Run with least permissions in Linux #91
Comments
You can replace full privileges by individual capabilities, but it requires mounting the shared maps in the filesystem; as far as I see, only the already overloaded CAP_SYS_ADMIN has the rights for mounting. It might be slightly safer than full privileges, but I definitely would have preferred to restrict the requirements to CAP_PTRACE, CAP_BPF and a few more capabilities.
I've been investigating by manually running the otelauto process and manually assigning the capabilities and it still requires the I tried later by using unpinned maps, but I still get a different error that only goes off when setting the
I tried with the following capabilities (many of them aren't needed, just trial-and-error) and only adding cap_sys_admin solves the issue:
Closing, but at some point we could reopen it if future versions of the kernel increase the granularity of capabilities.
Basically, investigate and document which capabilities are needed to run the executable without requiring full privileged mode. Provide some examples for e.g. Docker and Kubernetes deployments.
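
One way to verify what a deployment actually grants, as an added example that is not part of this issue thread or the project's code: it decodes the capability masks in `/proc/<pid>/status` and compares the effective set against an allow-list. The allow-list, the sample status text and the function names are assumptions made for illustration.

```python
# Capability names by bit number, from include/uapi/linux/capability.h.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Assumed allow-list for this example; adjust to what your deployment needs.
ALLOWED = {"CAP_SYS_ADMIN", "CAP_BPF", "CAP_SYS_PTRACE"}

# Constructed samples of /proc/<pid>/status (not captured from a real host).
PRIVILEGED_STATUS = "Name:\totelauto\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
RESTRICTED_STATUS = "Name:\totelauto\nCapEff:\t0000008000280000\nCapBnd:\t0000008000280000\n"


def decode(mask):
    """Turn a capability bitmask into a set of CAP_* names."""
    names, bit = set(), 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits newer than this table are reported by number.
            names.add("CAP_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_cap_sets(status_text):
    """Return {'CapEff': {...}, 'CapBnd': {...}, ...} from status text."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            sets[key] = decode(int(value.strip(), 16))
    return sets


def audit(status_text, allowed):
    """Compare the effective set with the allow-list."""
    eff = parse_cap_sets(status_text)["CapEff"]
    return {
        "full_privileges": {"CAP_" + n for n in CAP_NAMES} <= eff,
        "unexpected": sorted(eff - allowed),      # granted but not allowed
        "not_granted": sorted(allowed - eff),     # allowed but missing
    }


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(audit(f.read(), ALLOWED))
```

Run it inside the container, or pass it the status text of the instrumentation process, to confirm that the securityContext or `--cap-add` settings took effect instead of full privileged mode.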