mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-13 05:22:34 +00:00
Also let runc:[1:CHILD] count as an entrypoint.
Handles cases where we lose system events and have incomplete state.
@@ -643,8 +643,11 @@
|
||||
# As soon as 1:CHILD is created, 0:PARENT exits, so there's a race
|
||||
# where at the time 2:INIT execs the root program, 0:PARENT might have
|
||||
# already exited, or might still be around. So we handle both.
|
||||
# We also let runc:[1:CHILD] count as the parent process, which can occur
|
||||
# when we lose events and lose track of state.
|
||||
|
||||
- macro: container_entrypoint
|
||||
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], docker-runc))
|
||||
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc))
|
||||
|
||||
- rule: Launch Sensitive Mount Container
|
||||
desc: >
|
||||
|
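Review bot: the new `runc:[1:CHILD]` entry in the `container_entrypoint` condition is explained only as something that "can occur when we lose events and lose track of state", which does not tell a later reader why the parent name would read as `runc:[1:CHILD]` rather than be absent and fall under `not proc.pname exists`. Please extend the comment with the sequence that produces this parent name. Because the macro matches on `proc.pname` by name alone, every rule that uses it now accepts one more parent, so it would also help to name in the comment or commit message which rules were misfiring, and to add a regression case that reproduces the dropped-event scenario so the wider match stays tied to an observed failure.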