From 180efa23e0cc4ec341616181e8a6827b3dc7eefd Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 4 Nov 2022 09:57:41 -0400
Subject: [PATCH] Add karabiner_session_monitor exception
---
 detection/privesc/unexpected-setxid-process.sql | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
index 33ab427..6281f4e 100644
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
@@ -25,21 +25,22 @@ FROM
 WHERE
 f.mode NOT LIKE '0%'
 AND f.path NOT IN (
+ '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
 '/bin/ps',
+ '/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
 '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
 '/opt/1Password/1Password-BrowserSupport',
 '/opt/1Password/1Password-KeyringHelper',
 '/usr/bin/doas',
- '/usr/lib/xf86-video-intel-backlight-helper',
- '/usr/bin/mount',
 '/usr/bin/fusermount',
 '/usr/bin/fusermount3',
- '/usr/sbin/traceroute',
 '/usr/bin/login',
+ '/usr/bin/mount',
 '/usr/bin/ssh-agent',
 '/usr/bin/su',
- '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
 '/usr/bin/sudo',
 '/usr/bin/top',
- '/usr/lib/Xorg.wrap'
+ '/usr/lib/xf86-video-intel-backlight-helper',
+ '/usr/lib/Xorg.wrap',
+ '/usr/sbin/traceroute'
 );
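Review bot: The new `karabiner_session_monitor` entry in the `f.path NOT IN (...)` list exempts a process by path string alone, so the rule stays silent for whatever executable sits at that location, whether or not it is the vendor's binary. The SELECT and FROM clauses sit above this hunk, so I cannot tell which tables are joined. If a signer or hash is available there (osquery's macOS `signature` table exposes `authority` and `team_identifier`), tying the exception to it would narrow the blind spot. At minimum, record the scope next to the entry, e.g. `-- macOS, Karabiner-Elements: path-only exception, signer not verified`. The same limit applies to the other entries under `/Applications` and `/Library`, which this commit only re-sorts.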