From b993683b96a876dbc8b5a36ce9019ab7b0b95235 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 26 Oct 2017 09:35:52 -0700
Subject: [PATCH] Let java running maven spawn shells
---
 rules/falco_rules.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f7a2af84..5805f935 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -386,6 +386,10 @@
 (proc.pname=java and proc.pcmdline contains jenkins.war or proc.pcmdline contains /tmp/slave.jar)
+- macro: parent_java_running_maven
+ condition: >
+ (proc.pname=java and proc.pcmdline contains "-classpath /usr/share/maven/")
+
 - macro: parent_cpanm_running_perl
 condition: (proc.pname=perl and proc.aname[2]=cpanm)
@@ -1065,6 +1069,7 @@
 and not run_by_h2o
 and not run_by_passenger_agent
 and not parent_java_running_jenkins
+ and not parent_java_running_maven
 and not parent_beam_running_python
 and not jenkins_scripts
 and not bundle_running_ruby
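Review bot: The new `parent_java_running_maven` macro identifies Maven only by a substring of the parent's command line, so any java parent whose arguments contain `-classpath /usr/share/maven/` is exempted from the shell-spawn rule that the second hunk edits, whether or not it is really a Maven build. Command-line text is set by whoever launches the process, so this is a weak identity check and the exception should be documented as such, e.g. `# cmdline match only; matches Maven as packaged under /usr/share/maven, not proof of identity`. It can be narrowed, though not made spoof-proof, by also requiring the launcher class, `and proc.pcmdline contains "org.codehaus.plexus.classworlds.launcher.Launcher"` (confirm against the Maven versions you run), and by scoping the exception to build hosts or build containers if the deployment allows. The path is distribution-specific, so Maven installed elsewhere will still alert. The rule containing the second hunk's exclusion list starts and ends outside the hunk, so its full condition is not visible here.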