diff --git a/daemon/rule/operator.go b/daemon/rule/operator.go
index 2fe7c629e8..ba694db847 100644
--- a/daemon/rule/operator.go
+++ b/daemon/rule/operator.go
@@ -41,6 +41,7 @@ const (
 OpProcessID = Operand("process.id")
 OpProcessPath = Operand("process.path")
 OpProcessParentPath = Operand("process.parent.path")
+ OpProcessParentCmd = Operand("process.parent.command")
 OpProcessCmd = Operand("process.command")
 OpProcessEnvPrefix = Operand("process.env.")
 OpProcessEnvPrefixLen = 12
@@ -336,6 +337,23 @@ func (o *Operator) Match(con *conman.Connection, hasChecksums bool) bool {
 return o.listMatch(con, hasChecksums)
 } else if o.Operand == OpProcessPath {
 return o.cb(con.Process.Path)
+ } else if o.Operand == OpProcessParentPath {
+ p := con.Process
+ for pp := p.Parent; pp != nil; pp = pp.Parent {
+ if o.cb(pp.Path) {
+ return true
+ }
+ }
+ return false
+ } else if o.Operand == OpProcessParentCmd {
+ p := con.Process
+ for pp := p.Parent; pp != nil; pp = pp.Parent {
+ pp.ReadCmdline()
+ if o.cb(strings.Join(pp.Args, " ")) {
+ return true
+ }
+ }
+ return false
 } else if o.Operand == OpProcessCmd {
 return o.cb(strings.Join(con.Process.Args, " "))
 } else if o.Operand == OpDstHost {
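Review bot: Both new branches in `Match` walk the whole ancestor chain (`for pp := p.Parent; pp != nil; pp = pp.Parent`), so a `process.parent.path` or `process.parent.command` rule matches any ancestor rather than the direct parent, and an allow rule naming a common ancestor (a shell, a session manager, init) would cover every process descended from it. If that is intended, say so at the operand constants, e.g. `// OpProcessParentPath and OpProcessParentCmd match every ancestor of the process, not only its direct parent.`; if not, test `p.Parent` only. In the `OpProcessParentCmd` branch, `pp.ReadCmdline()` runs for each ancestor on every rule evaluation and appears to refresh `pp.Args` in place; if these process objects are shared or cached, that write needs the same synchronisation as other writers, which is worth confirming. A parent's argv is also set by whoever launched that parent, so command-based parent rules are weaker evidence than path-based ones and deserve a line in the rule documentation. `Match` begins and ends outside this hunk.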