fix(rules)!: require explicit accept4 reference, overlapping syscall …

…names deprecated A major refactor of Falco now exposes each syscall Falco's libs supports to the end user :) At the same time we deprecate overlapping syscall names, see falcosecurity/falco#2443 (comment) Official support starts with Falco 0.35.0 Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Signed-off-by: incertum <melissa.kilby.oss@gmail.com>
falcosecurity · Apr 3, 2023 · 694adf5 · 694adf5
1 parent e0646a0
commit 694adf5
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -321,7 +321,7 @@
 # Network
 - macro: inbound
   condition: >
-    (((evt.type in (accept,listen) and evt.dir=<) or
+    (((evt.type in (accept,accept4,listen) and evt.dir=<) or
       (evt.type in (recvfrom,recvmsg) and evt.dir=< and
        fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
      (fd.typechar = 4 or fd.typechar = 6) and
@@ -345,7 +345,7 @@
 # for efficiency.
 - macro: inbound_outbound
   condition: >
-    ((((evt.type in (accept,listen,connect) and evt.dir=<)) and
+    ((((evt.type in (accept,accept4,listen,connect) and evt.dir=<)) and
      (fd.typechar = 4 or fd.typechar = 6)) and
      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
      (evt.rawres >= 0 or evt.res = EINPROGRESS))