From af07ef988882628e33f7f1e6a700bd48c6612b34 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 22 Feb 2024 11:48:53 -0500
Subject: [PATCH] Ignore taint code 4096 (out-of-tree driver)
---
 detection/evasion/unusually-tainted-kernel-linux.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection/evasion/unusually-tainted-kernel-linux.sql b/detection/evasion/unusually-tainted-kernel-linux.sql
index c0a82cc..f7dae10 100644
--- a/detection/evasion/unusually-tainted-kernel-linux.sql
+++ b/detection/evasion/unusually-tainted-kernel-linux.sql
@@ -37,10 +37,11 @@ FROM
 ORDER BY km.name ASC
 )
+ -- 4096 is a signed, out of tree, open source driver
 -- 4097 is a signed, out of tree, proprietary driver
 -- 512 is a kernel warning
 WHERE
- taint NOT IN (0, 512, 4097)
+ taint NOT IN (0, 512, 4096, 4097)
 AND NOT (
 (
 -- 12289 is an unsigned, out of tree, proprietary