pkg/ebpf/tracee: fix capabilities for procfs reads #2406

rafaeldtinoco · 2022-11-29T16:00:14Z

Last merge had wrong permissions and there are still errors reading procfs when dropping capabilities. This commit fixes the issue.

yanivagman

LGTM

geyslan

Tested with:

sudo TRACEE_LOGGER_LVL=debug ./dist/tracee-ebpf --install-path /tmp/tracee --cache cache-type=mem --cache mem-cache-size=512 --output none --output option:parse-arguments --output option:detect-syscall --containers --trace event=openat --capabilities bypass=false &> output

❯ grep ' cap' ./output 
{"level":"debug","ts":1669738552.548426,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_ptrace"}
{"level":"debug","ts":1669738552.5484693,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_dac_read_search"}
{"level":"debug","ts":1669738552.744597,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_bpf"}
{"level":"debug","ts":1669738552.7446027,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_ipc_lock"}
{"level":"debug","ts":1669738552.7446058,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_resource"}
{"level":"debug","ts":1669738552.7446105,"msg":"e
8000
nabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_perfmon"}
{"level":"debug","ts":1669738553.1344943,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_ptrace"}
{"level":"debug","ts":1669738553.1345005,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_dac_read_search"}
{"level":"debug","ts":1669738555.8535562,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_perfmon"}
{"level":"debug","ts":1669738555.8535662,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_bpf"}
{"level":"debug","ts":1669738555.8535728,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_ipc_lock"}
{"level":"debug","ts":1669738555.8535783,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_resource"}

yanivagman · 2022-11-29T16:34:43Z

Tested with:

sudo TRACEE_LOGGER_LVL=debug ./dist/tracee-ebpf --install-path /tmp/tracee --cache cache-type=mem --cache mem-cache-size=512 --output none --output option:parse-arguments --output option:detect-syscall --containers --trace event=openat --capabilities bypass=false &> output

❯ grep ' cap' ./output 
{"level":"debug","ts":1669738552.548426,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_ptrace"}
{"level":"debug","ts":1669738552.5484693,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_dac_read_search"}
{"level":"debug","ts":1669738552.744597,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_bpf"}
{"level":"debug","ts":1669738552.7446027,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_ipc_lock"}
{"level":"debug","ts":1669738552.7446058,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_resource"}
{"level":"debug","ts":1669738552.7446105,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_perfmon"}
{"level":"debug","ts":1669738553.1344943,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_ptrace"}
{"level":"debug","ts":1669738553.1345005,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_dac_read_search"}
{"level":"debug","ts":1669738555.8535562,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_perfmon"}
{"level":"debug","ts":1669738555.8535662,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_bpf"}
{"level":"debug","ts":1669738555.8535728,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_ipc_lock"}
{"level":"debug","ts":1669738555.8535783,"msg":"enabling cap","pkg":"capabilities","file":"capabilities.go","line":310,"cap":"cap_sys_resource"}

Nice! I like this new logger

pkg/ebpf/tracee: fix capabilities for procfs reads

b66d991

Last merge had wrong permissions and there are still errors reading procfs when dropping capabilities. This commit fixes the issue.

yanivagman approved these changes Nov 29, 2022

View reviewed changes

geyslan approved these changes Nov 29, 2022

View reviewed changes

rafaeldtinoco merged commit 711e9e9 into aquasecurity:main Nov 29, 2022

rafaeldtinoco deleted the fix-caps branch November 29, 2022 16:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

pkg/ebpf/tracee: fix capabilities for procfs reads #2406

pkg/ebpf/tracee: fix capabilities for procfs reads #2406

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

pkg/ebpf/tracee: fix capabilities for procfs reads #2406

pkg/ebpf/tracee: fix capabilities for procfs reads #2406

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!