
fix(rules): fixed container_started macro adapting to new container plugin #295


Open: wants to merge 1 commit into base: main

Conversation

FedeDP
Contributor

@FedeDP FedeDP commented Jun 13, 2025

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area rules

Proposed rule maturity level

/area maturity-incubating
/area maturity-sandbox

What this PR does / why we need it:

In container_started macro, avoid using the meta, internal container event to check for spawned containers, since the new container plugin will send that event before the first process inside the container has spawned.
Instead, just rely on vpid==1 and container.id!=host.

Which issue(s) this PR fixes:

See falcosecurity/falco#3610

Fixes #

Special notes for your reviewer:
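To make the described change concrete, here is an added illustration (not the text of this PR's diff, and not the project's actual macro definitions) of a `container_started`-style macro before and after the fix. The "before" form is reconstructed from the description above: it also matched Falco's internal `container` meta event, which the new container plugin emits as soon as the container is created, before any process has been spawned inside it, so a rule keyed on that event sees no process context. The "after" form keeps only the first-process check on `proc.vpid` and `container.id`, as the PR describes.

```yaml
# Added illustration of the macro change; both macro names and the "before"
# condition are assumptions, not copied from the rules repository.

# Before (assumed): matches either the internal "container" meta event or the
# first process spawned in the container. With the container plugin the meta
# event arrives before any exec in the container, so rules built on this
# macro could fire on an event that carries no process information.
- macro: container_started_before
  condition: >
    (evt.type = container or
     (evt.type in (execve, execveat) and evt.dir = < and proc.vpid = 1))

# After: only the first process (vpid 1 in the container's pid namespace)
# executing inside a non-host container counts as a container start.
- macro: container_started_after
  condition: >
    (evt.type in (execve, execveat) and evt.dir = < and
     proc.vpid = 1 and container.id != host)
```

Because the "after" macro only ever matches an exec event, downstream rules such as the privileged-container and capability checks named in the bot report below evaluate against a real process, which is why they match fewer events than before.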

@poiana poiana added the kind/bug Something isn't working label Jun 13, 2025
@poiana poiana added dco-signoff: yes area/rules area/maturity-incubating See the Rules Maturity Framework area/maturity-sandbox See the Rules Maturity Framework labels Jun 13, 2025
@poiana

poiana commented Jun 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana requested review from darryk10 and Kaizhe June 13, 2025 09:34
@FedeDP
Contributor Author

FedeDP commented Jun 13, 2025

Tested with Falco 0.41.0.


Rules files suggestions

falco-incubating_rules.yaml

Comparing 2b2dbadb0d1f93f1f75e82160484102f24c45212 with latest tag falco-incubating-rules-5.0.0

Major changes:

  • Rule Launch Privileged Container matches less events than before
  • Rule Launch Excessively Capable Container matches less events than before
  • Macro container_started matches different events than before

falco-sandbox_rules.yaml

Comparing 2b2dbadb0d1f93f1f75e82160484102f24c45212 with latest tag falco-sandbox-rules-5.0.0

Major changes:

  • Rule Launch Sensitive Mount Container matches less events than before
  • Rule Launch Disallowed Container matches less events than before
  • Macro container_started matches different events than before

Labels
approved area/maturity-incubating See the Rules Maturity Framework area/maturity-sandbox See the Rules Maturity Framework area/rules dco-signoff: yes kind/bug Something isn't working size/S