build: update the driver version to 2aa88dc

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
build: remove macrodefs about time (musl build)
2026-04-04 02:52:09 +00:00 · 2020-09-18 13:21:25 +02:00 · 2020-09-18 13:21:25 +02:00 · 2020-09-18 09:47:10 +02:00
3 changed files with 7 additions and 8 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,7 +57,7 @@ if(MINIMAL_BUILD)
 endif()

 if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t")
+  set(MUSL_FLAGS "-static -Os")
 endif()

 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging
-  set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538")
+  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
+  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")

--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2859,17 +2859,16 @@
  tags: [container, mitre_execution]


-# This rule is not enabled by default, as there are legitimate use
-# cases for raw packet. If you want to enable it, modify the
-# following macro.
+# This rule is enabled by default. 
+# If you want to disable it, modify the following macro.
 - macro: consider_packet_socket_communication
-  condition: (never_true)
+  condition: (always_true)

 - list: user_known_packet_socket_binaries
  items: []

 - rule: Packet socket created in container
-  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
+  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
  condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
  output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority: NOTICE
Author	SHA1	Message	Date
Leonardo Grasso	3bedcc42d8	build: update the driver version to 2aa88dc Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2020-09-18 13:21:25 +02:00
Leonardo Grasso	30f29d8905	build: remove macrodefs about time (musl build) See https://github.com/draios/sysdig/pull/1684 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2020-09-18 13:21:25 +02:00
Hiroki Suezawa	5b926386a8	rule(macro consider_packet_socket_communication): change a value to always_true Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>	2020-09-18 09:47:10 +02:00