Experiment with dropping capabilities

Author: erthalion

collector/collector.cpp

@@ -119,6 +119,28 @@ void initialChecks() {
 }
 
 int main(int argc, char** argv) {
+  // Drop not needed capabilities. Depending on the environment they might be
+  // already dropped, but still make sure we use as little as possible.
+  capng_clear(CAPNG_SELECT_ALL);
+  capng_type_t cap_types = static_cast<capng_type_t>(CAPNG_EFFECTIVE |
+                                                     CAPNG_PERMITTED);
+  capng_updatev(CAPNG_ADD, cap_types,
+                // BPF is needed to load bpf programs and maps
+                CAP_BPF,
+                // PERFMON needed for using kprobes and tracepoints
+                CAP_PERFMON,
+                // DAC_READ_SEARCH is needed to check tracefs
+                CAP_DAC_READ_SEARCH,
+                // SYS_RESOURCE is needed for setrlimits
+                CAP_SYS_RESOURCE,
+                // SYS_PTRACE and SYS_ADMIN are needed to read /proc/$PID/ns
+                CAP_SYS_PTRACE,
+                CAP_SYS_ADMIN, -1);
+
+  if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+    CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+  }
+
   // Print system information before doing actual work.
   auto& host_info = HostInfo::Instance();
   CLOG(INFO) << "Collector Version: " << GetCollectorVersion();

collector/lib/CollectorStatsExporter.cpp

@@ -4,7 +4,9 @@
 #include <iostream>
 #include <math.h>
 
-#include <sys/capability.h>
+extern "C" {
+#include <cap-ng.h>
+}
 
 #include "Containers.h"
 #include "EventNames.h"
@@ -107,7 +109,10 @@ class CollectorTimerGauge {
 };
 
 void CollectorStatsExporter::run() {
-  capng_clear(CAPNG_SELECT_BOTH);
+  capng_clear(CAPNG_SELECT_ALL);
+  if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+    CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+  }
 
   auto& collectorEventCounters = prometheus::BuildGauge()
                                      .Name("rox_collector_events")

collector/lib/NetworkStatusNotifier.cpp

@@ -2,6 +2,10 @@
 
 #include <google/protobuf/util/time_util.h>
 
+extern "C" {
+#include <cap-ng.h>
+}
+
 #include "CollectorStats.h"
 #include "DuplexGRPC.h"
 #include "GRPCUtil.h"
@@ -108,6 +112,20 @@ void NetworkStatusNotifier::ReceiveIPNetworks(const sensor::IPNetworkList& netwo
 }
 
 void NetworkStatusNotifier::Run() {
+  capng_clear(CAPNG_SELECT_ALL);
+  capng_type_t cap_types = static_cast<capng_type_t>(CAPNG_EFFECTIVE |
+                                                     CAPNG_PERMITTED);
+  capng_updatev(CAPNG_ADD, cap_types,
+                // DAC_READ_SEARCH is needed to check tracefs
+                CAP_DAC_READ_SEARCH,
+                // SYS_PTRACE and SYS_ADMIN are needed to read /proc/$PID/ns
+                CAP_SYS_PTRACE,
+                CAP_SYS_ADMIN, -1);
+
+  if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+    CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+  }
+
   Profiler::RegisterCPUThread();
   auto next_attempt = std::chrono::system_clock::now();
 

collector/lib/SignalServiceClient.cpp

@@ -2,6 +2,10 @@
 
 #include <fstream>
 
+extern "C" {
+#include <cap-ng.h>
+}
+
 #include "GRPCUtil.h"
 #include "Logging.h"
 #include "ProtoUtil.h"
@@ -43,6 +47,11 @@ bool SignalServiceClient::EstablishGRPCStreamSingle() {
 }
 
 void SignalServiceClient::EstablishGRPCStream() {
+  capng_clear(CAPNG_SELECT_ALL);
+  if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+    CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+  }
+
   while (EstablishGRPCStreamSingle());
   CLOG(INFO) << "Signal service client terminating.";
 }