github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-13 05:22:34 +00:00
Code Issues Projects Releases Wiki Activity

Also let runc:[1:CHILD] count as an entrypoint.

Browse Source 
Handles cases where we lose system events and have incomplete state.
This commit is contained in:
Mark Stemm
2017-08-25 08:16:39 -07:00
parent 606af16f27
commit 6dfdadf527
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
rules/falco_rules.yaml
View File

@@ -643,8 +643,11 @@
# As soon as 1:CHILD is created, 0:PARENT exits, so there's a race
# where at the time 2:INIT execs the root program, 0:PARENT might have
# already exited, or might still be around. So we handle both.
# We also let runc:[1:CHILD] count as the parent process, which can occur
# when we lose events and lose track of state.
- macro: container_entrypoint
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], docker-runc))
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc))
- rule: Launch Sensitive Mount Container
desc: >