Describe the bug
There is a bug in rule loading where a second rule definition with a different source and append: true is mistakenly being combined with the original rule instead of reporting an error.
How to reproduce it
Put this content in a file invalid_append.yaml and try to validate it with falco using falco -V ./invalid_append.yaml. You need to enable the k8saudit plugin.
- rule: my rule
  desc: Some desc
  condition: evt.name[xxx]=true
  output: some output
  priority: INFO
  source: k8s_audit
- rule: my rule
  desc: Some desc
  condition: and proc.name=apache
  output: Some output
  priority: INFO
  source: syscall
  append: true
You get this validation error. Note that the second rule condition is appended to the first rule when it should not:
./invalid_append.yaml: Invalid
1 Errors:
In rules content: (./invalid_append.yaml:0:0)
rule 'my rule': (./invalid_append.yaml:0:2)
rule condition: (./invalid_append.yaml:2:13)
condition expression: ("evt.name[xxx]=t...":3:14)
------
evt.name[xxx]=true and proc.name=apache
^
------
LOAD_ERR_COMPILE_CONDITION (Error compiling condition): filter_check called with nonexistent field evt.name[xxx]
Expected behaviour
Instead, the rule loader should return the same error that you get when defining a rule again with a different source "Rule has been re-defined with a different source".
Screenshots
Environment
Falco version:
0.39.0
System info:
{
"machine": "x86_64",
"nodename": "mstemm-ubuntu-2004",
"release": "5.15.0-113-generic",
"sysname": "Linux",
"version": "#123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024"
}
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Linux mstemm-ubuntu-2004 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
DEB
Additional context
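A pre-load lint for the case reported above, as an added example that is not part of the original issue and is not Falco's loader code: it flags any rule entry, including an `append: true` entry, whose source differs from the rule's first definition. The function names, the finding labels and the `syscall` default for an omitted `source` are assumptions of this example, and `REPORTED_ENTRIES` is the YAML from the report written out as parsed data.

```python
import sys

DEFAULT_SOURCE = "syscall"  # assumption: source applied when a rule omits `source`

# The two entries from the report above, as a YAML parser would return them.
REPORTED_ENTRIES = [
    {"rule": "my rule", "desc": "Some desc", "condition": "evt.name[xxx]=true",
     "output": "some output", "priority": "INFO", "source": "k8s_audit"},
    {"rule": "my rule", "desc": "Some desc", "condition": "and proc.name=apache",
     "output": "Some output", "priority": "INFO", "source": "syscall", "append": True},
]

def find_source_conflicts(entries):
    """Return (index, rule, kind, first_source, new_source) for each rule entry
    whose source disagrees with the first definition of that rule.
    `entries` is the parsed top-level list of rules content, in load order."""
    first_source = {}
    findings = []
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict) or "rule" not in entry:
            continue  # macros, lists and other top-level items
        name = entry["rule"]
        is_append = entry.get("append") is True
        if name not in first_source:
            if not is_append:
                first_source[name] = entry.get("source", DEFAULT_SOURCE)
            continue  # append with no earlier definition: nothing to compare
        # Assumption: an append entry without `source` inherits the rule's source,
        # so only an explicit `source` on an append entry is compared.
        if is_append and "source" not in entry:
            continue
        new_source = entry.get("source", DEFAULT_SOURCE)
        if new_source != first_source[name]:
            kind = "append-source-mismatch" if is_append else "redefined-source-mismatch"
            findings.append((index, name, kind, first_source[name], new_source))
    return findings

def load_entries(path):
    """Parse a rules file with PyYAML (imported here so the check has no hard dependency)."""
    import yaml
    with open(path, encoding="utf-8") as handle:
        return yaml.safe_load(handle) or []

if __name__ == "__main__":
    # Files are checked together, in the order given on the command line.
    entries = [e for path in sys.argv[1:] for e in load_entries(path)] or REPORTED_ENTRIES
    conflicts = find_source_conflicts(entries)
    for index, name, kind, old, new in conflicts:
        print(f"entry {index}: rule '{name}': {kind} ({old} -> {new})")
    sys.exit(1 if conflicts else 0)
```

Run with one or more rules files as arguments; with no arguments it checks the entries from the report and exits non-zero.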