capabilities: make new capabilities a singleton

This allows any package to raise their capabilities.

Author: rafaeldtinoco

cmd/tracee-rules/main.go

@@ -51,7 +51,7 @@ func main() {
 
 			// Capabilities command line flags
 
-			_, err := capabilities.NewCapabilities(c.Bool("allcaps"))
+			err := capabilities.NewCapabilities(c.Bool("allcaps"))
 			if err != nil {
 				return err
 			}

pkg/capabilities/capabilities.go

@@ -11,7 +11,7 @@ import (
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
-var initialized bool
+var Caps Capabilities // singleton for all packages
 
 const pkgName = "capabilities"
 
@@ -31,28 +31,27 @@ const (
 )
 
 type Capabilities struct {
-	have   *cap.Set
-	all    map[cap.Value]map[ringType]bool
-	bypass bool
-	lock   *sync.Mutex // big lock to guarantee all threads are on the same ring
+	have        *cap.Set
+	all         map[cap.Value]map[ringType]bool
+	bypass      bool
+	initialized bool
+	lock        *sync.Mutex // big lock to guarantee all threads are on the same ring
 }
 
-func NewCapabilities(bypass bool) (*Capabilities, error) {
-	c := &Capabilities{}
-	err := c.initialize(bypass)
-	return c, err
+func NewCapabilities(bypass bool) error {
+	Caps = Capabilities{}
+	return Caps.initialize(bypass)
 }
 
 func (c *Capabilities) initialize(bypass bool) error {
 	if bypass {
 		c.bypass = true
 		return nil
 	}
-	if initialized {
-		return noConcurrentCapablities()
+	if c.initialized {
+		return alreadyInitialized()
 	}
 
-	initialized = true
 	c.lock = new(sync.Mutex)
 	c.all = make(map[cap.Value]map[ringType]bool)
 
@@ -316,10 +315,6 @@ func couldNotReadPerfEventParanoid() error {
 	return fmt.Errorf("could not read procfs perf_event_paranoid")
 }
 
-func noConcurrentCapablities() error {
-	return fmt.Errorf("can't have concurrent capabilities")
-}
-
 func couldNotSetProc(e error) error {
 	return fmt.Errorf("could not set capabilities: %v", e)
 }
@@ -328,6 +323,10 @@ func couldNotGetProc(e error) error {
 	return fmt.Errorf("could not get capabilities: %v", e)
 }
 
+func alreadyInitialized() error {
+	return fmt.Errorf("capabilities were already initialized")
+}
+
 //
 // Standalone Functions
 //

pkg/ebpf/events_processor.go

@@ -6,6 +6,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/aquasecurity/tracee/pkg/capabilities"
 	"github.com/aquasecurity/tracee/pkg/utils"
 
 	"github.com/aquasecurity/tracee/pkg/bufferdecoder"
@@ -148,7 +149,7 @@ func (t *Tracee) processEvent(event *trace.Event) error {
 					if !ok || lastCtime != castedSourceFileCtime {
 
 						// capture (ring1)
-						err = t.capabilities.Required(func() error {
+						err = capabilities.Caps.Required(func() error {
 							return utils.CopyRegularFileByRelativePath(
 								sourceFilePath,
 								t.outDir,
@@ -177,7 +178,7 @@ func (t *Tracee) processEvent(event *trace.Event) error {
 					} else {
 
 						// ring1
-						t.capabilities.Required(func() error {
+						capabilities.Caps.Required(func() error {
 							currentHash, err = computeFileHashAtPath(sourceFilePath)
 							if err == nil {
 								hashInfoObj = fileExecInfo{castedSourceFileCtime, currentHash}

pkg/ebpf/tracee.go

@@ -197,7 +197,6 @@ type Tracee struct {
 	triggerContexts   trigger.Context
 	running           bool
 	outDir            *os.File // All file operations to output dir should be through the utils package file operations (like utils.OpenAt) using this directory file.
-	capabilities      *capabilities.Capabilities
 }
 
 func (t *Tracee) Stats() *metrics.Stats {
@@ -276,7 +275,7 @@ func New(cfg Config) (*Tracee, error) {
 	}
 
 	// Start capabilities rings
-	t.capabilities, err = capabilities.NewCapabilities(t.config.Capabilities.BypassCaps)
+	err = capabilities.NewCapabilities(t.config.Capabilities.BypassCaps)
 	if err != nil {
 		return t, err
 	}
@@ -304,7 +303,7 @@ func New(cfg Config) (*Tracee, error) {
 			return t, fmt.Errorf("could not get event")
 		}
 		for _, capArray := range evt.Dependencies.Capabilities {
-			t.capabilities.Require(capArray)
+			capabilities.Caps.Require(capArray)
 		}
 	}
 
@@ -314,7 +313,7 @@ func New(cfg Config) (*Tracee, error) {
 	if err != nil {
 		return t, err
 	}
-	err = t.capabilities.Require(capsToAdd...)
+	err = capabilities.Caps.Require(capsToAdd...)
 	if err != nil {
 		return t, err
 	}
@@ -323,7 +322,7 @@ func New(cfg Config) (*Tracee, error) {
 	if err != nil {
 		return t, err
 	}
-	err = t.capabilities.Unrequire(capsToDrop...)
+	err = capabilities.Caps.Unrequire(capsToDrop...)
 	if err != nil {
 		return t, err
 	}
@@ -377,7 +376,7 @@ func (t *Tracee) Init() error {
 	// Init kernel symbols map
 
 	if initReq.kallsyms {
-		err = t.capabilities.Requested(func() error { // ring2
+		err = capabilities.Caps.Requested(func() error { // ring2
 
 			t.kernelSymbols, err = helpers.NewKernelSymbolsMap()
 			if err != nil {
@@ -405,7 +404,7 @@ func (t *Tracee) Init() error {
 
 	// Initialize containers enrichment logic
 
-	t.capabilities.Requested(func() error { // TODO: workaround until PR: #2233 is in place
+	capabilities.Caps.Requested(func() error { // TODO: workaround until PR: #2233 is in place
 
 		t.containers, err = containers.New(t.config.Sockets, "containers_map", t.config.Debug)
 		if err != nil {
@@ -1159,7 +1158,7 @@ func (t *Tracee) initBPF() error {
 
 	// Execute code with higher privileges: ring1 (required)
 
-	err = t.capabilities.Required(func() error {
+	err = capabilities.Caps.Required(func() error {
 
 		// Load the eBPF object into kernel
 
@@ -1326,7 +1325,7 @@ func (t *Tracee) Run(ctx gocontext.Context) error {
 
 // Close cleans up created resources
 func (t *Tracee) Close() {
-	err := t.capabilities.Required(func() error { // ring1
+	err := capabilities.Caps.Required(func() error { // ring1
 
 		if t.probes != nil {
 			err := t.probes.DetachAll()
@@ -1399,7 +1398,7 @@ func (t *Tracee) updateFileSHA() {
 
 func (t *Tracee) invokeInitEvents() {
 	if t.events[events.InitNamespaces].emit {
-		t.capabilities.Requested(func() error { // ring2
+		capabilities.Caps.Requested(func() error { // ring2
 			systemInfoEvent := events.InitNamespacesEvent()
 			t.config.ChanEvents <- systemInfoEvent
 			return nil
@@ -1483,7 +1482,7 @@ func (t *Tracee) triggerSeqOpsIntegrityCheckCall(
 }
 
 func (t *Tracee) updateKallsyms() error {
-	return t.capabilities.Requested(func() error { // ring2
+	return capabilities.Caps.Requested(func() error { // ring2
 
 		kernelSymbols, err := helpers.NewKernelSymbolsMap()
 		if err != nil {