From 2f58fdd8a7c36ad24413305db49c363773902576 Mon Sep 17 00:00:00 2001
From: Ayush Dwivedi
Date: Wed, 28 Jul 2021 17:06:52 +0530
Subject: [PATCH] Handle readonly File violation corner case for Audit mode

This commit adds new field ReadOnly to MatchPolicy struct.

Fixes: #213
Signed-off-by: Ayush Dwivedi
---
 KubeArmor/feeder/policyMatcher.go       | 17 +++++++++++++++++
 KubeArmor/types/types.go                |  5 +++--
 tests/scenarios/multiubuntu_test_9/cmd2 |  2 +-
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index cdee436c26..bcfd7113ff 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -99,6 +99,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fpt.Path
 		match.ResourceType = "Path"
 
+		match.ReadOnly = fpt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 			match.Action = "Audit (" + fpt.Action + ")"
 		} else {
@@ -113,6 +115,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fdt.Directory
 		match.ResourceType = "Directory"
 
+		match.ReadOnly = fdt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fdt.Action, "Block") {
 			match.Action = "Audit (" + fdt.Action + ")"
 		} else {
@@ -126,6 +130,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fpt.Pattern
 		match.ResourceType = "" // to be defined based on the pattern matching syntax
 
+		match.ReadOnly = fpt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 			match.Action = "Audit (" + fpt.Action + ")"
 		} else {
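Review bot: The new `match.ReadOnly = fpt.ReadOnly` line gives no hint that it changes what UpdateMatchedPolicy reports later, so a reader of newMatchPolicy sees match.Action fully computed here while the ReadOnly-derived "Block" is decided in another function; a comment such as `// ReadOnly: a write-mode open of a matched path is re-labelled Block in UpdateMatchedPolicy` would close that gap. The same applies to the Directory hunk at @@ -113 and the Pattern hunk at @@ -126, which add the identical assignment. newMatchPolicy starts before and continues past each of these hunks.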
@@ -791,6 +797,12 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 					log.Type = "MatchedPolicy"
 					log.Action = secPolicy.Action
+
+					if log.Operation == "File" {
+						if secPolicy.ReadOnly && log.Data != "" && (strings.Contains(log.Data, "O_RDWR") || strings.Contains(log.Data, "O_WRONLY")) {
+							log.Action = "Block"
+						}
+					}
 				}
 			}
 		}
@@ -918,6 +930,11 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 		// return tp.Log{}
 		// }
 
+		if log.PolicyEnabled == tp.KubeArmorPolicyAudited && log.Action == "Block" {
+			log.Action = "Audit (Block)"
+			return log
+		}
+
 		return log
 	} else { // host
diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
index 7ece79f871..faa742c327 100644
--- a/KubeArmor/types/types.go
+++ b/KubeArmor/types/types.go
@@ -200,8 +200,9 @@ type MatchPolicy struct {
 	Resource     string
 	ResourceType string
 
-	Regexp *regexp.Regexp
-	Native bool
+	Regexp   *regexp.Regexp
+	Native   bool
+	ReadOnly bool
 
 	Action string
 }
diff --git a/tests/scenarios/multiubuntu_test_9/cmd2 b/tests/scenarios/multiubuntu_test_9/cmd2
index f9635ee2f6..12b68ccceb 100644
--- a/tests/scenarios/multiubuntu_test_9/cmd2
+++ b/tests/scenarios/multiubuntu_test_9/cmd2
@@ -4,4 +4,4 @@ result: failed
 ---
 operation: File
 condition: password
-action: Allow
+action: Block
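Review bot: The ReadOnly check in the new `if log.Operation == "File"` block recognises only O_RDWR and O_WRONLY, yet an open carrying O_TRUNC also needs write permission in the kernel, so a truncating open against a read-only rule would still be reported with the policy's own action from the `log.Action = secPolicy.Action` line above. If log.Data carries the open flags as symbolic names, as the two existing checks assume, `strings.Contains(log.Data, "O_TRUNC")` belongs in the same disjunction; this is worth confirming against how the file event's Data is built, which is not visible here. The `log.Data != ""` guard is redundant because strings.Contains on an empty string is already false, and the two nested ifs can be one condition: `if log.Operation == "File" && secPolicy.ReadOnly && (strings.Contains(log.Data, "O_WRONLY") || strings.Contains(log.Data, "O_RDWR")) {`. UpdateMatchedPolicy begins before and ends after this hunk.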
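Review bot: The `return log` inside the new `if log.PolicyEnabled == tp.KubeArmorPolicyAudited && log.Action == "Block"` block is redundant, because the statement directly after the block is the same `return log`; the block can shrink to the single assignment `log.Action = "Audit (Block)"`. This rewrite applies to every log on this path whose action is a bare "Block", not only the ReadOnly-derived one from the @@ -791 hunk; that looks intended, since newMatchPolicy already stores "Audit (Block)" for audited policies, but a one-line comment saying so (`// only the ReadOnly override earlier in this function yields a bare Block for an audited policy`) would make the dependency explicit. UpdateMatchedPolicy begins before this hunk and continues into the `} else { // host` branch after it.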
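Review bot: The new exported field ReadOnly in MatchPolicy has no comment saying what a true value means for a match, and unlike Regexp or Native its name does not tell whether it describes the policy rule or the observed access; propose `// ReadOnly mirrors the file rule's readOnly flag; a write-mode open of a matched path is reported as Block`. In this commit the field is set only for the Path, Directory and Pattern file rules in newMatchPolicy, so it appears to stay false for other match types — worth stating in the comment if that holds.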