mirror of
https://github.com/falcosecurity/falco.git
synced 2026-01-21 14:14:05 +00:00
It turns out that the macro inbound_outbound had a logical bug where joining the beginning and end of the macro with "or" led to the macro matching all event types by accident.

Most of the time this isn't harmful, but it turns out some trace files will do operations on inet connection fds like "dup", and those get mistakenly picked up by this macro, as the fd for the event does happen to be a network connection fd.

This fixes the macro to only match those event types *and* when the fd is an inet connection fd.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>