From dc44655ec2bac2ee85020982e35aa832f9ae5ed1 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 9 Aug 2017 10:12:03 -0700
Subject: [PATCH] Change how we detect entrypoints.

Move entrypoint detection to its own macro. Also consider something the entrypoint if its parent is runc:[0:PARENT]. There's a race where runc:[0:PARENT] exits in parallel with the root program being execd, so the parent might not exist or might have this name.

---
 rules/falco_rules.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3f2b46a7..9033a007 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -578,6 +578,17 @@
 - macro: sensitive_mount
   condition: (container.mount.dest[/proc*] != "N/A")
 
+# The steps libcontainer performs to set up the root program for a container are:
+# - clone + exec self to a program runc:[0:PARENT]
+# - clone a program runc:[1:CHILD] which sets up all the namespaces
+# - clone a second program runc:[2:INIT] + exec to the root program.
+# The parent of runc:[2:INIT] is runc:0:PARENT]
+# As soon as 1:CHILD is created, 0:PARENT exits, so there's a race
+# where at the time 2:INIT execs the root program, 0:PARENT might have
+# already exited, or might still be around. So we handle both.
+- macro: container_entrypoint
+  condition: (not proc.pname exists or proc.pname=runc:[0:PARENT])
+
 - rule: Launch Sensitive Mount Container
   desc: >
     Detect the initial process started by a container that has a mount from a sensitive host directory
@@ -653,7 +664,7 @@
   condition: >
     spawned_process and container and shell_procs
-    and proc.pname exists
+    and not container_entrypoint
     and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, user_known_container_shell_spawn_binaries,
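Review bot: In the @@ -578 hunk, `container_entrypoint` decides that a process is the container's entrypoint from `proc.pname` alone, and a parent's name is a process-supplied string rather than a verified identity, so the exemption that `not container_entrypoint` now grants in the shell rule (the @@ -653 hunk) is only as strong as that name; the new macro also keeps the pre-existing `not proc.pname exists` case, which exempts any spawn whose parent is already gone, not only the runc race the comment describes. Both are reasonable trade-offs for the race, but the macro should state them so later rule authors do not treat it as authoritative, e.g. `# NOTE: matches on the parent's name only; anchor on a stronger signal (such as the in-container pid of the process, if the field is available) where the rule can afford it`. Separately, the comment line `# The parent of runc:[2:INIT] is runc:0:PARENT]` is missing its opening bracket and should read `runc:[0:PARENT]`.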