Handle readonly File violation corner case for Audit mode

This commit adds new field ReadOnly to MatchPolicy struct.

Fixes: kubearmor#213

Signed-off-by: Ayush Dwivedi <ayush.dwivedi@accuknox.com>

KubeArmor/feeder/policyMatcher.go

@@ -99,6 +99,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fpt.Path
 		match.ResourceType = "Path"
 
+		match.ReadOnly = fpt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 			match.Action = "Audit (" + fpt.Action + ")"
 		} else {
@@ -113,6 +115,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fdt.Directory
 		match.ResourceType = "Directory"
 
+		match.ReadOnly = fdt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fdt.Action, "Block") {
 			match.Action = "Audit (" + fdt.Action + ")"
 		} else {
@@ -126,6 +130,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 		match.Resource = fpt.Pattern
 		match.ResourceType = "" // to be defined based on the pattern matching syntax
 
+		match.ReadOnly = fpt.ReadOnly
+
 		if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 			match.Action = "Audit (" + fpt.Action + ")"
 		} else {
@@ -791,6 +797,12 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 
 							log.Type = "MatchedPolicy"
 							log.Action = secPolicy.Action
+
+							if log.Operation == "File" {
+								if secPolicy.ReadOnly && log.Data != "" && (strings.Contains(log.Data, "O_RDWR") || strings.Contains(log.Data, "O_WRONLY")) {
+									log.Action = "Audit (Block)"
+								}
+							}
 						}
 					}
 				}

KubeArmor/types/types.go

@@ -200,8 +200,9 @@ type MatchPolicy struct {
 	Resource     string
 	ResourceType string
 
-	Regexp *regexp.Regexp
-	Native bool
+	Regexp   *regexp.Regexp
+	Native   bool
+	ReadOnly bool
 
 	Action string
 }