From 52e8c16903d0fcf92e1604a56891877d7dde766c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lachance
Date: Tue, 20 Feb 2018 11:53:25 -0500
Subject: [PATCH] + Add the user_known_change_thread_namespace_binaries list to simplify "Change thread namespace" rule tweaks (#324)

sysdig-CLA-1.0-signed-off-by: Jean-Philippe Lachance
---
 rules/falco_rules.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2683fe23..1b3b2f5e 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1020,6 +1020,12 @@
 # syscall=%evt.type args=%evt.args)
 # priority: INFO
 
+# This list allows for easy additions to the set of commands allowed
+# to change thread namespace without having to copy and override the
+# entire change thread namespace rule.
+- list: user_known_change_thread_namespace_binaries
+ items: []
+
 - rule: Change thread namespace
 desc: >
 an attempt to change a program/thread\'s namespace (commonly done
@@ -1027,6 +1033,7 @@
 condition: >
 evt.type = setns
 and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+ and not proc.name in (user_known_change_thread_namespace_binaries)
 and not proc.name startswith "runc:"
 and not proc.pname in (sysdigcloud_binaries)
 and not java_running_sdjagent
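Review bot: The comment introducing `user_known_change_thread_namespace_binaries` explains how the list saves an override but not what adding a name costs: the second hunk consumes it through a `proc.name in (...)` test, and proc.name is taken from the process's own name, so any process that runs under (or renames itself to) a listed name is exempted from the setns alert. I would extend the comment with `# NOTE: entries are matched on proc.name only, which a process can choose for itself; keep this list short and prefer exceptions that also constrain proc.pname or the container image.` so operators populating it understand the allowlist is bypassable by name. A one-line pointer that the list is meant to be overridden from a later rules file (rather than edited here) would also help, if that is the intended workflow. The `Change thread namespace` rule whose `desc` starts at the end of this hunk continues outside it.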
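Review bot: The added clause repeats the `proc.name in (...)` test that sits on the line directly above it; folding the new list into that existing set, `and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter, user_known_change_thread_namespace_binaries)`, keeps the condition one clause shorter with identical matching. Keeping the user list on its own line is a reasonable choice if the intent is to make the operator-editable exception visually distinct, so this is a style preference rather than a defect. The rule's remaining fields (`output`, `priority`) lie outside this hunk.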