Output a log when an application uses a Linux capability #1485

Open
ptodev opened this issue Dec 31, 2024 · 3 comments

Comments

@ptodev
Contributor

ptodev commented Dec 31, 2024

It would be nice if Beyla could produce log lines similar to this Python utility. There are not many tools I could find for this on the internet, and this Python utility is a bit hard to run since it needs the Linux headers to be installed. That's not easy to do for some Linux distributions. There is also an application called Tetragon which seems to be able to do it, but it looks very tightly coupled with K8s.

My use case - I would like to know which Linux capabilities Alloy is using. That way we could document them in the Alloy docs. If this feature is part of Alloy's beyla.ebpf component, then it would be very easy to incorporate it into the Alloy CI.

@rafaelroquetto
Contributor

Hey @ptodev - just to clarify, if all you want is to find out which capabilities an Alloy process is using, would the following be feasible to you?

capsh --decode=$(grep CapEff /proc/<ALLOY_PID>/status | awk '{print $2}')

@ptodev
Contributor Author

ptodev commented Jan 13, 2025

Hi, @rafaelroquetto - I believe the capsh command would indicate which capabilities are granted, regardless of whether the process really needs them? The goal of this GitHub issue is to find out which capabilities a process needs, as opposed to which ones it has been granted. This could be useful for identifying processes which have been granted more capabilities than they actually need.

@ptodev
Contributor Author

ptodev commented Jan 21, 2025

I had a chat on Slack with the Beyla team, and @mariomac suggested using generictracer.go as an example to fulfill the Tracer interface described in pkg/internal/ebpf/tracer.go. He said many methods can return nil: GoProbes, SocketFilters, SockMsgs, SockOps... and probably I will only need to provide contents to the Uprobes method.

@rafaelroquetto suggested instrumenting the capable() function in the Linux kernel with a kprobe: https://elixir.bootlin.com/linux/v6.12.6/source/kernel/capability.c#L434
This function sits on the code path of operations that require a capability check, for instance: https://elixir.bootlin.com/linux/v6.12.6/source/drivers/tty/vt/vt.c#L3340

The capabilities could be outputted via OTLP logs. Adding support for OTLP logs is ok for the Beyla team.
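The two suggestions in this thread measure different things: the capsh one-liner decodes what a process has been granted (CapEff), while a kprobe on capable() records what the kernel actually asked for. The following bash script, added here as an example and not code from Beyla, Alloy or anyone in the thread, does both and reports the capabilities that were granted but never checked. It assumes a bpftrace kprobe on capable (whose first argument is the capability number), a constructed /proc/<pid>/status excerpt for a hypothetical Alloy process with pid 4242, and constructed trace lines in the format the bpftrace program prints; the capability number table is the one from include/uapi/linux/capability.h as of Linux 6.12.

```bash
#!/usr/bin/env bash
# Added example (not Beyla or Alloy code): compare the capabilities a process is
# GRANTED (CapEff in /proc/<pid>/status, what the capsh one-liner decodes) with
# the capabilities it is OBSERVED TO USE (capable() checks caught by a kprobe),
# and report the ones that were granted but never checked.
set -e

# Capability names in bit order, from include/uapi/linux/capability.h (Linux 6.12).
CAP_NAMES=(
  chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
  linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
  ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
  sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
  audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
  block_suspend audit_read perfmon bpf checkpoint_restore
)

# bpftrace program that logs every capable() check as "<pid> <comm> <cap>".
# capable(int cap) receives the capability number as its first argument (arg0).
# Running it needs root and kprobe support; nothing below executes it.
CAPABLE_TRACE='kprobe:capable { printf("%d %s %d\n", pid, comm, arg0); }'
trace_capable() { bpftrace -e "$CAPABLE_TRACE"; }

cap_name() {  # capability number -> cap_<name>; numbers past the table print as cap_<n>
  local n=$1
  if (( n >= 0 && n < ${#CAP_NAMES[@]} )); then
    printf 'cap_%s\n' "${CAP_NAMES[n]}"
  else
    printf 'cap_%d\n' "$n"
  fi
}

cap_effective_mask() {  # stdin: /proc/<pid>/status text -> CapEff hex mask
  awk '$1 == "CapEff:" { print $2 }'
}

decode_mask() {  # 64-bit hex mask as printed in /proc -> cap names, one per line, sorted
  local mask=$((16#$1)) i
  for ((i = 0; i < 64; i++)); do
    if (( (mask >> i) & 1 )); then cap_name "$i"; fi
  done | sort
}

used_caps() {  # $1 = pid; stdin: trace lines -> distinct cap names checked by that pid, sorted
  awk -v pid="$1" '$1 == pid { print $3 }' | sort -un |
    while read -r n; do cap_name "$n"; done | sort
}

granted_but_unused() {  # $1 = pid, $2 = status text, $3 = trace text -> names in CapEff never checked
  local mask
  mask=$(printf '%s\n' "$2" | cap_effective_mask)
  [ -n "$mask" ] || { echo "no CapEff line in status text" >&2; return 1; }
  comm -23 <(decode_mask "$mask") <(printf '%s\n' "$3" | used_caps "$1")
}

# Constructed sample input (hypothetical): a status excerpt for an Alloy process
# with pid 4242 that holds net_bind_service (10), net_admin (12) and sys_admin (21).
SAMPLE_STATUS='Name:	alloy
Pid:	4242
CapEff:	0000000000201400
CapBnd:	000001ffffffffff'

# Constructed trace lines in the format CAPABLE_TRACE prints: pid 4242 only ever
# checks bits 10 and 12; the sys_admin check belongs to a different process.
SAMPLE_TRACE='4242 alloy 10
4242 alloy 10
4242 alloy 12
1 systemd 21'

main() {
  local mask
  mask=$(printf '%s\n' "$SAMPLE_STATUS" | cap_effective_mask)
  echo "granted (CapEff=$mask):"; decode_mask "$mask"
  echo "used:"; printf '%s\n' "$SAMPLE_TRACE" | used_caps 4242
  echo "granted but never checked:"; granted_but_unused 4242 "$SAMPLE_STATUS" "$SAMPLE_TRACE"
}
main
```

Two caveats when reading the "used" list. A kprobe on capable() sees every check, including ones the kernel then denies, so a capability the process lacks can still appear as "used"; a kretprobe on the same function would separate granted from denied checks. And capable() is only the init-namespace wrapper: callers that use ns_capable() directly never pass through it, while both paths end in cap_capable(), so attaching the probe there gives a complete picture. A capability also only shows up if the workload exercised it during the trace window, which is why running this over a full CI run, as the issue proposes, matters.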
