+ Add the user_known_change_thread_namespace_binaries list to simplif…

…y "Change thread namespace" rule tweaks (#324) sysdig-CLA-1.0-signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
falcosecurity · Feb 20, 2018 · 52e8c16 · 52e8c16
1 parent 414c9a0
commit 52e8c16
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1020,13 +1020,20 @@
 #     syscall=%evt.type args=%evt.args)
 #   priority: INFO
 
+# This list allows for easy additions to the set of commands allowed
+# to change thread namespace without having to copy and override the
+# entire change thread namespace rule.
+- list: user_known_change_thread_namespace_binaries
+  items: []
+
 - rule: Change thread namespace
   desc: >
     an attempt to change a program/thread\'s namespace (commonly done
     as a part of creating a container) by calling setns.
   condition: >
     evt.type = setns
     and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+    and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc:"
     and not proc.pname in (sysdigcloud_binaries)
     and not java_running_sdjagent