Handle readonly File violation corner case for Audit mode

This commit adds new field ReadOnly to MatchPolicy struct. Fixes: kubearmor#213 Signed-off-by: Ayush Dwivedi <ayush.dwivedi@accuknox.com>
oneiro-naut · Jul 28, 2021 · 2f58fdd · 2f58fdd
1 parent 490bb56
commit 2f58fdd
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
@@ -99,6 +99,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fpt.Path
 		match.ResourceType = "Path"
 
+		match.ReadOnly = fpt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 			match.Action = "Audit (" + fpt.Action + ")"
 		} else {
@@ -113,6 +115,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fdt.Directory
 		match.ResourceType = "Directory"
 
+		match.ReadOnly = fdt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fdt.Action, "Block") {
 			match.Action = "Audit (" + fdt.Action + ")"
 		} else {
@@ -126,6 +130,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fpt.Pattern
 		match.ResourceType = "" // to be defined based on the pattern matching syntax
 
+		match.ReadOnly = fpt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 			match.Action = "Audit (" + fpt.Action + ")"
 		} else {
@@ -791,6 +797,12 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 
 							log.Type = "MatchedPolicy"
 							log.Action = secPolicy.Action
+
+							if log.Operation == "File" {
+								if secPolicy.ReadOnly && log.Data != "" && (strings.Contains(log.Data, "O_RDWR") || strings.Contains(log.Data, "O_WRONLY")) {
+									log.Action = "Block"
+								}
+							}
 						}
 					}
 				}
@@ -918,6 +930,11 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 			// 	return tp.Log{}
 			// }
 
+			if log.PolicyEnabled == tp.KubeArmorPolicyAudited && log.Action == "Block" {
+				log.Action = "Audit (Block)"
+				return log
+			}
+
 			return log
 		}
 	} else { // host

diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
@@ -200,8 +200,9 @@ type MatchPolicy struct {
 	Resource     string
 	ResourceType string
 
-	Regexp *regexp.Regexp
-	Native bool
+	Regexp   *regexp.Regexp
+	Native   bool
+	ReadOnly bool
 
 	Action string
 }

diff --git a/tests/scenarios/multiubuntu_test_9/cmd2 b/tests/scenarios/multiubuntu_test_9/cmd2
@@ -4,4 +4,4 @@ result: failed
 ---
 operation: File
 condition: password
-action: Allow
+action: Block