falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0

[TRACKING] update `container_entrypoint` for all runtimes given new process tree behavior #133

Closed incertum closed 9 months ago

incertum commented 10 months ago

Update container_entrypoint macro for all runtimes given new process tree behavior.

Opening this for tracking to ensure we complete this for Falco 0.36.0 as we need a bit of team work on this one. @Andreagit97 @darryk10 @loresuso.

P1

Other

Andreagit97 commented 10 months ago

docker should use containerd + runc under the hood, so we should be fine (?). I've taken these captures using docker:

v [tail] tid: 107370, pid: 107370, ptid 107364, vtid: 19, vpid: 19, reaper: 0
v [sh] tid: 107364, pid: 107364, ptid: 107357, vtid: 13, vpid: 13, reaper: 0
v [containerd-shim] tid: 107196, pid: 107196, ptid: 100562, vtid: 1943, vpid: 1943, reaper: 1
v [systemd] tid: 100562, pid: 100562, ptid: 100542, vtid: 1, vpid: 1, reaper: 1,
v [containerd-shim] tid: 100542, pid: 100542, ptid: 1, vtid: 100542, vpid: 100542, reaper: 0
v [systemd] tid: 1, pid: 1, ptid: 0, vtid: 1, vpid: 1, reaper: 1

v [tail] tid: 107370, pid: 107370, ptid 107364, vtid: 19, vpid: 19, reaper: 0
v [sh] tid: 107364, pid: 107364, ptid: 107357, vtid: 13, vpid: 13, reaper: 0
v {runc} tid: 107357, pid: 107354, ptid: 107204, vtid: 2019, vpid: 2016, reaper: 0
v {containerd-shim} tid: 107204, pid: 107196, ptid: 100562, vtid: 1951, vpid: 1943, reaper: 0,
v [systemd] tid: 100562, pid: 100562, ptid: 100542, vtid: 1, vpid: 1, reaper: 1,
v [containerd-shim] tid: 100542, pid: 100542, ptid: 1, vtid: 100542, vpid: 100542, reaper: 0
v [systemd] tid: 1, pid: 1, ptid: 0, vtid: 1, vpid: 1, reaper: 1

Bonus: I was wondering if we could use other methods to detect a shell instead of using the pname, but right now I don't have too many ideas :/

incertum commented 10 months ago

Thanks for double-checking @Andreagit97. I just now had a minute to test launching a pod using crictl and the cri-o runtime, and I observed runc -> crio -> systemd, hence crio could be a parent in case runc already exited.

PR for that is up.
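To make the parent-name problem in the two captures above concrete, here is an added example (not Falco project code and not the macro's actual text) that parses those capture lines, resolves each process's parent the way the tree displays it, and applies the `container_entrypoint`-style test "no parent, or parent named like a runtime" with two candidate runtime lists. The capture lines are copied from Andreagit97's comment; `OLD_RUNTIMES` (runc only) and `NEW_RUNTIMES` (adding `containerd-shim` and `crio`, the parents named in this thread) are constructed stand-ins for the macro's `proc.pname` list, not the list itself. The example also flags the case where the recorded `ptid` no longer matches the tid of the resolved parent, which is what the first capture shows once runc has exited and `sh` hangs off the `containerd-shim` reaper.

```python
"""Apply a container_entrypoint-style parent check to the process-tree captures
from this thread with an old and an updated runtime list.

Added example, not Falco project code.  Capture text is copied from the thread;
the runtime name sets are assumptions standing in for the macro's proc.pname list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Two captures from the thread.  Each is a child-to-ancestor chain, one process per
# line: the first is docker exec after runc exited, the second with runc still alive.
CAPTURE_AFTER_RUNC_EXITED = """\
v [tail] tid: 107370, pid: 107370, ptid 107364, vtid: 19, vpid: 19, reaper: 0
v [sh] tid: 107364, pid: 107364, ptid: 107357, vtid: 13, vpid: 13, reaper: 0
v [containerd-shim] tid: 107196, pid: 107196, ptid: 100562, vtid: 1943, vpid: 1943, reaper: 1
v [systemd] tid: 100562, pid: 100562, ptid: 100542, vtid: 1, vpid: 1, reaper: 1,
v [containerd-shim] tid: 100542, pid: 100542, ptid: 1, vtid: 100542, vpid: 100542, reaper: 0
v [systemd] tid: 1, pid: 1, ptid: 0, vtid: 1, vpid: 1, reaper: 1
"""

CAPTURE_RUNC_STILL_ALIVE = """\
v [tail] tid: 107370, pid: 107370, ptid 107364, vtid: 19, vpid: 19, reaper: 0
v [sh] tid: 107364, pid: 107364, ptid: 107357, vtid: 13, vpid: 13, reaper: 0
v {runc} tid: 107357, pid: 107354, ptid: 107204, vtid: 2019, vpid: 2016, reaper: 0
v {containerd-shim} tid: 107204, pid: 107196, ptid: 100562, vtid: 1951, vpid: 1943, reaper: 0,
v [systemd] tid: 100562, pid: 100562, ptid: 100542, vtid: 1, vpid: 1, reaper: 1,
v [containerd-shim] tid: 100542, pid: 100542, ptid: 1, vtid: 100542, vpid: 100542, reaper: 0
v [systemd] tid: 1, pid: 1, ptid: 0, vtid: 1, vpid: 1, reaper: 1
"""

# Constructed runtime-parent lists (assumption, not the real macro): OLD knows only
# runc, NEW adds the parents observed in this thread.
OLD_RUNTIMES = frozenset({"runc"})
NEW_RUNTIMES = frozenset({"runc", "containerd-shim", "crio"})

# Tolerates the capture's quirks: "ptid 107364" without a colon, trailing commas,
# and the leading "v" tree marker.  [name] is a main thread, {name} a secondary one.
LINE_RE = re.compile(
    r"^\s*v?\s*(?P<open>[\[{])(?P<name>[^\]}]+)[\]}]\s+"
    r"tid:\s*(?P<tid>\d+),\s*pid:\s*(?P<pid>\d+),\s*ptid:?\s*(?P<ptid>\d+),"
    r"\s*vtid:\s*(?P<vtid>\d+),\s*vpid:\s*(?P<vpid>\d+),\s*reaper:\s*(?P<reaper>\d),?\s*$"
)


@dataclass(frozen=True)
class Proc:
    name: str
    tid: int
    pid: int
    ptid: int
    vpid: int
    reaper: bool
    main_thread: bool


def parse_chain(capture: str) -> list[Proc]:
    """Parse one capture into its child-to-ancestor chain."""
    chain: list[Proc] = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable capture line: {line!r}")
        chain.append(Proc(
            name=m["name"], tid=int(m["tid"]), pid=int(m["pid"]), ptid=int(m["ptid"]),
            vpid=int(m["vpid"]), reaper=m["reaper"] == "1", main_thread=m["open"] == "[",
        ))
    return chain


def pname(chain: list[Proc], i: int) -> str | None:
    """Name of the parent the tree actually resolves to: the next node (None at the root)."""
    return chain[i + 1].name if i + 1 < len(chain) else None


def was_reparented(chain: list[Proc], i: int) -> bool:
    """True when the recorded ptid differs from the resolved parent's tid, i.e. the
    original parent exited and the process now hangs off a reaper."""
    return i + 1 < len(chain) and chain[i].ptid != chain[i + 1].tid


def container_entrypoint(chain: list[Proc], i: int, runtimes: frozenset[str]) -> bool:
    """Parent test in the spirit of the macro: no parent, or parent named like a runtime."""
    parent = pname(chain, i)
    return parent is None or parent in runtimes


def check(capture: str, name: str, runtimes: frozenset[str]) -> dict:
    """Evaluate the first process called `name` in the capture against `runtimes`."""
    chain = parse_chain(capture)
    i = next(i for i, p in enumerate(chain) if p.name == name)
    return {
        "pname": pname(chain, i),
        "reparented": was_reparented(chain, i),
        "entrypoint": container_entrypoint(chain, i, runtimes),
    }


if __name__ == "__main__":
    for label, cap in (("runc exited", CAPTURE_AFTER_RUNC_EXITED),
                       ("runc alive", CAPTURE_RUNC_STILL_ALIVE)):
        for runtimes in (OLD_RUNTIMES, NEW_RUNTIMES):
            print(label, sorted(runtimes), check(cap, "sh", runtimes))
```

With the runc-only list, the `sh` in the first capture is not recognised as an entrypoint because its resolved parent is `containerd-shim`, while the same `sh` in the second capture is; only the list extended with the shim (and `crio`, per the cri-o observation) gives the same verdict in both captures.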

incertum commented 9 months ago

Not sure if the other container runtimes were even considered in the container_entrypoint macro before. Therefore marking this as completed.