diff --git a/collector/collector.cpp b/collector/collector.cpp
index a4425b44e7..f9bed96b27 100644
--- a/collector/collector.cpp
+++ b/collector/collector.cpp
@@ -121,6 +121,28 @@ void initialChecks() {
 }
 int main(int argc, char** argv) {
+ // Drop not needed capabilities. Depending on the environment they might be
+ // already dropped, but still make sure we use as little as possible.
+ capng_clear(CAPNG_SELECT_ALL);
+ capng_type_t cap_types = static_cast(CAPNG_EFFECTIVE |
+ CAPNG_PERMITTED);
+ capng_updatev(CAPNG_ADD, cap_types,
+ // BPF is needed to load bpf programs and maps
+ CAP_BPF,
+ // PERFMON needed for using kprobes and tracepoints
+ CAP_PERFMON,
+ // DAC_READ_SEARCH is needed to check tracefs
+ CAP_DAC_READ_SEARCH,
+ // SYS_RESOURCE is needed for setrlimits
+ CAP_SYS_RESOURCE,
+ // SYS_PTRACE and SYS_ADMIN are needed to read /proc/$PID/ns
+ CAP_SYS_PTRACE,
+ CAP_SYS_ADMIN, -1);
+
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
+ // Print system information before doing actual work.
 auto& host_info = HostInfo::Instance();
 CLOG(INFO) << "Collector Version: " << GetCollectorVersion();
diff --git a/collector/lib/CollectorStatsExporter.cpp b/collector/lib/CollectorStatsExporter.cpp
index 5d5306a123..62b0b7fce6 100644
--- a/collector/lib/CollectorStatsExporter.cpp
+++ b/collector/lib/CollectorStatsExporter.cpp
@@ -4,6 +4,10 @@
 #include
 #include
+extern "C" {
+#include
+}
+
 #include "Containers.h"
 #include "EventNames.h"
 #include "Logging.h"
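Review bot: The result of `capng_updatev(CAPNG_ADD, cap_types, ...)` is discarded, so if any entry in the list is rejected the working set is silently incomplete by the time `capng_apply` runs; checking it, e.g. `if (capng_updatev(CAPNG_ADD, cap_types, CAP_BPF, /* ... */, -1) != 0) { CLOG(WARNING) << "Failed to select capabilities"; }`, would surface that. More importantly, `capng_clear(CAPNG_SELECT_ALL)` also empties the bounding set and applying with `CAPNG_SELECT_ALL` therefore attempts to drop it too; as far as I recall libcap-ng issues the bounding-set prctl() calls before capset() and returns early when one fails (that path needs CAP_SETPCAP), so in such an environment the process may keep every capability it started with while only a WARNING is logged. Logging the numeric return code of capng_apply next to StrError() (libcap-ng returns a distinct negative value per failed stage, and StrError() presumably reads errno, which the early-return path may not set meaningfully) and stating in the comment whether continuing without the drop is an accepted outcome would make that failure visible and deliberate. The same pattern, with the same unchecked capng_updatev, appears in CollectorStatsExporter::run() and NetworkStatusNotifier::Run(). main() continues beyond the hunk.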
@@ -105,6 +109,18 @@ class CollectorTimerGauge {
 };
 void CollectorStatsExporter::run() {
+ capng_clear(CAPNG_SELECT_ALL);
+
+ capng_type_t cap_types = static_cast(CAPNG_EFFECTIVE |
+ CAPNG_PERMITTED);
+ capng_updatev(CAPNG_ADD, cap_types,
+ // BPF is needed to read maps with stats
+ CAP_BPF, -1);
+
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 auto& collectorEventCounters = prometheus::BuildGauge()
 .Name("rox_collector_events")
 .Help("Collector events")
diff --git a/collector/lib/NetworkStatusNotifier.cpp b/collector/lib/NetworkStatusNotifier.cpp
index 4885939f5a..4616c5464d 100644
--- a/collector/lib/NetworkStatusNotifier.cpp
+++ b/collector/lib/NetworkStatusNotifier.cpp
@@ -2,6 +2,10 @@
 #include
+extern "C" {
+#include
+}
+
 #include "CollectorStats.h"
 #include "DuplexGRPC.h"
 #include "GRPCUtil.h"
@@ -108,6 +112,20 @@ void NetworkStatusNotifier::ReceiveIPNetworks(const sensor::IPNetworkList& netwo
 }
 void NetworkStatusNotifier::Run() {
+ capng_clear(CAPNG_SELECT_ALL);
+ capng_type_t cap_types = static_cast(CAPNG_EFFECTIVE |
+ CAPNG_PERMITTED);
+ capng_updatev(CAPNG_ADD, cap_types,
+ // DAC_READ_SEARCH is needed to check tracefs
+ CAP_DAC_READ_SEARCH,
+ // SYS_PTRACE and SYS_ADMIN are needed to read /proc/$PID/ns
+ CAP_SYS_PTRACE,
+ CAP_SYS_ADMIN, -1);
+
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 Profiler::RegisterCPUThread();
 auto next_attempt = std::chrono::system_clock::now();
diff --git a/collector/lib/SignalServiceClient.cpp b/collector/lib/SignalServiceClient.cpp
index e43c7e1f95..0ef9c7fac8 100644
--- a/collector/lib/SignalServiceClient.cpp
+++ b/collector/lib/SignalServiceClient.cpp
@@ -2,6 +2,10 @@
 #include
+extern "C" {
+#include
+}
+
 #include "GRPCUtil.h"
 #include "Logging.h"
 #include "ProtoUtil.h"
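Review bot: This is the third copy of the clear/updatev/apply sequence in the commit (main(), NetworkStatusNotifier::Run() and here), each with its own unchecked `capng_updatev` and an identical "Failed to drop capabilities" message, so the sites will drift over time and their log lines cannot be told apart. A small shared helper that takes the list of capabilities to keep, checks every libcap-ng return value and logs which thread it is acting for would reduce each call site to one line, e.g. `RestrictCapabilities({CAP_BPF}, "CollectorStatsExporter");` here. The sketch below shows one shape for it; run() continues beyond the hunk.
```cpp
// Shared helper (new, e.g. in a small capability-utils header): keep exactly
// `keep` in the calling thread's effective+permitted sets, drop everything else.
inline bool RestrictCapabilities(std::initializer_list<unsigned int> keep, const char* who) {
  capng_clear(CAPNG_SELECT_ALL);
  const auto cap_types = static_cast<capng_type_t>(CAPNG_EFFECTIVE | CAPNG_PERMITTED);
  for (unsigned int cap : keep) {
    if (capng_update(CAPNG_ADD, cap_types, cap) != 0) {
      CLOG(WARNING) << who << ": cannot select capability " << cap;
      return false;
    }
  }
  if (int rc = capng_apply(CAPNG_SELECT_ALL); rc != 0) {
    CLOG(WARNING) << who << ": failed to drop capabilities (rc=" << rc << "): " << StrError();
    return false;
  }
  return true;
}

// CollectorStatsExporter::run():
RestrictCapabilities({CAP_BPF}, "CollectorStatsExporter");
// … unchanged: gauge construction …
```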
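Review bot: Keeping `CAP_SYS_ADMIN` in NetworkStatusNotifier::Run() largely cancels the benefit of the reduction, because that single capability still authorises most privileged kernel operations; the comment justifies it together with CAP_SYS_PTRACE for reading /proc/$PID/ns, but per proc(5) readlink()/stat() on those entries is gated by a ptrace access-mode check (CAP_SYS_PTRACE), whereas CAP_SYS_ADMIN is what setns() demands. It is worth confirming which of the two this thread actually performs: if it only reads the namespace links, the `CAP_SYS_ADMIN,` entry can be removed from the `capng_updatev` list; if it does call setns(), the comment should say so, e.g. `// SYS_ADMIN is needed to enter container network namespaces (setns)`. Also, as I understand it capset() only changes the calling thread, so this reduction applies to Run()'s thread alone while main() has already set the baseline the threads inherit; a short comment stating that would help the next reader. Run()'s body continues beyond the hunk.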
@@ -43,6 +47,11 @@ bool SignalServiceClient::EstablishGRPCStreamSingle() {
 }
 void SignalServiceClient::EstablishGRPCStream() {
+ capng_clear(CAPNG_SELECT_ALL);
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 while (EstablishGRPCStreamSingle());
 CLOG(INFO) << "Signal service client terminating.";
 }
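Review bot: The warning on the `CLOG(WARNING)` line is byte-identical to the three other sites in this commit, so an operator reading the log cannot tell which thread failed to drop its capabilities; `CLOG(WARNING) << "SignalServiceClient: failed to drop capabilities: " << StrError();` (or prefixing the thread name consistently everywhere) makes it actionable. Unlike the other hunks, this one carries no comment on why the thread keeps nothing; a line such as `// This thread only streams signals over gRPC and needs no capabilities at all.` would document the intent. As in main(), a failing capng_apply leaves this thread with whatever it inherited while execution continues into the retry loop, so the numeric return code is worth logging here too.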