escape(ruleset->mp, actions));
-    }
-    else
-        if ((strcmp(SECMARKER_TARGETS, targets) == 0)
-            && (strcmp(SECMARKER_ARGS, args) == 0)
-            && (strncmp(SECMARKER_BASE_ACTIONS, actions, strlen(SECMARKER_BASE_ACTIONS)) == 0))
-        {
-            rule->unparsed = apr_psprintf(ruleset->mp, "SecMarker \"%s\"",
-                log_escape(ruleset->mp, actions + strlen(SECMARKER_BASE_ACTIONS)));
-    }
-    else {
-        if (actions == NULL) {
-            rule->unparsed = apr_psprintf(ruleset->mp, "SecRule \"%s\" \"%s\"",
-                log_escape(ruleset->mp, targets), log_escape(ruleset->mp, args));
-        } else {
-            rule->unparsed = apr_psprintf(ruleset->mp, "SecRule \"%s\" \"%s\" \"%s\"",
-                log_escape(ruleset->mp, targets), log_escape(ruleset->mp, args),
-                log_escape(ruleset->mp, actions));
-        }
-    }
-
    /* Parse targets */
    rc = msre_parse_targets(ruleset, targets, rule->targets, &my_error_msg);
    if (rc < 0) {
@ -1353,6 +1451,9 @@ msre_rule *msre_rule_create(msre_ruleset *ruleset,
        }
    }

+    /* Add the unparsed rule */
+    rule->unparsed = msre_rule_generate_unparsed(ruleset->mp, rule, targets, args, NULL);
+
    return rule;
 }

@ -1371,20 +1472,12 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset,

    rule = (msre_rule *)apr_pcalloc(ruleset->mp, sizeof(msre_rule));
    if (rule == NULL) return NULL;
+
+    rule->type = RULE_TYPE_LUA;
    rule->ruleset = ruleset;
    rule->filename = apr_pstrdup(ruleset->mp, fn);
    rule->line_num = line;

-    rule->type = RULE_TYPE_LUA;
-
-    if (actions == NULL) {
-        rule->unparsed = apr_psprintf(ruleset->mp, "SecRuleScript \"%s\"",
-            script_filename);
-    } else {
-        rule->unparsed = apr_psprintf(ruleset->mp, "SecRuleScript \"%s\" \"%s\"",
-            script_filename, log_escape(ruleset->mp, actions));
-    }
-
    /* Compile script. */
    *error_msg = lua_compile(&rule->script, script_filename, ruleset->mp);
    if (*error_msg != NULL) {
@ -1401,6 +1494,9 @@ msre_rule *msre_rule_lua_create(msre_ruleset *ruleset,
        }
    }

+    /* Add the unparsed rule */
+    rule->unparsed = msre_rule_generate_unparsed(ruleset->mp, rule, NULL, script_filename, NULL);
+
    return rule;
 }

--- a/apache2/re.h
+++ b/apache2/re.h
@ -122,9 +122,10 @@ int DSOLOCAL msre_ruleset_phase_rule_remove_with_exception(msre_ruleset *ruleset
 #define RULE_PH_SKIPAFTER       1  /* Implicit placeholder for skipAfter */
 #define RULE_PH_MARKER          2  /* Explicit placeholder for SecMarker */

-#define RULE_TYPE_NORMAL        0
-#define RULE_TYPE_ACTION        1
-#define RULE_TYPE_LUA           2
+#define RULE_TYPE_NORMAL        0  /* SecRule */
+#define RULE_TYPE_ACTION        1  /* SecAction */
+#define RULE_TYPE_MARKER        2  /* SecMarker */
+#define RULE_TYPE_LUA           3  /* SecRuleScript */

 struct msre_rule {
    apr_array_header_t      *targets;
@ -153,7 +154,9 @@ struct msre_rule {
    msc_script              *script;
 };

-msre_rule DSOLOCAL *msre_rule_create(msre_ruleset *ruleset,
+char DSOLOCAL *msre_rule_generate_unparsed(apr_pool_t *pool, const msre_rule *rule, const char *targets, const char *args, const char *actions);
+
+msre_rule DSOLOCAL *msre_rule_create(msre_ruleset *ruleset, int type,
    const char *fn, int line, const char *targets,
    const char *args, const char *actions, char **error_msg);

@ -274,6 +277,8 @@ struct msre_actionset {
    int                      auditlog;
 };

+char DSOLOCAL *msre_actionset_generate_action_string(apr_pool_t *pool, const msre_actionset *actionset);
+
 void DSOLOCAL msre_engine_variable_register(msre_engine *engine, const char *name, 
    unsigned int type, unsigned int argc_min, unsigned int argc_max,
    fn_var_validate_t validate, fn_var_generate_t generate,
@ -306,6 +311,11 @@ typedef apr_status_t (*fn_action_execute_t)(modsec_rec *msr, apr_pool_t *mptmp,
 #define ACTION_CARDINALITY_ONE  1
 #define ACTION_CARDINALITY_MANY 2

+#define ACTION_CGROUP_NONE       0
+#define ACTION_CGROUP_DISRUPTIVE 1
+#define ACTION_CGROUP_LOG        2
+#define ACTION_CGROUP_AUDITLOG   3
+
 struct msre_action_metadata {
    const char              *name;
    unsigned int             type;
@ -313,6 +323,7 @@ struct msre_action_metadata {
    unsigned int             argc_max;
    unsigned int             allow_param_plusminus;
    unsigned int             cardinality;
+    unsigned int             cardinality_group;
    fn_action_validate_t     validate;
    fn_action_init_t         init;
    fn_action_execute_t      execute;
--- a/apache2/re_actions.c
+++ b/apache2/re_actions.c
@ -14,10 +14,11 @@
 /**
 * Register action with the engine.
 */
-static void msre_engine_action_register(msre_engine *engine, const char *name, unsigned int type,
-    unsigned int argc_min, unsigned int argc_max, unsigned int allow_param_plusminus,
-    unsigned int cardinality, fn_action_validate_t validate, fn_action_init_t init,
-    fn_action_execute_t execute)
+static void msre_engine_action_register(msre_engine *engine, const char *name,
+    unsigned int type, unsigned int argc_min, unsigned int argc_max,
+    unsigned int allow_param_plusminus, unsigned int cardinality,
+    unsigned int cardinality_group, fn_action_validate_t validate,
+    fn_action_init_t init, fn_action_execute_t execute)
 {
    msre_action_metadata *metadata = (msre_action_metadata *)apr_pcalloc(engine->mp,
        sizeof(msre_action_metadata));
@ -29,6 +30,7 @@ static void msre_engine_action_register(msre_engine *engine, const char *name, u
    metadata->argc_max = argc_max;
    metadata->allow_param_plusminus = allow_param_plusminus;
    metadata->cardinality = cardinality;
+    metadata->cardinality_group = cardinality_group;
    metadata->validate = validate;
    metadata->init = init;
    metadata->execute = execute;
@ -1619,6 +1621,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        msre_action_id_init,
        NULL
@ -1631,6 +1634,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        msre_action_rev_init,
        NULL
@ -1643,6 +1647,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        msre_action_msg_init,
        NULL
@ -1655,6 +1660,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        msre_action_logdata_init,
        NULL
@ -1667,6 +1673,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        msre_action_severity_init,
        NULL
@ -1679,6 +1686,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        msre_action_chain_init,
        NULL
@ -1691,6 +1699,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_LOG,
        NULL,
        msre_action_log_init,
        NULL
@ -1703,6 +1712,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_LOG,
        NULL,
        msre_action_nolog_init,
        NULL
@ -1715,6 +1725,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_AUDITLOG,
        NULL,
        msre_action_auditlog_init,
        NULL
@ -1727,6 +1738,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_AUDITLOG,
        NULL,
        msre_action_noauditlog_init,
        NULL
@ -1739,6 +1751,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        NULL,
        msre_action_deny_init,
        NULL
@ -1751,6 +1764,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        msre_action_status_validate,
        msre_action_status_init,
        NULL
@ -1763,6 +1777,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        NULL,
        msre_action_drop_init,
        NULL
@ -1775,6 +1790,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        msre_action_pause_validate,
        msre_action_pause_init,
        NULL
@ -1787,6 +1803,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        msre_action_redirect_validate,
        msre_action_redirect_init,
        msre_action_redirect_execute
@ -1799,6 +1816,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        msre_action_proxy_validate,
        msre_action_proxy_init,
        msre_action_proxy_execute
@ -1811,6 +1829,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        NULL,
        msre_action_pass_init,
        NULL
@ -1823,6 +1842,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        msre_action_skip_validate,
        msre_action_skip_init,
        NULL
@ -1835,6 +1855,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        msre_action_skipAfter_validate,
        msre_action_skipAfter_init,
        NULL
@ -1847,6 +1868,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_DISRUPTIVE,
        msre_action_allow_validate,
        msre_action_allow_init,
        NULL
@ -1859,6 +1881,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        msre_action_phase_validate,
        msre_action_phase_init,
        NULL
@ -1871,6 +1894,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        ALLOW_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        msre_action_t_validate,
        msre_action_t_init,
        NULL
@ -1883,6 +1907,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        msre_action_ctl_validate,
        msre_action_ctl_init,
        msre_action_ctl_execute
@ -1895,6 +1920,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        msre_action_xmlns_validate,
        NULL,
        NULL
@ -1907,6 +1933,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        NULL
@ -1919,6 +1946,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_sanitiseArg_execute
@ -1931,6 +1959,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_sanitiseMatched_execute
@ -1943,6 +1972,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_sanitiseRequestHeader_execute
@ -1955,6 +1985,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_sanitiseResponseHeader_execute
@ -1967,6 +1998,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_setenv_execute
@ -1979,6 +2011,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_setvar_execute
@ -1991,6 +2024,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_expirevar_execute
@ -2003,6 +2037,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_deprecatevar_execute
@ -2015,6 +2050,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_initcol_execute
@ -2027,6 +2063,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_setsid_execute
@ -2039,6 +2076,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_setuid_execute
@ -2051,6 +2089,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        msre_action_exec_validate,
        NULL,
        msre_action_exec_execute
@ -2063,6 +2102,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        0, 0,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        NULL
@ -2075,6 +2115,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_MANY,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        NULL
@ -2087,6 +2128,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_prepend_execute
@ -2099,6 +2141,7 @@ void msre_engine_register_default_actions(msre_engine *engine) {
        1, 1,
        NO_PLUS_MINUS,
        ACTION_CARDINALITY_ONE,
+        ACTION_CGROUP_NONE,
        NULL,
        NULL,
        msre_action_append_execute