From 7f761ade4b1be07af3d55935258db00bddcb605d Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato <leodidonato@gmail.com>
Date: Thu, 17 Jun 2021 12:02:29 +0000
Subject: [PATCH] update(rules): introducing the macro
 consider_userfaultfd_activities to act as a gate

Co-authored-by: Kaizhe Huang <derek0405@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 5d952a2a..618ff2d9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3056,10 +3056,13 @@
   priority: WARNING
   tags: [container, cis, mitre_lateral_movement]
 
+- macro: consider_userfaultfd_activities
+  condition: (always_true)
+
 - rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
   desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
   condition: >
-    evt.type = userfaultfd and
+    consider_userfaultfd_activities and evt.type = userfaultfd and
     user.uid != 0 and
     (evt.rawres >= 0 or evt.res != -1)
   output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)