github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-29 19:23:16 +00:00
Code Issues Projects Releases Wiki Activity

Also let docker-runc denote an entrypoint.

Browse Source
This commit is contained in:
Mark Stemm 2017-08-25 08:05:58 -07:00
parent 276ab9139f
commit a4d3d4d731
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/falco_rules.yaml
View File

@ -644,7 +644,7 @@
# where at the time 2:INIT execs the root program, 0:PARENT might have
# already exited, or might still be around. So we handle both.
- macro: container_entrypoint
condition: (not proc.pname exists or proc.pname=runc:[0:PARENT])
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], docker-runc))
- rule: Launch Sensitive Mount Container
desc: >