
cmd/tracee-ebpf: add capabilities dropping bypasses

Open AlonZivony opened this issue 2 years ago • 5 comments

Initial Checklist

  • [x] There is an issue describing the need for this PR.
  • [x] Git log contains summary of the change.
  • [x] Git log contains motivation and context of the change.
  • [ ] If part of an EPIC, PR git log contains EPIC number.
  • [ ] If part of an EPIC, PR was added to EPIC description.

Description (git log)

Add options to bypass capabilities dropping partly or entirely in tracee-ebpf. This will help to solve capabilities issues locally for developers or users who face a capabilities bug.

Fixes: #1996

Type of change

  • [ ] Bug fix (non-breaking change fixing an issue, preferable).
  • [ ] Quick fix (minor non-breaking change requiring no issue, use with care)
  • [x] Code refactor (code improvement and/or code removal)
  • [x] New feature (non-breaking change adding functionality).
  • [ ] Breaking change (cause existing functionality not to work as expected).

Final Checklist:

Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

  • [x] I have made corresponding changes to the documentation.
  • [x] My code follows the style guidelines (C and Go) of this project.
  • [x] I have performed a self-review of my own code.
  • [x] I have commented all functions/methods created explaining what they do.
  • [x] I have commented my code, particularly in hard-to-understand areas.
  • [x] My changes generate no new warnings.
  • [x] I have added tests that prove my fix, or feature, is effective.
  • [x] New and existing unit tests pass locally with my changes.
  • [x] Any dependent changes have been merged and published before.

Git Log Checklist:

My commit logs have:

  • [x] Subject starts with "subsystem|file: description".
  • [x] Do not end the subject line with a period.
  • [x] Limit the subject line to 50 characters.
  • [x] Separate subject from body with a blank line.
  • [x] Use the imperative mood in the subject line.
  • [x] Wrap the body at 72 characters.
  • [x] Use the body to explain what and why instead of how.

AlonZivony avatar Jul 24 '22 13:07 AlonZivony

So I did some testing, found two UX improvements/possibly bugs that I think should be addressed:

  1. --caps add <cap_name> doesn't work, neither does --caps add=<cap_name>
  2. With correct usage (--caps <cap_name>), giving a non-real cap name (tried with CAP_FAKE) doesn't return any error, instead continuing execution. I think that's bad UX for a user, for example if a typo is made.

Was this also addressed? If so I can check and approve.

NDStrahilevitz avatar Jul 28 '22 11:07 NDStrahilevitz
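The two points raised in the comment above (the add=/add forms not being accepted, and an unknown name like CAP_FAKE not producing an error), as an added Go example that is not tracee's own code: a hypothetical --caps parser that accepts a bypass keyword and add= / bare names, rejects unknown names instead of continuing, and a per-capability check that decides whether dropping is skipped entirely or only for the listed names. The capability table, type and function names are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subset of Linux capability names used for validation (the real
// project keeps its own table); names are matched case-insensitively.
var knownCaps = map[string]bool{"CAP_SYS_ADMIN": true, "CAP_NET_ADMIN": true,
	"CAP_SYS_PTRACE": true, "CAP_SYS_RESOURCE": true, "CAP_IPC_LOCK": true, "CAP_BPF": true}
// CapsConfig is a hypothetical parsed form of a --caps option list.
type CapsConfig struct {
	Bypass bool            // skip capability dropping entirely
	Keep   map[string]bool // capabilities to keep when dropping the rest
}
// ParseCapsOptions accepts "bypass", "add=CAP_X", "add CAP_X" and bare "CAP_X".
// A name not in knownCaps is an error, so a typo such as CAP_FAKE fails fast.
func ParseCapsOptions(opts []string) (CapsConfig, error) {
	cfg := CapsConfig{Keep: map[string]bool{}}
	for _, opt := range opts {
		opt = strings.TrimSpace(opt)
		if strings.EqualFold(opt, "bypass") {
			cfg.Bypass = true
			continue
		}
		name := opt
		fields := strings.FieldsFunc(opt, func(r rune) bool { return r == '=' || r == ' ' })
		if len(fields) == 2 && strings.EqualFold(fields[0], "add") {
			name = fields[1]
		}
		name = strings.ToUpper(name)
		if !knownCaps[name] {
			return CapsConfig{}, fmt.Errorf("--caps: unknown capability %q in %q", name, opt)
		}
		cfg.Keep[name] = true
	}
	return cfg, nil
}

// ShouldDrop reports whether the capability gets dropped under cfg: never when
// bypassing entirely, never for a name the user asked to keep, otherwise yes.
func ShouldDrop(cfg CapsConfig, name string) bool {
	return !cfg.Bypass && !cfg.Keep[strings.ToUpper(name)]
}

func main() {
	_, err := ParseCapsOptions([]string{"add=CAP_SYS_PTRACE", "CAP_FAKE"})
	fmt.Println(err)
}
```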

Please rebase this so all matrix tests can run.

NDStrahilevitz avatar Jul 28 '22 13:07 NDStrahilevitz

@AlonZivony I believe https://github.com/aquasecurity/tracee/pull/2033 should be merged first and then you rebase (as that one is simpler) and then once this one is good we merge this one.

rafaeldtinoco avatar Aug 02 '22 03:08 rafaeldtinoco

@AlonZivony I believe #2033 should be merged first and then you rebase (as that one is simpler) and then once this one is good we merge this one.

Np, but we want it to enter the coming sub-release, so it depends on whether this PR will enter soon or not too.

AlonZivony avatar Aug 02 '22 08:08 AlonZivony

NOTE: We're waiting 0.8.1 release first before merging this one.

rafaeldtinoco avatar Aug 03 '22 03:08 rafaeldtinoco

We're into 0.8.2 cycle so this can be merged. @yanivagman or @rafaeldtinoco do you want to go over first?

NDStrahilevitz avatar Aug 14 '22 13:08 NDStrahilevitz