From c8c0a97f64ddc5f54aa90c8577dd50bbb5f75c5d Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 5 Jul 2017 14:12:54 -0700
Subject: [PATCH] Let Xvfb setuid. X11 program.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index d962c539..56e7974f 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -638,7 +638,7 @@
 evt.type=setuid and evt.dir=> and not user.name=root and not somebody_becoming_themself and not proc.name in (userexec_binaries, mail_binaries, docker_binaries,
- sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
+ sshd, dbus-daemon-lau, ping, ping6, critical-stack-, Xvfb)
 and not java_running_sdjagent
 output: >
 Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname
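Review bot: The new `Xvfb` entry on the `sshd, dbus-daemon-lau, ...` line is matched on `proc.name` alone, so every process that reports that name is now exempt from this setuid rule, whatever binary it is and whoever started it. The rule does not record why Xvfb needs the exemption, and the commit message says only "X11 program." The condition is a folded scalar and cannot carry a `#` comment, so the rationale belongs above the rule, which starts outside this hunk, for example `# Xvfb (X11 server) is allowed to call setuid: <reason, deployment where it was seen>`. If the expected launcher is known, the exemption could presumably be narrowed by also checking `proc.pname` instead of allowing the name unconditionally.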