Add runc to the list of possible container entrypoint parents
Docker versions >= 18.09 removed the "docker-" prefix, so include runc
in the list.

Signed-off-by: Mattia Pagnozzi <mattia.pagnozzi@gmail.com>
mattpag authored and fntlnz committed Jul 9, 2019
1 parent fdbd520 commit a32870a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco_rules.yaml
Expand Up @@ -1832,7 +1832,7 @@
# when we lose events and lose track of state.

- macro: container_entrypoint
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc, exe))
condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], runc, docker-runc, exe))

- rule: Launch Sensitive Mount Container
desc: >
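
Review bot: the changed `condition:` line adds bare `runc` to the `proc.pname in (...)` list, but nothing in the rules file says which runtime versions each name covers; the reason (Docker >= 18.09 dropping the "docker-" prefix) is recorded only in the commit message. Suggest a short comment above `- macro: container_entrypoint` stating that `docker-runc` is kept for Docker releases before 18.09 and `runc` covers 18.09 and later, so a later cleanup can tell which entry is legacy. Since this is the second time the parent-name list has needed a new entry for a runtime naming change, consider moving the names into a separate `- list:` item referenced from the macro, so the next addition is a one-word change that does not touch the condition itself.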