tracingpolicy: trace capset system call

Produced event: ... "function_name": "security_capset", "args": [ { "process_credentials_arg": { { "cap_effective_arg": "000001ffffffffff" }, { "cap_inheritable_arg": "0000000000000000" }, { "cap_permitted_arg": "000001ffffffffff" } ], "return": { "int_arg": 0 }, "action": "KPROBE_ACTION_POST", "policy_name": "privileges-raise", "return_action": "KPROBE_ACTION_POST", "message": "Process changed its capabilities using capset system call", "tags": [ "observability.process", "observability.privilege" ] Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
cilium · Jan 20, 2024 · 819c515 · 819c515
1 parent 3a033af
commit 819c515
Showing 1 changed file with 47 additions and 1 deletion.
diff --git a/examples/policylibrary/privileges/privileges-raise.yaml b/examples/policylibrary/privileges/privileges-raise.yaml
@@ -3,7 +3,9 @@
 #
 # 1. Unprivileged creating user namespace to gain new capabilities.
 #
-# 2. Change their uids/gids to user root.
+# 2. Setting or changing capabilities using the capset system call.
+#
+# 3. Change their uids/gids to user root.
 #
 #  __sys_setuid
 #    - __x64_sys_setuid
@@ -62,6 +64,50 @@ metadata:
     description: "Detects privileges raising operations"
 spec:
   kprobes:
+  - call: "security_capset"
+    syscall: false
+    return: true
+    message: "Process changed its capabilities using capset system call"
+    args:
+    - index: 0
+      type: "nop"
+    - index: 1
+      type: "cred"
+    - index: 2
+      type: "cap_effective"
+    - index: 3
+      type: "cap_inheritable"
+    - index: 4
+      type: "cap_permitted"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 2
+        operator: "NotEqual"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    - matchArgs:
+      - index: 3
+        operator: "NotEqual"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    - matchArgs:
+      - index: 4
+        operator: "NotEqual"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    tags: [ "observability.process", "observability.privilege" ]
   - call: "create_user_ns"
     syscall: false
     return: true