Extract capabilities from cap_capable #1340
Hello @edumarin

First, I noticed that you wrote that the output you got was "1". Tracee should output the capability name and not its number. Are you sure you are not using the json/gob format? I don't see it in the command you provided, so you can try to add

Second, I checked what you wrote in my environment and I found that on BTF-enabled environments we have a bug, thus not all capabilities are shown. I opened an issue to track this #1341 - thanks for bringing this up.

One last point that you should take into consideration is that unless you run all possible code paths of a given container, you will not be able to get all of the capabilities used by it. This includes less common code paths such as error cases and others.

By the way - if you have a BTF-enabled environment, you can remove the mounts from the command:
Hi all,
I'm using tracee to collect all events generated by containers from the moment they are initiated until they are terminated. For this, I run the command:
sudo docker run --name tracee --rm --privileged --pid=host -v /lib/modules:/lib/modules:ro -v /usr/src/:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest trace --trace container=new
One of the events the tool captures is "cap_capable" whose arguments are (int cap, int syscall)
Does anyone know if it is possible to extract the exact set of capabilities (e.g., CAP_SETUID or CAP_CHOWN) required by the container processes from cap_capable (e.g., by looking at the cap argument)? I thought it would be possible to map each value in "cap" to a specific capability, but I noticed that cap always takes the value "1" in the traces I collected (which makes me suspect that this is not the right way as I'm pretty sure that more than 1 capability is required).
Thanks in advance for your help,
Eduard
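The aggregation the question asks for, as an added example that is not part of the original discussion and not Tracee's own code: it reads Tracee-style JSON event lines, keeps only `cap_capable` events, and builds the set of capability names each container exercised. The event layout (`eventName`, `containerId`, and an `args` list of `{name, value}` objects) and the sample lines are constructed for this example and are assumptions; check them against the JSON your Tracee version actually emits. Because the reply above says Tracee normally prints the capability name, the code passes names through unchanged, but it also maps a bare integer to its name using the Linux capability numbering from `include/uapi/linux/capability.h`, so a value of `1` would be `CAP_DAC_OVERRIDE`, not evidence of a single capability.

```python
"""Aggregate capabilities used per container from Tracee cap_capable events.

Added example, not Tracee project code. The JSON field names below are an
assumption about Tracee's JSON output; adjust them to match your version.
"""
import json
from collections import defaultdict

# Linux capability numbers in order (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40),
# from include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def cap_name(value):
    """Normalize the 'cap' argument to a capability name.

    Tracee normally emits the name already; a bare number (int or numeric
    string) is mapped through the kernel numbering, and anything out of
    range is reported rather than silently dropped.
    """
    if isinstance(value, int) or (isinstance(value, str) and value.lstrip("-").isdigit()):
        n = int(value)
        if 0 <= n < len(CAP_NAMES):
            return CAP_NAMES[n]
        return f"CAP_UNKNOWN_{n}"
    return str(value)


def capabilities_per_container(lines):
    """Return {container_id: sorted capability names} from JSON event lines.

    Lines that are blank or not cap_capable events are skipped. Events that
    carry no container id are grouped under the empty string.
    """
    caps = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "cap_capable":
            continue
        args = {a["name"]: a["value"] for a in ev.get("args", [])}
        if "cap" not in args:
            continue
        caps[ev.get("containerId", "")].add(cap_name(args["cap"]))
    return {cid: sorted(names) for cid, names in caps.items()}


# Constructed sample event lines (assumed layout, not captured Tracee output).
SAMPLE_EVENTS = [
    '{"eventName":"cap_capable","containerId":"c1","args":[{"name":"cap","value":"CAP_SETUID"},{"name":"syscall","value":"setuid"}]}',
    '{"eventName":"cap_capable","containerId":"c1","args":[{"name":"cap","value":"CAP_CHOWN"},{"name":"syscall","value":"chown"}]}',
    '{"eventName":"cap_capable","containerId":"c1","args":[{"name":"cap","value":1},{"name":"syscall","value":"openat"}]}',
    '{"eventName":"openat","containerId":"c1","args":[{"name":"pathname","value":"/etc/passwd"}]}',
    '{"eventName":"cap_capable","containerId":"c2","args":[{"name":"cap","value":"CAP_NET_BIND_SERVICE"},{"name":"syscall","value":"bind"}]}',
    '',
]

if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVENTS
    for cid, names in capabilities_per_container(source).items():
        print(cid, " ".join(names))
```

Pipe Tracee's JSON output into the script (the exact flag that enables JSON output depends on the Tracee version; check the `--help` text), or run it with no stdin to see the result on the constructed sample. As the reply points out, the set you get covers only the code paths the container actually executed during the trace, so treat it as a lower bound when deriving a capability allowlist.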