
Update the exe_running_docker_save macro to support docker in docker #951

Merged
merged 1 commit into from
Dec 4, 2019

Conversation

JPLachance
Contributor

@JPLachance JPLachance commented Dec 3, 2019

What type of PR is this?
/kind bug
/kind rule-update

Any specific area of the project related to this PR?
/area rules

What this PR does / why we need it:
In an environment where Docker in Docker is overly used, we see multiple events where proc.cmdline contains exe / /var/lib/docker (notice the / between exe and /var/lib/docker).

A common use-case for Docker in Docker in a Kubernetes cluster is a Jenkins agent running as a Kubernetes pod using the docker.io/library/docker:stable-dind Docker image. Such an agent is used in a Jenkins job to build container images.

We already have the exe_running_docker_save macro:

- macro: exe_running_docker_save
  condition: (proc.cmdline startswith "exe /var/lib/docker" and proc.pname in (dockerd, docker))

but we did not have any macro for exe / /var/lib/docker.

After discussing with multiple Falco maintainers in Slack, we think the best option is to modify the exe_running_docker_save macro to support Docker in Docker.

Which issue(s) this PR fixes:
I did not file an issue, here is a PR instead!

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of Docker in Docker
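The following is an added illustration, not code from this PR or from the Falco project: a small Python simulation of the exe_running_docker_save macro over constructed process events. It evaluates the original condition quoted above next to an assumed updated condition that also accepts the "exe / /var/lib/docker" cmdline form seen under Docker in Docker (the exact text of the merged change is not shown on this page, so that second condition is the author's reading of the PR description). The ProcEvent type, the sample events, and the hypothetical rule that excludes the macro with "and not exe_running_docker_save" are all constructed here for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Added example, not Falco's own code. A constructed stand-in for the two
# Falco fields the macro reads: proc.cmdline and proc.pname.
@dataclass(frozen=True)
class ProcEvent:
    cmdline: str  # proc.cmdline
    pname: str    # proc.pname (name of the parent process)

# Parent process names accepted by the macro as quoted in the PR.
DOCKER_PARENTS = ("dockerd", "docker")


def exe_running_docker_save_original(ev: ProcEvent) -> bool:
    """The macro condition exactly as quoted in the PR description."""
    return ev.cmdline.startswith("exe /var/lib/docker") and ev.pname in DOCKER_PARENTS


def exe_running_docker_save_dind(ev: ProcEvent) -> bool:
    """Assumed updated condition (author's reading of the PR, not the merged
    commit): additionally accept the 'exe / /var/lib/docker' form that the
    PR reports under Docker in Docker."""
    return (
        (ev.cmdline.startswith("exe /var/lib/docker")
         or ev.cmdline.startswith("exe / /var/lib/docker"))
        and ev.pname in DOCKER_PARENTS
    )


def hypothetical_rule_fires(ev: ProcEvent, macro: Callable[[ProcEvent], bool]) -> bool:
    """Hypothetical rule shape: a rule whose condition ends with
    'and not exe_running_docker_save'. It fires whenever the exclusion does
    NOT apply, so an event the macro fails to match becomes an alert."""
    return not macro(ev)


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS: Dict[str, ProcEvent] = {
    # plain dockerd on a host: matched by the original macro
    "host_docker": ProcEvent("exe /var/lib/docker/overlay2/abc/merged", "dockerd"),
    # Docker in Docker: note the extra '/' between 'exe' and '/var/lib/docker'
    "dind_docker": ProcEvent("exe / /var/lib/docker/overlay2/def/merged", "dockerd"),
    # same cmdline but not spawned by docker: must never be excluded
    "unrelated_parent": ProcEvent("exe / /var/lib/docker/overlay2/def/merged", "bash"),
    # an ordinary process that should never match the macro
    "ordinary": ProcEvent("/bin/sh -c id", "containerd-shim"),
}


def evaluate(macro: Callable[[ProcEvent], bool]) -> Dict[str, bool]:
    """Return, per sample event, whether the hypothetical rule would fire
    when its exclusion uses the given macro."""
    return {name: hypothetical_rule_fires(ev, macro) for name, ev in SAMPLE_EVENTS.items()}


def false_positives_fixed() -> bool:
    """True when the updated macro silences the DinD event that the original
    macro let through, without changing the verdict on the other events."""
    before = evaluate(exe_running_docker_save_original)
    after = evaluate(exe_running_docker_save_dind)
    return (
        before["dind_docker"] and not after["dind_docker"]
        and all(before[k] == after[k] for k in SAMPLE_EVENTS if k != "dind_docker")
    )


if __name__ == "__main__":
    for label, macro in (("original", exe_running_docker_save_original),
                         ("dind", exe_running_docker_save_dind)):
        print(label, evaluate(macro))
    print("DinD false positive fixed:", false_positives_fixed())
```

The point the simulation makes is the one the PR description makes: with the original condition, the "exe / /var/lib/docker" cmdline is not recognised as docker's own helper, so any rule that relies on the macro as an exclusion fires on it. The "unrelated_parent" event shows why the proc.pname check stays in place in both versions: a matching cmdline under a non-docker parent is still alerted on.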

@Kaizhe
Contributor

Kaizhe commented Dec 3, 2019

/lgtm

@poiana
Contributor

poiana commented Dec 3, 2019

LGTM label has been added.

Git tree hash: 5724b3d29c290b8b053192e0afaf9419b8af6a71

@poiana poiana added the approved label Dec 3, 2019
@leodido leodido self-requested a review December 3, 2019 21:32
@Kaizhe
Contributor

Kaizhe commented Dec 4, 2019

/lgtm

@poiana
Contributor

poiana commented Dec 4, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kaizhe, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@leodido leodido merged commit 146343e into falcosecurity:dev Dec 4, 2019
@leodido
Member

leodido commented Dec 4, 2019

/milestone 0.19.0

@poiana poiana added this to the 0.19.0 milestone Dec 4, 2019
@JPLachance JPLachance deleted the fix-exe-docker-save-in-docker branch February 4, 2020 21:28