rule(Update Package Repository): restrict files

Previously any write to a file called sources.list would match the
access_repositories condition, even a file /usr/tmp/..../sources.list.

Change the macro so the files in repository_files must be somewhere
below any of repository_directories.

Also allow programs spawned by package management programs to change
these files, using package_mgmt_ancestor_procs.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

rules/falco_rules.yaml

@@ -935,10 +935,12 @@
   items: [sources.list]
 
 - list: repository_directories
-  items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
+  items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]
 
 - macro: access_repositories
-  condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
+  condition: (fd.directory in (repository_directories) or
+              (fd.name pmatch (repository_directories) and
+               fd.filename in (repository_files)))
 
 - macro: modify_repositories
   condition: (evt.arg.newpath pmatch (repository_directories))
@@ -951,6 +953,7 @@
   condition: >
     ((open_write and access_repositories) or (modify and modify_repositories))
     and not package_mgmt_procs
+    and not package_mgmt_ancestor_procs
     and not exe_running_docker_save
     and not user_known_update_package_registry
   output: >