Drop unrequired capabilities upon startup

EBWi11 · Jun 6, 2022 · bf0600a · bf0600a
1 parent 36a9acc
commit bf0600a
Show file tree

Hide file tree

Showing 5 changed files with 151 additions and 10 deletions.
diff --git a/cmd/tracee-ebpf/main.go b/cmd/tracee-ebpf/main.go
@@ -144,6 +144,13 @@ func main() {
 			}
 			cfg.Output = &output
 
+			// environment capabilities
+
+			err = ensureCapabilities(OSInfo)
+			if err != nil {
+				return err
+			}
+
 			// kernel lockdown check
 			lockdown, err := helpers.Lockdown()
 			if err == nil && lockdown == helpers.CONFIDENTIALITY {
@@ -153,15 +160,6 @@ func main() {
 				fmt.Fprintf(os.Stdout, "OSInfo: Security Lockdown is '%v'\n", lockdown)
 			}
 
-			// environment capabilities
-			selfCap, err := capabilities.Self()
-			if err != nil {
-				return err
-			}
-			if err = capabilities.CheckRequired(selfCap, []capability.Cap{capability.CAP_IPC_LOCK, capability.CAP_SYS_ADMIN}); err != nil {
-				return err
-			}
-
 			enabled, err := helpers.FtraceEnabled()
 			if err != nil {
 				return err
@@ -505,6 +503,51 @@ func checkCommandIsHelp(s []string) bool {
 	return false
 }
 
+const bpfCapabilitiesMinKernelVersion = "5.8"
+
+// ensureCapabilities makes sure the program has just the required capabilities to run
+func ensureCapabilities(OSInfo *helpers.OSInfo) error {
+	selfCap, err := capabilities.Self()
+	if err != nil {
+		return err
+	}
+
+	// Build the set of capabilities required to run
+	rCaps := []capability.Cap{
+		capability.CAP_IPC_LOCK,
+		capability.CAP_SYS_PTRACE,
+		capability.CAP_SYS_RESOURCE,
+		capability.CAP_NET_ADMIN,
+	}
+	if OSInfo.CompareOSBaseKernelRelease(bpfCapabilitiesMinKernelVersion) <= 0 {
+		bpfCaps := []capability.Cap{
+			capability.CAP_BPF,
+			capability.CAP_PERFMON,
+		}
+		if err1 := capabilities.CheckRequired(selfCap, bpfCaps); err1 != nil {
+			bpfCaps = []capability.Cap{
+				capability.CAP_SYS_ADMIN,
+			}
+			if err2 := capabilities.CheckRequired(selfCap, bpfCaps); err2 != nil {
+				return fmt.Errorf("missing capabilites required for eBPF program loading - either CAP_BPF + CAP_PERFMON or CAP_SYS_ADMIN")
+			}
+		}
+		rCaps = append(rCaps, bpfCaps...)
+	} else {
+		rCaps = append(rCaps, []capability.Cap{
+			capability.CAP_SYS_ADMIN,
+		}...)
+	}
+
+	if err = capabilities.CheckRequired(selfCap, rCaps); err != nil {
+		return err
+	}
+	if err = capabilities.DropUnrequired(selfCap, rCaps); err != nil {
+		return err
+	}
+	return nil
+}
+
 func getFormattedEventParams(eventID int32) string {
 	eventParams := tracee.EventsDefinitions[eventID].Params
 	var verboseEventParams string

diff --git a/cmd/tracee-rules/main.go b/cmd/tracee-rules/main.go
@@ -13,11 +13,13 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/aquasecurity/tracee/pkg/capabilities"
 	"github.com/aquasecurity/tracee/pkg/rules/engine"
 	"github.com/aquasecurity/tracee/pkg/rules/metrics"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/open-policy-agent/opa/compile"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/syndtr/gocapability/capability"
 	"github.com/urfave/cli/v2"
 )
 
@@ -32,6 +34,10 @@ func main() {
 		Name:  "tracee-rules",
 		Usage: "A rule engine for Runtime Security",
 		Action: func(c *cli.Context) error {
+			err := dropCapabilities()
+			if err != nil {
+				return err
+			}
 
 			if c.NumFlags() == 0 {
 				cli.ShowAppHelp(c)
@@ -267,3 +273,18 @@ func sigHandler() chan bool {
 	}()
 	return done
 }
+
+// dropCapabilities drop all capabilities from the process
+// The function also tries to drop the capabilities bounding set, but it won't work if CAP_SETPCAP is not available.
+func dropCapabilities() error {
+	selfCaps, err := capabilities.Self()
+	if err != nil {
+		return err
+	}
+
+	err = capabilities.DropUnrequired(selfCaps, []capability.Cap{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/docs/install/prerequisites.md b/docs/install/prerequisites.md
@@ -29,6 +29,9 @@ capabilities:
 * Load and Attach eBPF programs:
     1. `CAP_BPF`+`CAP_PERFMON` for recent kernels (>=5.8)
     2. or `CAP_SYS_ADMIN` for older kernels
+* `CAP_SYS_PTRACE` (to collect information about processes upon startup)
+* `CAP_NET_ADMIN` (to use tc for packets capture)
+* `CAP_SETPCAP` (if given - used to reduce bounding set capabilities)
 * `CAP_SYSLOG` (to access kernel symbols through /proc/kallsyms)
 * On some environments (e.g. Ubuntu) `CAP_IPC_LOCK` might be required as well.
 

diff --git a/pkg/capabilities/capabilities.go b/pkg/capabilities/capabilities.go
@@ -34,3 +34,17 @@ func Self() (capability.Capabilities, error) {
 	}
 	return selfCap, nil
 }
+
+// DropUnrequired requires that all capabilities are already set or available in permitted set.
+// The function also tries to drop the capabilities bounding set, but it won't work if CAP_SETPCAP is not available.
+func DropUnrequired(selfCaps capability.Capabilities, reqCaps []capability.Cap) error {
+	selfCaps.Clear(capability.CAPS)
+	for _, rc := range reqCaps {
+		selfCaps.Set(capability.CAPS, rc)
+	}
+	err := selfCaps.Apply(capability.CAPS | capability.BOUNDS)
+	if err != nil {
+		return fmt.Errorf("couldn't drop capabilities: %v", err)
+	}
+	return nil
+}
diff --git a/pkg/capabilities/capabilities_test.go b/pkg/capabilities/capabilities_test.go
@@ -14,6 +14,9 @@ type fakeCapability struct {
 
 	newpid2 func(int) (capability.Capabilities, error)
 	get     func(capability.CapType, capability.Cap) bool
+	set     func(capability.CapType, ...capability.Cap)
+	apply   func(capability.CapType) error
+	clear   func(capability.CapType)
 	load    func() error
 }
 
@@ -24,6 +27,25 @@ func (f fakeCapability) Get(which capability.CapType, what capability.Cap) bool
 	return true
 }
 
+func (f fakeCapability) Set(which capability.CapType, caps ...capability.Cap) {
+	if f.set != nil {
+		f.set(which, caps...)
+	}
+}
+
+func (f fakeCapability) Apply(kind capability.CapType) error {
+	if f.apply != nil {
+		return f.apply(kind)
+	}
+	return nil
+}
+
+func (f fakeCapability) Clear(kind capability.CapType) {
+	if f.clear != nil {
+		f.clear(kind)
+	}
+}
+
 func (f fakeCapability) Load() error {
 	if f.load != nil {
 		return f.load()
@@ -40,7 +62,7 @@ func (f fakeCapability) NewPid2(pid int) (capability.Capabilities, error) {
 
 func TestCheckRequiredCapabilities(t *testing.T) {
 	t.Run("happy path", func(t *testing.T) {
-		require.NoError(t, CheckRequired(fakeCapability{}, []capability.Cap{capability.CAP_SYS_ADMIN, capability.CAP_IPC_LOCK}))
+		require.NoError(t, CheckRequired(fakeCapability{}, []capability.Cap{capability.CAP_SYS_ADMIN, capability.CAP_IPC_LOCK, capability.CAP_SYS_PTRACE}))
 	})
 
 	t.Run("missing CAP_SYS_ADMIN", func(t *testing.T) {
@@ -106,3 +128,41 @@ func TestLoadSelfCapabilities(t *testing.T) {
 		require.Nil(t, sc)
 	})
 }
+
+func TestDropUnrequired(t *testing.T) {
+	requiredCaps := []capability.Cap{capability.CAP_SYS_ADMIN, capability.CAP_IPC_LOCK, capability.CAP_SYS_PTRACE, capability.CAP_SYS_RESOURCE}
+	t.Run("happy path", func(t *testing.T) {
+		var setCaps []capability.Cap
+		fc := fakeCapability{
+			set: func(capType capability.CapType, caps ...capability.Cap) {
+				for _, c := range caps {
+					setCaps = append(setCaps, c)
+				}
+			},
+			apply: func(kind capability.CapType) error {
+				for _, reqCap := range requiredCaps {
+					isFound := false
+					for _, setCap := range setCaps {
+						if reqCap == setCap {
+							isFound = true
+							break
+						}
+					}
+					if isFound == false {
+						return fmt.Errorf("capability %s was not set but was required", reqCap)
+					}
+				}
+				return nil
+			},
+		}
+		require.NoError(t, DropUnrequired(fc, requiredCaps))
+	})
+	t.Run("apply error invoked", func(t *testing.T) {
+		fc := fakeCapability{
+			apply: func(kind capability.CapType) error {
+				return fmt.Errorf("error in apply")
+			},
+		}
+		require.Error(t, DropUnrequired(fc, requiredCaps))
+	})
+}