diff --git a/events/syscall/launch_package_management_process_in_container.go b/events/syscall/launch_package_management_process_in_container.go
index fc6aad38..be6ea9ce 100644
--- a/events/syscall/launch_package_management_process_in_container.go
+++ b/events/syscall/launch_package_management_process_in_container.go
@@ -15,6 +15,9 @@ limitations under the License.
 package syscall
 import (
+ "os"
+ "os/exec"
+
 "github.com/falcosecurity/event-generator/events"
 )
@@ -26,7 +29,21 @@ var _ = events.Register(
 func LaunchPackageManagementProcessInContainer(h events.Helper) error {
 // Make sure it runs in container and user.name != _apt
 if h.InContainer() {
- return runAsUser(h, "root", "apt-get")
+ if os.Getenv("USER") == "_apt" {
+ // Create a new user
+ username := "user-created-by-event-generator"
+ err := exec.Command("adduser", username).Run()
+ if err != nil {
+ return err
+ }
+ err = exec.Command("su", username).Run()
+ if err != nil {
+ return err
+ }
+ }
+ // Now launch package management process
+ cmd := exec.Command("apt-get")
+ return cmd.Run()
 }
 return nil
 }
diff --git a/script.sh b/script.sh
new file mode 100755
index 00000000..6857901e
--- /dev/null
+++ b/script.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ echo "Hello, world!"
\ No newline at end of file
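Review bot: The added `su` call does not change who runs `apt-get`: `exec.Command("su", username).Run()` starts a separate child that exits on its own, and the later `exec.Command("apt-get")` is spawned by this process under its original uid, so a generator running as `_apt` still launches apt-get as `_apt` and the `user.name != _apt` condition named in the comment is not met. The `os.Getenv("USER") == "_apt"` test is also a weak identity check, because the variable is often unset inside containers and can differ from the uid the sensor reports; `user.Current()` from `os/user` reads the process's real user. `adduser` needs root, may wait on stdin, returns an error on a second run once the account exists, and leaves a persistent account in the container. If the removed helper does what its name suggests, keeping it for the launch, e.g. `return runAsUser(h, username, "apt-get")`, would make the spawned process carry the intended user.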
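Review bot: `script.sh` looks unrelated to the rest of this commit: it is a new executable file at the repository root that only prints "Hello, world!", and nothing in the visible hunks invokes it, so it was probably staged by accident and should be dropped from the change. If it is meant to stay, it needs a descriptive name, a header comment such as `# Purpose: <what this script is for>`, and a trailing newline.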