Improved inbound/outbound macros (#470)

* Improved inbound/outbound macros

Improved versions of inbound/outbound macros that add coverage for
recvfrom/recvmsg, sendto/sendmsg and also ignore non-blocking syscalls
in a different way.

* Let nginx-ingress-c(ontroller) write to /etc/nginx

Process truncated due to comm limit.

Also fix some parentheses for another write_etc_common macro.

* Let calico setns also.

* Let prometheus-conf write its config

Let prometheus-conf write its config below /etc/prometheus.

* Let openshift oc write to /etc/origin/node

rules/falco_rules.yaml

@@ -268,14 +268,18 @@
 # Network
 - macro: inbound
   condition: >
-    (((evt.type in (accept,listen) and evt.dir=<)) or
+    (((evt.type in (accept,listen) and evt.dir=<) or
+      (evt.type in (recvfrom,recvmsg) and evt.dir=< and
+       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
      (fd.typechar = 4 or fd.typechar = 6) and
      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
      (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
 - macro: outbound
   condition: >
-    (((evt.type = connect and evt.dir=<)) or
+    (((evt.type = connect and evt.dir=<) or
+      (evt.type in (sendto,sendmsg) and evt.dir=< and
+       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
      (fd.typechar = 4 or fd.typechar = 6) and
      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
      (evt.rawres >= 0 or evt.res = EINPROGRESS))
@@ -634,7 +638,7 @@
   condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))
 
 - macro: nginx_writing_conf
-  condition: (proc.name=nginx and fd.name startswith /etc/nginx)
+  condition: (proc.name in (nginx,nginx-ingress-c) and fd.name startswith /etc/nginx)
 
 - macro: nginx_writing_certs
   condition: >
@@ -845,12 +849,18 @@
   condition: (proc.aname[2] in (dpkg-reconfigur, dpkg-preconfigu))
 
 - macro: ufw_writing_conf
-  condition: proc.name=ufw and fd.directory=/etc/ufw
+  condition: (proc.name=ufw and fd.directory=/etc/ufw)
 
 - macro: calico_writing_conf
   condition: >
     (proc.name = calico-node and fd.name startswith /etc/calico)
-    
+
+- macro: prometheus_conf_writing_conf
+  condition: (proc.name=prometheus-conf and fd.directory=/etc/prometheus/config_out)
+
+- macro: openshift_writing_conf
+  condition: (proc.name=oc and fd.name=/etc/origin/node/node.kubeconfig)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -954,6 +964,8 @@
     and not istio_writing_conf
     and not ufw_writing_conf
     and not calico_writing_conf
+    and not prometheus_conf_writing_conf
+    and not openshift_writing_conf
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
@@ -1164,7 +1176,7 @@
     as a part of creating a container) by calling setns.
   condition: >
     evt.type = setns
-    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, calico)
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc:"
     and not proc.pname in (sysdigcloud_binaries)