github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-02 01:22:16 +00:00
Code Issues Projects Releases Wiki Activity

Let runc write to /exec.fifo

Browse Source 
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-01-30 17:08:00 -08:00 committed by poiana
parent 7794e468ba
commit 01c9d8ba31
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/falco_rules.yaml
View File

@ -1353,6 +1353,9 @@
- macro: user_known_write_below_root_activities - macro: user_known_write_below_root_activities
condition: (never_true) condition: (never_true)
- macro: runc_writing_exec_fifo
condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)
- rule: Write below root - rule: Write below root
desc: an attempt to write to any file directly below / or /root desc: an attempt to write to any file directly below / or /root
condition: > condition: >
@ -1372,6 +1375,7 @@
and not galley_writing_state and not galley_writing_state
and not calico_writing_state and not calico_writing_state
and not rancher_writing_root and not rancher_writing_root
and not runc_writing_exec_fifo
and not known_root_conditions and not known_root_conditions
and not user_known_write_root_conditions and not user_known_write_root_conditions
and not user_known_write_below_root_activities and not user_known_write_below_root_activities