
Run with least permissions in Linux #91

Closed
mariomac opened this issue May 4, 2023 · 3 comments
Comments

mariomac (Contributor) commented May 4, 2023

Basically, investigate and document which capabilities are needed to run the executable without requiring full privileged mode. Provide some examples for e.g. Docker and Kubernetes deployments.

mariomac self-assigned this May 4, 2023

mariomac (Contributor, Author) commented May 4, 2023

You can replace full privileges with individual capabilities, but it requires mounting the shared maps in the filesystem; as far as I see, only the already overloaded CAP_SYS_ADMIN has the rights for mounting.

It might be slightly safer than full privileges, but I definitely would have preferred to restrict the requirements to CAP_PTRACE, CAP_BPF and a few more capabilities.

mariomac (Contributor, Author) commented May 5, 2023

I've been investigating by manually running the otelauto process and manually assigning the capabilities, and it still requires the CAP_SYS_ADMIN capability to pin the BPF maps. Even when premounting /sys/fs/bpf and giving total access to nonprivileged users, the library complains when loading/pinning the maps.

I tried later using unpinned maps, but I still get a different error that only goes away when setting CAP_SYS_ADMIN:

setting uprobe: creating perf_uprobe PMU: token /proc/2388/exe:0x2b61a0: opening perf event: permission denied" function=net/http.HandlerFunc.ServeHTTP

I tried with the following capabilities (many of them aren't needed, just trial-and-error) and only adding cap_sys_admin solves the issue:

cap_sys_resource,cap_dac_override,cap_bpf,cap_perfmon,cap_net_admin,cap_fowner,cap_dac_read_search
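As an added preflight check (not part of the project's code or this issue), the script below reads a process's effective capability mask from /proc/<pid>/status and reports which of the capabilities tried above are missing, so a Docker or Kubernetes deployment can verify its securityContext before launching the agent. The capability names map to the bit indices defined in the kernel's linux/capability.h; the masks used in the usage note are constructed sample values.

```shell
#!/bin/sh
# Added preflight check, not part of the project's code: read a process's
# effective capability mask (CapEff in /proc/<pid>/status) and report which
# of the capabilities tried in this issue are missing (bits per linux/capability.h).
set -eu

# cap_bit NAME -> bit index of that capability in the CapEff mask
cap_bit() {
  case "$1" in
    cap_dac_override)    echo 1 ;;
    cap_dac_read_search) echo 2 ;;
    cap_fowner)          echo 3 ;;
    cap_net_admin)       echo 12 ;;
    cap_sys_ptrace)      echo 19 ;;
    cap_sys_admin)       echo 21 ;;
    cap_sys_resource)    echo 24 ;;
    cap_perfmon)         echo 38 ;;
    cap_bpf)             echo 39 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# has_cap MASKHEX NAME -> exit 0 if the bit is set, 1 if not
has_cap() {
  bit=$(cap_bit "$2") || return 2
  [ $(( 0x$1 >> bit & 1 )) -eq 1 ]
}

# missing_caps MASKHEX NAME... -> prints the names not present in the mask
missing_caps() {
  mask=$1; shift
  out=""
  for c in "$@"; do
    has_cap "$mask" "$c" || out="$out $c"
  done
  echo "${out# }"
}

# effective_mask [PID] -> hex CapEff of a running process (default: this shell)
effective_mask() {
  awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Usage: `sh capcheck.sh --check [PID]` reports what the process lacks from the
# set the issue ended up needing (cap_sys_admin) plus the narrower preferred set.
if [ "${1:-}" = "--check" ]; then
  m=$(effective_mask "${2:-self}")
  echo "CapEff=$m"
  echo "missing: $(missing_caps "$m" cap_sys_admin cap_sys_ptrace cap_bpf cap_perfmon)"
fi
```

For a constructed mask 000000c00100100e (bits for dac_override, dac_read_search, fowner, net_admin, sys_resource, perfmon and bpf set), `missing_caps` reports `cap_sys_admin cap_sys_ptrace`, which is exactly the gap the issue describes: the trial list without cap_sys_admin is not enough.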

mariomac (Contributor, Author) commented May 5, 2023

Closing, but at some point we could reopen it if future versions of the kernel increase the granularity of capabilities.
