fix(policymatcher): skip future matching in case block/audit matches
Signed-off-by: daemon1024 <[email protected]>
daemon1024 authored and Aryan-sharma11 committed Sep 2, 2024
1 parent c8471b1 commit d572138
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions KubeArmor/feeder/policyMatcher.go
@@ -1054,6 +1054,11 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
continue
}

// when one of the below rule is already matched for the log event, we will skip for further matches
if skip {
break // break, so that once source is matched for a log it doesn't look for other cases
}

// match sources
if (!secPolicy.IsFromSource) || (secPolicy.IsFromSource && (secPolicy.Source == log.ParentProcessName || secPolicy.Source == log.ProcessName)) {
matchedRegex := false
@@ -1159,6 +1164,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
log.Enforcer = "eBPF Monitor"
log.Action = secPolicy.Action

skip = true
continue
}

@@ -1190,6 +1196,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {

log.Action = secPolicy.Action

skip = true
continue
}
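Review bot: With the new `if skip { break }` guard in the first hunk, the first policy that reaches one of the two added `skip = true` lines decides `log.Action` and `log.Enforcer` for the event, so the reported verdict depends on the order in which the policies are iterated, and that order is not visible here. If an Audit policy can come before a Block policy that matches the same event, the alert would carry the Audit policy's action and the Block policy would never be evaluated, which matters to anyone triaging on `Action`. I would state the ordering assumption above the guard, for example `// assumes policies are ordered so the most restrictive match is seen first (TODO confirm)`. `skip` is declared outside the visible hunks, so it is worth confirming that no other branch sets it, since any such branch now ends the loop too. The body of UpdateMatchedPolicy starts and ends outside these hunks.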

