From d869ff21977c4f5673e3360a294e16a96f349d6b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 29 Oct 2022 11:53:05 -0400
Subject: [PATCH] empty environ: add exception for bwrap

---
 detection/evasion/empty_environ_linux.sql | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/detection/evasion/empty_environ_linux.sql b/detection/evasion/empty_environ_linux.sql
index 8234718..f4cf915 100644
--- a/detection/evasion/empty_environ_linux.sql
+++ b/detection/evasion/empty_environ_linux.sql
@@ -27,7 +27,10 @@ WHERE
 -- This time should match the interval
 AND p.start_time < (strftime('%s', 'now') - 5)
 -- This pattern is common with kthreadd processes
 AND p.parent != 2
- AND p.path != '/usr/bin/gpg-agent'
+ AND p.path NOT IN (
+ '/usr/bin/gpg-agent',
+ '/usr/bin/bwrap'
+ )
 GROUP BY p.pid
 HAVING
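Review bot: The new `NOT IN` list exempts `/usr/bin/bwrap` from the empty-environ detection purely by path, with no comment saying why that binary is expected to run without an environment, so the next maintainer cannot tell whether the entry is still justified or whether it has become a blind spot that any process reporting that path would inherit. Each exempted path should carry a one-line reason, e.g. `-- bwrap: sandbox helper, presumably launches with a cleared environ (confirm before widening)` above the `/usr/bin/bwrap` entry, and the existing `gpg-agent` line would benefit from the same treatment. If the exception proves noisy to reason about, it may be worth tightening it with a second attribute visible in the same query (for instance the expected parent, as the `p.parent != 2` line already does for kthreadd) rather than path alone, which is the weakest signal a detection can key on. The enclosing `WHERE` clause starts before the hunk and the `HAVING` clause continues after it.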