From d57213876e46d9b12ecb8884ac5abf8236e3e11d Mon Sep 17 00:00:00 2001
From: daemon1024
Date: Mon, 26 Aug 2024 21:18:25 +0530
Subject: [PATCH] fix(policymatcher): skip future matching in case block/audit matches
Signed-off-by: daemon1024
---
 KubeArmor/feeder/policyMatcher.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index a04a3fde7e..f77cff3b56 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -1054,6 +1054,11 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 continue
 }
+ // when one of the below rule is already matched for the log event, we will skip for further matches
+ if skip {
+ break // break, so that once source is matched for a log it doesn't look for other cases
+ }
+
 // match sources
 if (!secPolicy.IsFromSource) || (secPolicy.IsFromSource && (secPolicy.Source == log.ParentProcessName || secPolicy.Source == log.ProcessName)) {
 matchedRegex := false
@@ -1159,6 +1164,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 log.Enforcer = "eBPF Monitor"
 log.Action = secPolicy.Action
+ skip = true
 continue
 }
@@ -1190,6 +1196,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 log.Action = secPolicy.Action
+ skip = true
 continue
 }
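Review bot: Breaking out of the policy loop on the first block/audit match (the `if skip { break }` added at -1054) makes the reported `log.Action` depend on policy iteration order: if an audit rule matches before a block rule for the same event, the later block is never recorded and the emitted alert under-reports what the enforcer actually did, because both sites that set `skip = true` (the -1159 and -1190 hunks) do so regardless of which action matched. Unless the policies reaching this loop are already ordered so that blocking rules precede auditing ones, consider setting `skip = true` only for the blocking action, or tracking the strongest matched action and breaking only once a block has been recorded. The `skip` variable is not declared in any hunk, so it is presumably declared earlier in UpdateMatchedPolicy; confirm it starts false for every call so a match on one log event cannot suppress matching on the next. The added comment says "once source is matched" although the flag is set on action matches, and "one of the below rule" is ungrammatical; suggest `// once a block/audit rule has matched this event, stop evaluating further policies for it`. UpdateMatchedPolicy begins and ends outside these hunks.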