Use pmatch instead of fd.directory

Use pmatch, which compares a file against a set of prefix paths, instead of fd.directory. This allows the directories in safe_etc_dirs to be a prefix of a file instead of just the directory containing a file.
2025-09-15 22:38:26 +00:00 · 2017-08-22 14:24:18 -07:00
parent fbfd540ad2
commit 75a44a67f9
1 changed files with 1 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -394,7 +394,7 @@
                          gen_resolvconf., update-ca-certi, certbot, runsv,
                          qualys-cloud-ag)
    and not proc.pname in (sysdigcloud_binaries, sendmail_config_binaries)
-    and not fd.directory in (safe_etc_dirs)
+    and not fd.name pmatch (safe_etc_dirs)
    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json)
    and not ansible_running_python
    and not python_running_denyhosts