new(rules): add umount macro #45
Conversation
Signed-off-by: incertum <[email protected]>
rules/falco_rules.yaml
Outdated
| @@ -74,6 +74,11 @@ | |||
| - macro: modify | |||
| condition: (rename or remove) | |||
|
|
|||
| # %evt.arg.flags available for evt.dir=>, but only for umount2 | |||
| # %evt.arg.name is path and available for evt.dir=< | |||
| - macro: umount | |||
There was a problem hiding this comment.
is this for an upcoming rule or for addressing falcosecurity/falco#2443 (comment)? in that case, do we want macros also for the other involved event types (e.g pipe,pipe2) already put in place?
|
My only concern of adding macros that are not used in rules is that Falco will return the "XXX macro is not used" warning when processing the ruleset for validation. |
|
Agree with Jason here, we could comment it and leave it as a hint for users, WDYT? |
keep in rules as hint for end users Co-authored-by: Jason Dellaluce <[email protected]> Co-authored-by: Andrea Terzolo <[email protected]> Signed-off-by: incertum <[email protected]>
|
LGTM label has been added. Git tree hash: 3a51bc6d2713a4f4e3c9b15672497070d5fe086f
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incertum, jasondellaluce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
add new
umountmacroWhich issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: