From 19327e0e85a2eebd1ed53a41ccf315bd17aaa975 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 2 Apr 2019 15:12:31 -0700
Subject: [PATCH] Skip incomplete container info for container start (#570)
* Skip incomplete container info for container start In the container_started macro, ensure that the container metadata is complete after either the container event (very unlikely) or after the exec of the first process into the container (very likely now that container metadata fetches are async). When using these rules with older falco versions, this macro will still work as the synchronous container metadata fetch will result in a repository that isn't "incomplete".
* Update test traces to have full container info Some test trace files used for regression tests didn't have full container info, and once we started looking for those fields, the tests stopped working. So update the traces, and event counts to match.
---
 rules/falco_rules.yaml | 5 ++++-
 test/falco_traces.yaml.in | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 33f4bb4e..63bef23b 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -338,7 +338,10 @@
 condition: container.id != host
 - macro: container_started
- condition: (evt.type = container or (evt.type=execve and evt.dir=< and proc.vpid=1))
+ condition: >
+ ((evt.type = container or
+ (evt.type=execve and evt.dir=< and proc.vpid=1)) and
+ container.image.repository != incomplete)
 - macro: interactive
 condition: >
diff --git a/test/falco_traces.yaml.in b/test/falco_traces.yaml.in
index a16d627c..ef949bf4 100644
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
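Review bot: The added `container.image.repository != incomplete` clause in the container_started macro drops the event rather than deferring it, and nothing in the hunk re-evaluates the macro once the asynchronous metadata fetch completes, so an execve of vpid 1 that arrives before the metadata is available appears to be lost for that container. The commit message describes this as the intended trade-off, but the macro itself carries no comment explaining the `incomplete` sentinel or its dependency on async fetches, and the raised counts in the second hunk suggest that rules such as "Launch Privileged Container" are gated on this macro and so inherit the gap. Suggest adding above `- macro: container_started`: `# Skip events whose async container-metadata fetch has not finished (image.repository is "incomplete"); such a start is not re-reported later, so rules built on this macro may miss it.` Stating the trade-off in place helps whoever tunes this rule later understand why some container starts go unreported.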
@@ -34,14 +34,14 @@ traces: !mux
 detect: True
 detect_level: INFO
 detect_counts:
- - "Launch Privileged Container": 1
+ - "Launch Privileged Container": 2
 container-sensitive-mount:
 trace_file: traces-positive/container-sensitive-mount.scap
 detect: True
 detect_level: INFO
 detect_counts:
- - "Launch Sensitive Mount Container": 1
+ - "Launch Sensitive Mount Container": 2
 create-files-below-dev:
 trace_file: traces-positive/create-files-below-dev.scap