From 9ff80995015dcc50c40517a8612e3a22d2dd578c Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Thu, 17 Jun 2021 12:10:37 +0000
Subject: [PATCH] update(userspace/engine): bump falco engine version

Co-authored-by: Kaizhe Huang
Signed-off-by: Leonardo Di Donato
---
 rules/falco_rules.yaml | 3 ++-
 userspace/engine/falco_engine_version.h | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4721cb44..98d9bc7b 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3065,7 +3065,8 @@
 - rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
   desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
   condition: >
-    consider_userfaultfd_activities and evt.type = userfaultfd and
+    consider_userfaultfd_activities and
+    evt.type = userfaultfd and
     user.uid != 0 and
     (evt.rawres >= 0 or evt.res != -1) and
     not proc.name in (user_known_userfaultfd_activities)
diff --git a/userspace/engine/falco_engine_version.h b/userspace/engine/falco_engine_version.h
index 00dd48a0..c0c765b5 100644
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -16,7 +16,7 @@ limitations under the License.
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (8)
+#define FALCO_ENGINE_VERSION (9)
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used