Federico Di Pierro

Results 1254 comments of Federico Di Pierro

Oh you are right, `thread.cap_permitted` is extracting for the `tid=1`! Oops, so we are left with a single bug:
* the tid sent within the container event is not correct...

I opened https://github.com/falcosecurity/rules/pull/295 to fix this issue. Basically, we should not use the `container` metaevent (that is just an internal notification event) in rules. I tested with Falco 0.41.0 and...

Hi! Sorry for the late response :) That's weird because we tested the rule before opening the rules PR; I just checked once again: ``` docker run -ti --rm --cap-add...

Oh, I saw in the logs:
> Mon Jun 16 11:53:58 2025: [libs]: container: the plugin has no info for the container id '532a890057b2'

It seems like the container was...

Given the Falco config you shared, I assume `/run/crio/crio.sock` is the only active socket, right? The old container_engines config block had multiple sockets for `cri` engine: ``` cri: disable_async: false...

> The only remaining question would be why the fallback logic does not work. If we can somehow provide any more data, we are happy to do so. However with...

Wow man, just wow! Thank you very much for the detailed bug hunting, it's really astonishing! So, let me go point by point:
1. `podman` is doing the very same...

> delayed success: the error path usually is either instant on configuration error or slightly delayed in case of a connection timeout - but the success path takes a time...

@nenioscio I will ping you in another container plugin PR soon :) If you can give me a review it'll be really appreciated!

Here it is: https://github.com/falcosecurity/plugins/pull/908