From 7ac49a2f99c8373a3787f5d3b803268d7fc038a5 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 28 Jun 2017 11:38:14 -0700
Subject: [PATCH] Also allow sysdig agent to setuid. It was already allowed to change namespaces.
---
 rules/falco_rules.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8c82cc60..ccb7c5e4 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -636,6 +636,7 @@
 not user.name=root and not somebody_becoming_themself
 and not proc.name in (userexec_binaries, mail_binaries, docker_binaries, sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
+ and not java_running_sdjagent
 output: >
 Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid)
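Review bot: The added `and not java_running_sdjagent` line suppresses the non-sudo setuid alert for every process the macro matches, and the macro's definition is not in this hunk, so it should be confirmed that it keys on more than a process name or command-line substring (for example the parent process or the agent's container image), since a process an attacker names `java` with a matching argv would otherwise be able to setuid unreported. The commit message scopes the exception to "the sysdig agent", but a name/argv-based macro is broader than that, and the existing exclusions on the preceding `proc.name in (...)` line already show how easily this rule is widened. I would also record the intent beside the new line, e.g. `# sysdig agent helper (sdjagent) is expected to setuid; see macro java_running_sdjagent`, so it is not later mistaken for a generic java allowance. The rule's `condition:` opening and its remaining keys are outside the hunk.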