只有任意规则匹配上了才会执行自定义的逻辑

logs/execve.log

@@ -0,0 +1,102 @@
+[Thu Apr 10 13:38:46 2025
+] Command: /bin/lesspipe
+arg[0]: lesspipe
+[Thu Apr 10 13:38:46 2025
+] Command: /bin/dircolors
+arg[0]: dircolors
+arg[1]: -b
+[Thu Apr 10 13:38:48 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+arg[2]: -CF
+[Thu Apr 10 13:38:57 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+[Thu Apr 10 13:39:06 2025
+] Command: /usr/lib/command-not-found
+arg[0]: /usr/lib/command-not-found
+arg[1]: --
+arg[2]: nvidia-smi
+[Thu Apr 10 13:39:26 2025
+] Command: /bin/rm
+arg[0]: rm
+[Thu Apr 10 13:39:30 2025
+] Command: /bin/rm
+arg[0]: rm
+arg[1]: -rf
+arg[2]: ./Makefile
+arg[3]: ./README.md
+arg[4]: ./build
+arg[5]: ./config
+arg[6]: ./logs
+arg[7]: ./output.txt
+arg[8]: ./src
+arg[9]: ./test_bash.sh
+arg[10]: ./tests
+[Thu Apr 10 13:40:41 2025
+] Command: /bin/lesspipe
+arg[0]: lesspipe
+[Thu Apr 10 13:40:41 2025
+] Command: /bin/dircolors
+arg[0]: dircolors
+arg[1]: -b
+[Thu Apr 10 13:40:48 2025
+] Command: /home/qcqcqc/miniconda3/bin/python
+arg[0]: python
+[Thu Apr 10 13:41:01 2025
+] Command: /home/qcqcqc/miniconda3/bin/pip
+arg[0]: pip
+arg[1]: install
+arg[2]: abcdefaaaaa
+[Thu Apr 10 16:50:23 2025
+] Command: /bin/lesspipe
+arg[0]: lesspipe
+[Thu Apr 10 16:50:23 2025
+] Command: /bin/dircolors
+arg[0]: dircolors
+arg[1]: -b
+[Thu Apr 10 16:50:25 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+[Thu Apr 10 16:50:25 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+arg[2]: -CF
+[Sat Apr 12 10:04:23 2025
+] Command: /bin/lesspipe
+arg[0]: lesspipe
+[Sat Apr 12 10:04:23 2025
+] Command: /bin/dircolors
+arg[0]: dircolors
+arg[1]: -b
+[Sat Apr 12 10:04:26 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+arg[2]: -CF
+[Sat Apr 12 10:04:43 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+[Sat Apr 12 10:06:47 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+[Sat Apr 12 10:08:51 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+arg[2]: -CF
+[Sat Apr 12 10:08:52 2025
+] Command: /bin/ls
+arg[0]: ls
+arg[1]: --color=auto
+[Sat Apr 12 10:14:16 2025
+] Command: /home/qcqcqc/miniconda3/bin/pip
+arg[0]: pip
+arg[1]: install
+arg[2]: torch

logs/execve_out.log

@@ -0,0 +1,49 @@
+
[DEBUG][PID 176170] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 176170] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build/  config/  logs/  output.txt  src/  test_bash.sh*  tests/
+
[DEBUG][PID 176315] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 176315] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build  config  logs  output.txt  src  test_bash.sh  tests
+
[DEBUG][PID 177976] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 177976] src/pty_dup.c:50:dupIO(): Child process ready.
+Python 3.12.9 | packaged by Anaconda, Inc. | (main, Feb  6 2025, 18:56:27) [GCC 11.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> 
[DEBUG][PID 178205] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 178205] src/pty_dup.c:50:dupIO(): Child process ready.
+Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
+ERROR: Could not find a version that satisfies the requirement abcdefaaaaa (from versions: none)
+ERROR: No matching distribution found for abcdefaaaaa
+
[DEBUG][PID 458319] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 458319] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build  config  logs  output.txt  src  test_bash.sh  tests
+
[DEBUG][PID 458327] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 458327] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build/  config/  logs/  output.txt  src/  test_bash.sh*  tests/
+Welcome to the System!
+
[DEBUG][PID 2236478] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 2236478] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build/  config/  logs/  output.txt  src/  test_bash.sh*  tests/
+Welcome to the System!
+
[DEBUG][PID 2236933] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 2236933] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build  config  logs  output.txt  src  test_bash.sh  tests
+
[DEBUG][PID 2240596] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 2240596] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build  config  logs  output.txt  src  test_bash.sh  tests
+欢迎使用北冥云计算服务!
+
[DEBUG][PID 2244514] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 2244514] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build/  config/  logs/  output.txt  src/  test_bash.sh*  tests/
+欢迎使用北冥云计算服务!
+
[DEBUG][PID 2244525] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 2244525] src/pty_dup.c:50:dupIO(): Child process ready.
+Makefile  README.md  build  config  logs  output.txt  src  test_bash.sh  tests
+
[DEBUG][PID 2252763] src/pty_dup.c:43:dupIO(): forkpty result is: 0.
+
[DEBUG][PID 2252763] src/pty_dup.c:50:dupIO(): Child process ready.
+欢迎使用北冥云计算服务!
+Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
+Collecting torch
+  Downloading https://pypi.tuna.tsinghua.edu.cn/packages/e5/35/0c52d708144c2deb595cd22819a609f78fdd699b95ff6f0ebcd456e3c7c1/torch-2.6.0-cp312-cp312-manylinux1_x86_64.whl (766.6 MB)
+[?25l     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0/766.6 MB ? eta -:--:--
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.3/766.6 MB ? eta -:--:--
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.0/766.6 MB 3.8 MB/s eta 0:03:23
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.6/766.6 MB 5.6 MB/s eta 0:02:17
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.9/766.6 MB 5.9 MB/s eta 0:02:10
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 5.5/766.6 MB 6.4 MB/s eta 0:01:59
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.9/766.6 MB 7.3 MB/s eta 0:01:45
     ╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 9.7/766.6 MB 7.9 MB/s eta 0:01:36
     ╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 12.1/766.6 MB 8.1 MB/s eta 0:01:33
     ╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 13.9/766.6 MB 8.5 MB/s eta 0:01:29
     ╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 16.3/766.6 MB 8.7 MB/s eta 0:01:27
     ╸━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 19.1/766.6 MB 9.2 MB/s eta 0:01:22
     ━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 21.0/766.6 MB 9.3 MB/s eta 0:01:21
     ━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 23.1/766.6 MB 9.4 MB/s eta 0:01:19
     ━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 23.1/766.6 MB 9.4 MB/s eta 0:01:19
+[?25hERROR: Operation cancelled by user
+

src/execve_interceptor.c

@@ -122,8 +122,6 @@ int enhance_execve(const char *filename, char *const argv[],
 #endif
     }
 
-    write_log(filename, argv);
-
     const char *basename = argv[0];
     if (strcmp(filename, COMMAND_NOT_FOUND) == 0 && argv[2]) {
         basename = argv[2];
@@ -141,9 +139,11 @@ int enhance_execve(const char *filename, char *const argv[],
 #endif
     }
 
+    int hasMatch = 0;
     for (int i = 0; i < shared_config->rule_count; i++) {
         if (strcmp(basename, shared_config->rules[i].cmd) == 0 &&
             args_match(argv, &shared_config->rules[i])) {
+            hasMatch++;
             DEBUG_LOG("Rule matched: %s (type: %s)",
                       shared_config->rules[i].cmd,
                       shared_config->rules[i].type);
@@ -179,6 +179,18 @@ int enhance_execve(const char *filename, char *const argv[],
         }
     }
 
+    if (hasMatch == 0) {
+        // 直接执行
+#ifdef HOOK
+        return orig_execve(filename, argv, envp);
+#else
+        return execve(filename, argv, envp);
+// return 1;
+#endif
+    }
+
+    write_log(filename, argv);
+
     // Duplicate stdout and stderr to the log file
     dupIO();