{"id":"5bfe61f1-b499-4bc3-858d-61ad29626c5e","task":"Integrate Falco with gVisor (runsc) to monitor syscall events inside gVisor sandboxes","domain":"falco.org","steps":["Install Falco 0.33.1 or later and gVisor runsc 20221122.0 or later on the host","Generate the gVisor pod init config by running Falco with the --gvisor-generate-config flag to produce the trace point configuration file that gVisor will read","Configure the container runtime (Docker or containerd) to use runsc as the runtime via runsc install","Pass the gVisor config file path to Falco at startup using the -g or --gvisor-config option","Start workloads under the runsc runtime; gVisor's Sentry connects to Falco over a Unix domain socket before the application process starts, then delivers serialized protobuf events","Verify integration by checking Falco logs for gVisor event source messages and triggering a rule inside a sandboxed container"],"gotchas":["gVisor communicates with Falco via a Unix domain socket using Protocol Buffers; the socket path in the generated config must be accessible to both gVisor and Falco","The kernel module and eBPF drivers are unused in gVisor mode; Falco must be started specifically with gVisor config, not with the default driver","Falco rule conditions reference the same field names for gVisor events as for native syscall events, but some fields may be absent if gVisor does not yet instrument a given trace point"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:40.307Z"},"url":"https://mcp.waymark.network/r/5bfe61f1-b499-4bc3-858d-61ad29626c5e"}