From 2467766f071392d7bb8deb5558f92bd80cfcc9af Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 8 Nov 2017 13:41:43 -0800
Subject: [PATCH] Add addl shell spawn conditions flock can spawn shells, new allowed shell cmdline.
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4c34a4f8..27e5aa10 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1058,6 +1058,7 @@
 '"sh -c getconf CLK_TCK"',
 '"sh -c getconf PAGESIZE"',
 '"sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null"',
+ '"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"',
 '"sh -c /sbin/ldconfig -p 2>/dev/null"',
 '"sh -c stty -a 2>/dev/null"',
 '"sh -c node index.js"',
@@ -1133,7 +1134,7 @@
 runsv, supervisord, varnishd, crond, logrotate, timeout, tini, xrdb, xfce4-session, weave, logdna-agent, bundle, configure, luajit, nginx, beam.smp, paster, postfix-local, hawkular-metric, fluentd, x2gormforward,
- '"[celeryd:"')
+ '"[celeryd:"', flock)
 and not trusted_containers
 and not shell_spawning_containers
 and not parent_java_running_echo
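Review bot: The added entry `'"sh -c LANG=C /sbin/ldconfig -p 2>/dev/null"'` is the third exact-string variant of the same ldconfig probe, and neither the list nor the commit message records which program emits it. Exact matching keeps the exception narrow, but without provenance nobody can later tell whether an entry is still needed or safe to prune. I would add a YAML comment above the three ldconfig entries, for example `# ldconfig -p probe; variants differ only in locale env vars; observed from <program, to be filled in>`. The list this hunk extends starts and ends outside the hunk.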
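Review bot: Adding `flock` to this parent-name list exempts every shell started under a process named flock, and flock is a generic wrapper that runs whatever command it is handed, so the exception is far wider than the job-locking case it is presumably meant for. The list appears to be matched against the parent process name only (the head of the condition is outside the hunk, so this is inferred), which leaves the rule silent for any shell launched through flock no matter what started flock. Consider a narrower exception instead, such as a macro requiring `proc.pname=flock and proc.aname[2]=crond`, or allow-listing the specific `proc.pcmdline` values seen in practice. If the broad entry stays, a comment like `# flock: wraps scheduled jobs; shells spawned under flock are NOT alerted` would make the detection trade-off visible to the next reviewer.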