From 01c9d8ba313d5bcd202ed1e9ddc0ba964c689e33 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Thu, 30 Jan 2020 17:08:00 -0800
Subject: [PATCH] Let runc write to /exec.fifo

Sample Falco alert:

```
File below / or /root opened for writing (user= command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo program=runc:[1:CHILD] CID1 image=)
```

This github issue provides some context:

https://github.com/opencontainers/runc/pull/1698

Signed-off-by: Mark Stemm
---
 rules/falco_rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 97d8edea9b1..6dcf7513219 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1353,6 +1353,9 @@
 - macro: user_known_write_below_root_activities
   condition: (never_true)
 
+- macro: runc_writing_exec_fifo
+  condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)
+
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
   condition: >
@@ -1372,6 +1375,7 @@
     and not galley_writing_state
     and not calico_writing_state
     and not rancher_writing_root
+    and not runc_writing_exec_fifo
     and not known_root_conditions
     and not user_known_write_root_conditions
     and not user_known_write_below_root_activities
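Review bot: The `runc_writing_exec_fifo` macro added in the first hunk keys its exception entirely on `proc.cmdline`, a value every process sets for itself through its own argv, so the exemption is wider than the runc init step it is meant to cover and weakens Write below root for `/exec.fifo` more than necessary. The sample alert in the description shows `parent=docker-runc-cur`, which suggests tightening the condition with an attribute the child does not control, e.g. `condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo and proc.pname=docker-runc-cur)` (parent names vary across runtimes, so confirm the set against real alerts before pinning it). The macro also deserves a comment in the rules file carrying the rationale from the commit message, e.g. `# runc's "runc:[1:CHILD] init" process writes to /exec.fifo; see https://github.com/opencontainers/runc/pull/1698`. The second hunk only wires the macro into the rule's exception list and needs no change beyond that.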