drop capabilities during compilation
itaysk authored and yanivagman committed Nov 11, 2020
1 parent 3b80e0f commit fbf395a
Showing 1 changed file with 32 additions and 12 deletions.
44 changes: 32 additions & 12 deletions main.go
Expand Up @@ -89,6 +89,9 @@ func main() {
return err
}
cfg.BPFObjPath = bpfFile
if !checkRequiredCapabilities() {
return fmt.Errorf("Insufficient privileges to run")
}
t, err := tracee.New(cfg)
if err != nil {
// t is being closed internally
Expand Down Expand Up @@ -194,9 +197,6 @@ func main() {
},
}

if !isCapable() {
log.Fatal("Not enough privileges to run this program")
}
err := app.Run(os.Args)
if err != nil {
log.Fatal(err)
Expand Down Expand Up @@ -311,19 +311,24 @@ func prepareEventsToTrace(eventsToTrace []string, setsToTrace []string, excludeE
return res, nil
}

func isCapable() bool {
c, err := capability.NewPid2(0)
func checkRequiredCapabilities() bool {
caps, err := getSelfCapabilities()
if err != nil {
fmt.Println("Current user capabilities could not be retrieved. Assure running with enough privileges")
return true
return false
}
err = c.Load()
return caps.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN)
}

func getSelfCapabilities() (capability.Capabilities, error) {
cap, err := capability.NewPid2(0)
if err != nil {
fmt.Println("Current user capabilities could not be retrieved. Assure running with enough privileges")
return true
return nil, err
}

return c.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN)
err = cap.Load()
if err != nil {
return nil, err
}
return cap, nil
}

func printList() {
Expand Down Expand Up @@ -452,6 +457,21 @@ func unpackBPFBundle(dir string) error {

// makeBPFObject builds the ebpf object from source code into the provided path
func makeBPFObject(outFile string) error {
// drop capabilities for the compilation process
cap, err := getSelfCapabilities()
if err != nil {
return err
}
capNew, err := capability.NewPid2(0)
if err != err {
return err
}
capNew.Clear(capability.BOUNDS)
err = capNew.Apply(capability.BOUNDS)
if err != err {
return err
}
defer cap.Apply(capability.BOUNDS)
dir, err := ioutil.TempDir("", "tracee-make")
if err != nil {
return err
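Review bot: In makeBPFObject both new guards are written `if err != err`, which is always false, so a failure from `capability.NewPid2(0)` or from `capNew.Apply(capability.BOUNDS)` is ignored; the first case goes on to call `capNew.Clear` on a value that may be nil, and the second lets the compilation run with the bounding set unchanged while the code reads as if it had been dropped. Both should be `if err != nil { return err }`. The deferred `cap.Apply(capability.BOUNDS)` also discards its error, and since Linux only permits removing capabilities from the bounding set, that restore probably cannot take effect; a comment such as `// bounding-set drop is one-way for the rest of this process` (or doing the drop in a child process that runs the build) would make the intent explicit. Only the bounding set is cleared here, so it is worth confirming that the inheritable and ambient sets are empty when the compilation is started. makeBPFObject continues past the end of the visible hunk.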
