Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

feat(enforcer) : Capabilities support #1538

Open
1 of 2 tasks
Aryan-sharma11 opened this issue Dec 7, 2023 · 2 comments · Fixed by #1543 · May be fixed by #1596
Open
1 of 2 tasks

feat(enforcer) : Capabilities support #1538

Aryan-sharma11 opened this issue Dec 7, 2023 · 2 comments · Fixed by #1543 · May be fixed by #1596
Assignees
@Aryan-sharma11
Labels
enhancement New feature or request

Comments

@Aryan-sharma11
Copy link
Member

Aryan-sharma11 commented Dec 7, 2023
edited by daemon1024
Loading

Feature Request

Short Description
Currently, we do not support capabilities with BPFLSM enforcer.

Task lists

  • Support for enforcement of capabilities rules - ( using CAPABLE hook ) feat: Add capabilities support for BPFLSM #1543
  • Implement observability for Linux capabilities in ebpf monitor (probing cap_capable( ) function to trace capabilities)
@Aryan-sharma11 Aryan-sharma11 added the enhancement New feature or request label Dec 7, 2023
@Aryan-sharma11 Aryan-sharma11 self-assigned this Dec 7, 2023
@Aryan-sharma11 Aryan-sharma11 mentioned this issue Dec 13, 2023
Merged
7 tasks
@Aryan-sharma11 Aryan-sharma11 moved this to In Progress in v1.2.0 Release Dec 13, 2023
@nyrahul
Copy link
Contributor

nyrahul commented Dec 18, 2023
edited by Aryan-sharma11
Loading

  • list of all the caps that will be supported? ( Should be supporting all the Linux capabilities ( around 40 ) .
  • sample policies to be fulfilled. Policy
  • high level design to achieve

@daemon1024 daemon1024 moved this from In Progress to In-Review in v1.2.0 Release Jan 16, 2024
@daemon1024 daemon1024 mentioned this issue Jan 24, 2024
Closed
@PrimalPimmy PrimalPimmy moved this to In Review in v1.3.0 Release Jan 29, 2024
@Aryan-sharma11 Aryan-sharma11 linked a pull request Feb 1, 2024 that will close this issue
Draft
7 tasks
@github-project-automation github-project-automation bot moved this from In Review to Done in v1.3.0 Release Feb 13, 2024
@daemon1024 daemon1024 reopened this Feb 13, 2024
@daemon1024 daemon1024 moved this from Done to In Progress in v1.3.0 Release Feb 13, 2024
@Aryan-sharma11
Copy link
Member Author

We have implemented the capable hook for the enforcement of capabilities rules in BPFLSM in #1543, although for Observability right now we are keeping this on hold, as while implementing the Kprobe to trace capabiliities we observed that a lot of events were being generated, which was causing a lot of events being lost. Keeping this in mind and also the performance impact a new design discussion to handle this amount of events will be done with the team.

@Aryan-sharma11 Aryan-sharma11 moved this from In Progress to Triage in v1.3.0 Release Feb 19, 2024
@daemon1024 daemon1024 changed the title feat(enforcer) : Capabilities support in BPFLSM feat(enforcer) : Capabilities support Feb 21, 2024
@DelusionalOptimist DelusionalOptimist mentioned this issue Mar 19, 2024
Closed
24 tasks
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@Aryan-sharma11 Aryan-sharma11

Labels
enhancement New feature or request
Projects
v1.4.0 Release
Status: No status
Milestone
No milestone
3 participants
@nyrahul @daemon1024 @Aryan-sharma11