capabilities: raise caps for init_namespaces event

yanivagman · rafaeldtinoco · commit 02804d8b55a8 · 2022-10-24T18:27:46.000-03:00
The init_namespaces event requires SYS_PTRACE to function correctly.
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -1399,8 +1399,11 @@ func (t *Tracee) updateFileSHA() {
 
 func (t *Tracee) invokeInitEvents() {
 	if t.events[events.InitNamespaces].emit {
-		systemInfoEvent := events.InitNamespacesEvent()
-		t.config.ChanEvents <- systemInfoEvent
+		t.capabilities.Requested(func() error { // ring2
+			systemInfoEvent := events.InitNamespacesEvent()
+			t.config.ChanEvents <- systemInfoEvent
+			return nil
+		}, cap.SYS_PTRACE)
 		t.stats.EventCount.Increment()
 	}
 	if t.events[events.ExistingContainer].emit {
