From daedcf172f52d423867518a1df29bb200a248654 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 26 Jun 2017 13:12:56 -0700
Subject: [PATCH] Let hhvm spawn shells.
http://hhvm.com/, "open-source virtual machine designed for executing programs written in Hack and PHP."
---
rules/falco_rules.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 15c6479d..cbb18023 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -476,7 +476,7 @@ pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup,
- npm, cloud-init, toybox, ceph
+ npm, cloud-init, toybox, ceph, hhvm
 ] - rule: Run shell untrusted
@@ -591,7 +591,7 @@ and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron,
- erl_child_setup, ceph, PM2, pycompile, py3compile)
+ erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm)
 and not trusted_containers and not shell_spawning_containers and not proc.cmdline in (known_container_shell_spawn_cmdlines)
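Review bot: Adding `hhvm` to the list that closes just before `- rule: Run shell untrusted` (first hunk) and to the `proc.pname in (...)` exclusion (second hunk) suppresses every shell whose parent is named hhvm. Because hhvm is a PHP/Hack runtime that typically serves web requests, a shell started through a compromised application would no longer raise either alert. The exception also keys on the parent process name alone, which any binary can carry, so it is broader than "the real hhvm doing its normal work". Consider narrowing it to the invocations hhvm is expected to make, for example `and not (proc.pname = hhvm and proc.cmdline in (<expected hhvm shell command lines>))`, and record the reason next to the entry with a comment such as `# hhvm shells out for <reason>; remove if hhvm serves untrusted input`. Both the list and the rule condition start and end outside the hunks, so the remaining exclusions were not reviewed.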