From 07829e7230cf48d796f1fc76f8e3b595967dd903 Mon Sep 17 00:00:00 2001 From: Dmitrii Dolgov <9erthalion6@gmail.com> Date: Fri, 18 Oct 2024 10:16:49 +0200 Subject: [PATCH 1/2] Experiment with dropping capabilities --- collector/collector.cpp | 22 ++++++++++++++++++++++ collector/lib/CollectorStatsExporter.cpp | 9 +++++++++ collector/lib/NetworkStatusNotifier.cpp | 18 ++++++++++++++++++ collector/lib/SignalServiceClient.cpp | 9 +++++++++ 4 files changed, 58 insertions(+)
diff --git a/collector/collector.cpp b/collector/collector.cpp
index a4425b44e7..f9bed96b27 100644
--- a/collector/collector.cpp
+++ b/collector/collector.cpp
@@ -121,6 +121,28 @@ void initialChecks() {
 }
 int main(int argc, char** argv) {
+ // Drop not needed capabilities. Depending on the environment they might be
+ // already dropped, but still make sure we use as little as possible.
+ capng_clear(CAPNG_SELECT_ALL);
+ capng_type_t cap_types = static_cast(CAPNG_EFFECTIVE |
+ CAPNG_PERMITTED);
+ capng_updatev(CAPNG_ADD, cap_types,
+ // BPF is needed to load bpf programs and maps
+ CAP_BPF,
+ // PERFMON needed for using kprobes and tracepoints
+ CAP_PERFMON,
+ // DAC_READ_SEARCH is needed to check tracefs
+ CAP_DAC_READ_SEARCH,
+ // SYS_RESOURCE is needed for setrlimits
+ CAP_SYS_RESOURCE,
+ // SYS_PTRACE and SYS_ADMIN are needed to read /proc/$PID/ns
+ CAP_SYS_PTRACE,
+ CAP_SYS_ADMIN, -1);
+
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 // Print system information before doing actual work.
 auto& host_info = HostInfo::Instance();
 CLOG(INFO) << "Collector Version: " << GetCollectorVersion();
diff --git a/collector/lib/CollectorStatsExporter.cpp b/collector/lib/CollectorStatsExporter.cpp
index 5d5306a123..7fc9d41863 100644
--- a/collector/lib/CollectorStatsExporter.cpp
+++ b/collector/lib/CollectorStatsExporter.cpp
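Review bot: The return value of `capng_updatev` on the line that adds the retained capabilities is ignored, so if any of them is rejected (a kernel or libcap-ng build that does not know `CAP_BPF`/`CAP_PERFMON`, for instance) the following `capng_apply` drops capabilities the collector still needs and the only symptom is a later BPF load failure; check it the way apply is checked, `if (capng_updatev(CAPNG_ADD, cap_types, /* list */ -1) != 0) { CLOG(WARNING) << "Failed to set capability list: " << StrError(); }`. Second, a failed `capng_apply` is only logged at WARNING and `main` carries on with whatever it started with, so this hardening fails open; if that is deliberate, say so in the comment above the check, otherwise treat it as fatal. Note also that `CAPNG_SELECT_ALL` covers the bounding set too, and shrinking the bounding set needs `CAP_SETPCAP`, which is not in the retained list — in a container that does not grant it the apply may report failure even though the effective/permitted reduction worked, so applying `CAPNG_SELECT_CAPS` and `CAPNG_SELECT_BOUNDS` separately (and logging each result) would make the warning meaningful; worth verifying in the target deployment. `main`'s body continues outside the hunk.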
@@ -4,6 +4,10 @@
 #include
 #include
+extern "C" {
+#include
+}
+
 #include "Containers.h"
 #include "EventNames.h"
 #include "Logging.h"
@@ -105,6 +109,11 @@ class CollectorTimerGauge {
 };
 void CollectorStatsExporter::run() {
+ capng_clear(CAPNG_SELECT_ALL);
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 auto& collectorEventCounters = prometheus::BuildGauge()
 .Name("rox_collector_events")
 .Help("Collector events")
diff --git a/collector/lib/NetworkStatusNotifier.cpp b/collector/lib/NetworkStatusNotifier.cpp
index 4885939f5a..4616c5464d 100644
--- a/collector/lib/NetworkStatusNotifier.cpp
+++ b/collector/lib/NetworkStatusNotifier.cpp
@@ -2,6 +2,10 @@
 #include
+extern "C" {
+#include
+}
+
 #include "CollectorStats.h"
 #include "DuplexGRPC.h"
 #include "GRPCUtil.h"
@@ -108,6 +112,20 @@ void NetworkStatusNotifier::ReceiveIPNetworks(const sensor::IPNetworkList& netwo
 }
 void NetworkStatusNotifier::Run() {
+ capng_clear(CAPNG_SELECT_ALL);
+ capng_type_t cap_types = static_cast(CAPNG_EFFECTIVE |
+ CAPNG_PERMITTED);
+ capng_updatev(CAPNG_ADD, cap_types,
+ // DAC_READ_SEARCH is needed to check tracefs
+ CAP_DAC_READ_SEARCH,
+ // SYS_PTRACE and SYS_ADMIN are needed to read /proc/$PID/ns
+ CAP_SYS_PTRACE,
+ CAP_SYS_ADMIN, -1);
+
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 Profiler::RegisterCPUThread();
 auto next_attempt = std::chrono::system_clock::now();
diff --git a/collector/lib/SignalServiceClient.cpp b/collector/lib/SignalServiceClient.cpp
index e43c7e1f95..0ef9c7fac8 100644
--- a/collector/lib/SignalServiceClient.cpp
+++ b/collector/lib/SignalServiceClient.cpp
@@ -2,6 +2,10 @@
 #include
+extern "C" {
+#include
+}
+
 #include "GRPCUtil.h"
 #include "Logging.h"
 #include "ProtoUtil.h"
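Review bot: The drop at the top of `CollectorStatsExporter::run()` restricts only the thread that executes `run()`, because Linux capability sets are per-thread and `capng_apply` applies them to the calling thread; that makes this a real restriction only if `run()` is the body of its own thread, an assumption the hunk does not state anywhere. A comment above `capng_clear` such as `// Capabilities are per-thread on Linux: this restricts only the exporter thread, not the process.` would let whoever next adds work to this thread see what they are constrained by. As in `main`, a failed apply is only a WARNING and the thread then proceeds unrestricted, which at least deserves a comment saying that fail-open is accepted here. `run()` continues past the hunk.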
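Review bot: The comment `// DAC_READ_SEARCH is needed to check tracefs` in `NetworkStatusNotifier::Run()` is copied from `main`, and nothing visible in this hunk touches tracefs; if this thread keeps `CAP_DAC_READ_SEARCH` for another reason (reading other processes' `/proc` entries, presumably) the comment should say that, and if it has no reason the capability should go — a rationale that does not match the thread is how a superfluous `CAP_SYS_ADMIN` survives later reviews. This is also the second copy of the same clear/updatev/apply sequence with the same unchecked `capng_updatev` result; a single helper in a shared file that takes the list of capabilities to retain, checks both return values and names the calling thread in its log line would keep the four sites from drifting. At minimum guard the add here: `if (capng_updatev(CAPNG_ADD, cap_types, CAP_DAC_READ_SEARCH, CAP_SYS_PTRACE, CAP_SYS_ADMIN, -1) != 0) { CLOG(WARNING) << "Failed to set capability list: " << StrError(); }`. `Run()` continues past the hunk.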
@@ -43,6 +47,11 @@ bool SignalServiceClient::EstablishGRPCStreamSingle() {
 }
 void SignalServiceClient::EstablishGRPCStream() {
+ capng_clear(CAPNG_SELECT_ALL);
+ if (capng_apply(CAPNG_SELECT_ALL) != 0) {
+ CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
+ }
+
 while (EstablishGRPCStreamSingle());
 CLOG(INFO) << "Signal service client terminating.";
 }
From d584ff4b6b5c7e5caefc15381b42c49351389c69 Mon Sep 17 00:00:00 2001 From: Dmitrii Dolgov <9erthalion6@gmail.com> Date: Wed, 13 Nov 2024 14:36:59 +0100 Subject: [PATCH 2/2] Add bpf caps to the stats exporter --- collector/lib/CollectorStatsExporter.cpp | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/collector/lib/CollectorStatsExporter.cpp b/collector/lib/CollectorStatsExporter.cpp
index 7fc9d41863..62b0b7fce6 100644
--- a/collector/lib/CollectorStatsExporter.cpp
+++ b/collector/lib/CollectorStatsExporter.cpp
@@ -110,6 +110,13 @@ class CollectorTimerGauge {
 void CollectorStatsExporter::run() {
 capng_clear(CAPNG_SELECT_ALL);
+
+ capng_type_t cap_types = static_cast(CAPNG_EFFECTIVE |
+ CAPNG_PERMITTED);
+ capng_updatev(CAPNG_ADD, cap_types,
+ // BPF is needed to read maps with stats
+ CAP_BPF, -1);
+
 if (capng_apply(CAPNG_SELECT_ALL) != 0) {
 CLOG(WARNING) << "Failed to drop capabilities: " << StrError();
 }
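Review bot: The WARNING emitted when `capng_apply` fails in `EstablishGRPCStream` is word-for-word the same as in `main`, `CollectorStatsExporter::run` and `NetworkStatusNotifier::Run`, so an operator reading the log cannot tell which thread kept its capabilities — and that is exactly the case that matters, since the thread then carries on with its full set. Prefix the message with the site, `CLOG(WARNING) << "SignalServiceClient: failed to drop capabilities: " << StrError();`, or log the remaining set next to it. A one-line comment that the clear is intentionally unconditional here, e.g. `// This thread needs no capabilities, so nothing is added back before applying.`, would also stop a reader from mistaking the missing `capng_updatev` (present at the other sites) for an omission.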
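Review bot: Keeping only `CAP_BPF` on the stats-exporter thread assumes every kernel the collector runs on honours `CAP_BPF` for map reads; on kernels that predate it, BPF operations were gated on `CAP_SYS_ADMIN`, which the main-thread list in patch 1 still keeps, so this thread would lose map access while `main` keeps it. Either add `CAP_SYS_ADMIN` here as well or state the minimum kernel in the comment, e.g. `// CAP_BPF (Linux 5.8+) is enough to read the stats maps; older kernels would need CAP_SYS_ADMIN instead`. The `capng_updatev` call also ignores its return value, so on such a kernel the failure to add `CAP_BPF` is invisible and the apply then drops everything; guard it with `if (capng_updatev(CAPNG_ADD, cap_types, CAP_BPF, -1) != 0) { CLOG(WARNING) << "Failed to retain CAP_BPF: " << StrError(); }`. `run()` continues past the hunk.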