falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

[Feature] Support bitmap to access non-init namespaces threads via filterchecks #865

Closed incertum closed 1 year ago

incertum commented 1 year ago

Motivation

Support bitmap to access non-init namespaces threads via filterchecks. The concept of PID namespaces etc. extends beyond the concept of containers in libsinsp. Adding these new capabilities would enable more granular monitoring of processes that aren't running in containers, but technically also not exactly in the host PID namespace.

Feature

Quote @gnosek: prefer a bitmap of non-init namespaces the thread is in and a separate filtercheck to access them, otherwise we're one PR away from host_pidns_netns_ipc_user etc -> I think this would be the right engineering approach, thanks a bunch for your input @gnosek.

Additional context

See https://github.com/falcosecurity/libs/pull/860#issuecomment-1418694527 @gnosek CC @terylt
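A sketch of the bitmap idea quoted above, added here as an illustration; it is not code from this issue or from falcosecurity/libs. The bit layout, the function names `non_init_ns_bitmap` and `in_non_init_ns`, and the namespace inode numbers are assumptions made for the example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Hypothetical bit layout: one bit per Linux namespace type.
static const std::array<const char*, 8> NS_TYPES = {
    "cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts"};

// Namespace type -> inode, as read from the /proc/<pid>/ns/<type> symlink.
using NsIds = std::map<std::string, uint64_t>;

// Bit i is set when the thread's NS_TYPES[i] namespace differs from init's.
// A type missing on either side (e.g. no time ns) leaves its bit clear.
uint32_t non_init_ns_bitmap(const NsIds& init, const NsIds& thread) {
    uint32_t bits = 0;
    for (size_t i = 0; i < NS_TYPES.size(); ++i) {
        auto a = init.find(NS_TYPES[i]);
        auto b = thread.find(NS_TYPES[i]);
        if (a != init.end() && b != thread.end() && a->second != b->second)
            bits |= (1u << i);
    }
    return bits;
}

// One accessor taking the namespace type as its argument, instead of one
// field per combination. Returns 1 or 0, or -1 for an unknown type.
int in_non_init_ns(uint32_t bitmap, const std::string& type) {
    for (size_t i = 0; i < NS_TYPES.size(); ++i)
        if (type == NS_TYPES[i]) return (bitmap >> i) & 1u;
    return -1;
}

// Constructed sample data: init's namespaces, and a non-container process
// that unshared only its pid and mnt namespaces.
NsIds sample_init() {
    return {{"cgroup", 4026531835}, {"ipc", 4026531839}, {"mnt", 4026531840},
            {"net", 4026531992},    {"pid", 4026531836}, {"user", 4026531837},
            {"uts", 4026531838}};
}
NsIds sample_unshared() {
    NsIds n = sample_init();
    n["pid"] = 4026532501;
    n["mnt"] = 4026532500;
    return n;
}

int main() {
    uint32_t b = non_init_ns_bitmap(sample_init(), sample_unshared());
    std::printf("bitmap=0x%x pid=%d net=%d\n", b, in_non_init_ns(b, "pid"),
                in_non_init_ns(b, "net"));
}
```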

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

incertum commented 1 year ago

Marking it as not planned for the moment. We can choose to re-open this at a later point.