capabilities: do not drop caps by default

- do not drop capabilities by default (allows bypass)
- return reference instead of new instance (fix)
- add "get instance" logic to singleton
- allow dropping capabilities for testing purposes

example to enable capabilities drop:

  ... --capabilities bypass=false \
      --capabilities add=cap_xxx,cap_yyy \
      --capabilities drop=cap_aaa,cap_bbb

Author: rafaeldtinoco

cmd/tracee-ebpf/flags/capabilities.go

@@ -26,19 +26,15 @@ Available capabilities:
 
 func PrepareCapabilities(capsSlice []string) (tracee.CapabilitiesConfig, error) {
 	capsConfig := tracee.CapabilitiesConfig{
-		BypassCaps: false,
+		BypassCaps: true, // bypass capabilities by default
 	}
 
 	for _, slice := range capsSlice {
 		if strings.Contains(slice, "bypass=") {
 			b := strings.TrimPrefix(slice, "bypass=")
-			if b == "1" || b == "true" {
-				capsConfig.BypassCaps = true
-				capsConfig.AddCaps = nil
-				capsConfig.DropCaps = nil
-				return capsConfig, nil
-			}
-			if b != "0" && b != "false" {
+			if b == "0" || b == "false" {
+				capsConfig.BypassCaps = false
+			} else if b != "1" && b != "true" {
 				return capsConfig, fmt.Errorf("bypass should either be true or false")
 			}
 		}

cmd/tracee-rules/main.go

@@ -29,6 +29,14 @@ func main() {
 		Name:  "tracee-rules",
 		Usage: "A rule engine for Runtime Security",
 		Action: func(c *cli.Context) error {
+
+			// Capabilities command line flags
+
+			err := capabilities.Initialize(c.Bool("allcaps"))
+			if err != nil {
+				return err
+			}
+
 			if c.NumFlags() == 0 {
 				cli.ShowAppHelp(c)
 				return errors.New("no flags specified")
@@ -49,13 +57,6 @@ func main() {
 				)
 			}
 
-			// Capabilities command line flags
-
-			err := capabilities.NewCapabilities(c.Bool("allcaps"))
-			if err != nil {
-				return err
-			}
-
 			var target string
 			switch strings.ToLower(c.String("rego-runtime-target")) {
 			case "wasm":

pkg/capabilities/capabilities.go

@@ -11,7 +11,8 @@ import (
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
-var Caps Capabilities // singleton for all packages
+var once sync.Once
+var caps *Capabilities // singleton for all packages
 
 const pkgName = "capabilities"
 
@@ -31,26 +32,42 @@ const (
 )
 
 type Capabilities struct {
-	have        *cap.Set
-	all         map[cap.Value]map[ringType]bool
-	bypass      bool
-	initialized bool
-	lock        *sync.Mutex // big lock to guarantee all threads are on the same ring
+	have   *cap.Set
+	all    map[cap.Value]map[ringType]bool
+	bypass bool
+	lock   *sync.Mutex // big lock to guarantee all threads are on the same ring
 }
 
-func NewCapabilities(bypass bool) error {
-	Caps = Capabilities{}
-	return Caps.initialize(bypass)
+// Initialize initializes the "caps" instance (singleton).
+func Initialize(bypass bool) error {
+	var err error
+
+	once.Do(func() {
+		caps = &Capabilities{}
+		err = caps.initialize(bypass)
+	})
+
+	return err
+}
+
+// GetInstance returns current "caps" instance. It initializes capabilities if
+// needed, bypassing the privilege dropping by default.
+func GetInstance() *Capabilities {
+	if caps == nil {
+		err := Initialize(true)
+		if err != nil {
+			return nil
+		}
+
+	}
+	return caps
 }
 
 func (c *Capabilities) initialize(bypass bool) error {
 	if bypass {
 		c.bypass = true
 		return nil
 	}
-	if c.initialized {
-		return alreadyInitialized()
-	}
 
 	c.lock = new(sync.Mutex)
 	c.all = make(map[cap.Value]map[ringType]bool)
@@ -323,10 +340,6 @@ func couldNotGetProc(e error) error {
 	return fmt.Errorf("could not get capabilities: %v", e)
 }
 
-func alreadyInitialized() error {
-	return fmt.Errorf("capabilities were already initialized")
-}
-
 //
 // Standalone Functions
 //

pkg/containers/path_resolver.go

@@ -38,7 +38,7 @@ func (cPathRes PathResolver) ResolveAbsolutePath(mountNSAbsolutePath string, mou
 	for _, pid := range pids {
 		procRootPath := fmt.Sprintf("/proc/%d/root", int(pid))
 		// fs.FS interface requires relative paths, so the '/' prefix should be trimmed.
-		err := capabilities.Caps.Required(func() error {
+		err := capabilities.GetInstance().Required(func() error {
 			_, err := fs.Stat(cPathRes.fs, strings.TrimPrefix(procRootPath, "/"))
 			return err
 		})

pkg/containers/path_resolver_test.go

@@ -64,7 +64,8 @@ func TestPathResolver_ResolveAbsolutePath(t *testing.T) {
 		testMntNS := 1
 		testFilePath := "/tmp/tmp.so"
 
-		capabilities.NewCapabilities(true)
+		err := capabilities.Initialize(true) // initialize capabilities
+		assert.NoError(t, err)
 
 		for _, testCase := range testCases {
 			t.Run(testCase.Name, func(t *testing.T) {

pkg/ebpf/events_processor.go

@@ -52,6 +52,7 @@ const (
 
 func (t *Tracee) processEvent(event *trace.Event) error {
 	eventId := events.ID(event.EventID)
+
 	switch eventId {
 
 	case events.VfsWrite, events.VfsWritev, events.KernelWrite:
@@ -148,7 +149,7 @@ func (t *Tracee) processEvent(event *trace.Event) error {
 					if !ok || lastCtime != castedSourceFileCtime {
 
 						// capture (ring1)
-						err = capabilities.Caps.Required(func() error {
+						err = capabilities.GetInstance().Required(func() error {
 							return utils.CopyRegularFileByRelativePath(
 								sourceFilePath,
 								t.outDir,
@@ -177,7 +178,7 @@ func (t *Tracee) processEvent(event *trace.Event) error {
 					} else {
 
 						// ring1
-						capabilities.Caps.Required(func() error {
+						capabilities.GetInstance().Required(func() error {
 							currentHash, err = computeFileHashAtPath(sourceFilePath)
 							if err == nil {
 								hashInfoObj = fileExecInfo{castedSourceFileCtime, currentHash}

pkg/ebpf/probes/probes.go

@@ -52,7 +52,6 @@ type probes struct {
 
 // Init initializes a Probes interface
 func Init(module *bpf.Module, netEnabled bool) (Probes, error) {
-
 	binaryPath := "/proc/self/exe"
 
 	allProbes := map[Handle]Probe{
@@ -147,7 +146,7 @@ func Init(module *bpf.Module, netEnabled bool) (Probes, error) {
 			}
 		}
 	} else {
-		capabilities.Caps.Require(cap.NET_ADMIN) // add to required
+		capabilities.GetInstance().Require(cap.NET_ADMIN) // add to required
 	}
 
 	return &probes{

pkg/ebpf/tracee.go

@@ -266,20 +266,20 @@ func New(cfg Config) (*Tracee, error) {
 		return nil, fmt.Errorf("validation error: %v", err)
 	}
 
-	// create tracee
+	// Create Tracee
 	t := &Tracee{
 		config:        cfg,
 		writtenFiles:  make(map[string]string),
 		capturedFiles: make(map[string]int64),
 		events:        GetEssentialEventsList(),
 	}
 
-	// Start capabilities rings
-	// err = capabilities.NewCapabilities(t.config.Capabilities.BypassCaps)
-	err = capabilities.NewCapabilities(true) // TODO: force until drop priv is finished
+	// Initialize capabilities rings soon
+	err = capabilities.Initialize(t.config.Capabilities.BypassCaps)
 	if err != nil {
 		return t, err
 	}
+	caps := capabilities.GetInstance()
 
 	// Pseudo events added by capture
 	for eventID, eCfg := range GetCaptureEventsList(cfg) {
@@ -304,7 +304,7 @@ func New(cfg Config) (*Tracee, error) {
 			return t, fmt.Errorf("could not get event")
 		}
 		for _, capArray := range evt.Dependencies.Capabilities {
-			capabilities.Caps.Require(capArray)
+			caps.Require(capArray)
 		}
 	}
 
@@ -314,7 +314,7 @@ func New(cfg Config) (*Tracee, error) {
 	if err != nil {
 		return t, err
 	}
-	err = capabilities.Caps.Require(capsToAdd...)
+	err = caps.Require(capsToAdd...)
 	if err != nil {
 		return t, err
 	}
@@ -323,7 +323,7 @@ func New(cfg Config) (*Tracee, error) {
 	if err != nil {
 		return t, err
 	}
-	err = capabilities.Caps.Unrequire(capsToDrop...)
+	err = caps.Unrequire(capsToDrop...)
 	if err != nil {
 		return t, err
 	}
@@ -377,7 +377,7 @@ func (t *Tracee) Init() error {
 	// Init kernel symbols map
 
 	if initReq.kallsyms {
-		err = capabilities.Caps.Requested(func() error { // ring2
+		err = capabilities.GetInstance().Requested(func() error { // ring2
 
 			t.kernelSymbols, err = helpers.NewKernelSymbolsMap()
 			if err != nil {
@@ -405,7 +405,7 @@ func (t *Tracee) Init() error {
 
 	// Initialize containers enrichment logic
 
-	capabilities.Caps.Requested(func() error { // TODO: workaround until PR: #2233 is in place
+	capabilities.GetInstance().Requested(func() error { // TODO: workaround until PR: #2233 is in place
 
 		t.containers, err = containers.New(t.config.Sockets, "containers_map", t.config.Debug)
 		if err != nil {
@@ -1134,32 +1134,32 @@ func (t *Tracee) initBPF() error {
 	isCaptureNetSet := t.config.Capture.NetIfaces != nil
 	isFilterNetSet := len(t.config.Filter.NetFilter.Interfaces()) != 0
 
-	newModuleArgs := bpf.NewModuleArgs{
-		KConfigFilePath: t.config.KernelConfig.GetKernelConfigFilePath(),
-		BTFObjPath:      t.config.BTFObjPath,
-		BPFObjBuff:      t.config.BPFObjBytes,
-		BPFObjName:      t.config.BPFObjPath,
-	}
+	// Execute code with higher privileges: ring1 (required)
 
-	// Open the eBPF object file (create a new module)
+	err = capabilities.GetInstance().Required(func() error {
 
-	t.bpfModule, err = bpf.NewModuleFromBufferArgs(newModuleArgs)
-	if err != nil {
-		return err
-	}
+		newModuleArgs := bpf.NewModuleArgs{
+			KConfigFilePath: t.config.KernelConfig.GetKernelConfigFilePath(),
+			BTFObjPath:      t.config.BTFObjPath,
+			BPFObjBuff:      t.config.BPFObjBytes,
+			BPFObjName:      t.config.BPFObjPath,
+		}
 
-	// Initialize probes
+		// Open the eBPF object file (create a new module)
 
-	netEnabled := isCaptureNetSet || isFilterNetSet
+		t.bpfModule, err = bpf.NewModuleFromBufferArgs(newModuleArgs)
+		if err != nil {
+			return err
+		}
 
-	t.probes, err = probes.Init(t.bpfModule, netEnabled)
-	if err != nil {
-		return err
-	}
+		// Initialize probes
 
-	// Execute code with higher privileges: ring1 (required)
+		netEnabled := isCaptureNetSet || isFilterNetSet
 
-	err = capabilities.Caps.Required(func() error {
+		t.probes, err = probes.Init(t.bpfModule, netEnabled)
+		if err != nil {
+			return err
+		}
 
 		// Load the eBPF object into kernel
 
@@ -1326,7 +1326,7 @@ func (t *Tracee) Run(ctx gocontext.Context) error {
 
 // Close cleans up created resources
 func (t *Tracee) Close() {
-	err := capabilities.Caps.Required(func() error { // ring1
+	err := capabilities.GetInstance().Required(func() error { // ring1
 
 		if t.probes != nil {
 			err := t.probes.DetachAll()
@@ -1399,7 +1399,7 @@ func (t *Tracee) updateFileSHA() {
 
 func (t *Tracee) invokeInitEvents() {
 	if t.events[events.InitNamespaces].emit {
-		capabilities.Caps.Requested(func() error { // ring2
+		capabilities.GetInstance().Requested(func() error { // ring2
 			systemInfoEvent := events.InitNamespacesEvent()
 			t.config.ChanEvents <- systemInfoEvent
 			return nil
@@ -1483,7 +1483,7 @@ func (t *Tracee) triggerSeqOpsIntegrityCheckCall(
 }
 
 func (t *Tracee) updateKallsyms() error {
-	return capabilities.Caps.Requested(func() error { // ring2
+	return capabilities.GetInstance().Requested(func() error { // ring2
 
 		kernelSymbols, err := helpers.NewKernelSymbolsMap()
 		if err != nil {

pkg/utils/sharedobjs/host_symbols_loader.go

@@ -101,14 +101,12 @@ func (soCache *dynamicSymbolsLRUCache) Add(obj ObjInfo, dynamicSymbols *dynamicS
 // loadSharedObjectDynamicSymbols load all dynamic symbols of a shared object file in given path.
 func loadSharedObjectDynamicSymbols(path string) (*dynamicSymbols, error) {
 	var loadedObject *elf.File
-	err := capabilities.Caps.Required(func() error {
+
+	capabilities.GetInstance().Required(func() error {
 		var e error
 		loadedObject, e = elf.Open(path)
 		return e
 	})
-	if err != nil {
-		return nil, err
-	}
 	defer loadedObject.Close()
 
 	dynamicSymbols, err := loadedObject.DynamicSymbols()