Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(enforcer) : Capabilities support #1538

Open
1 of 2 tasks
Aryan-sharma11 opened this issue Dec 7, 2023 · 2 comments · Fixed by #1543 · May be fixed by #1596
Open
1 of 2 tasks

feat(enforcer) : Capabilities support #1538

Aryan-sharma11 opened this issue Dec 7, 2023 · 2 comments · Fixed by #1543 · May be fixed by #1596
Assignees
@Aryan-sharma11
Labels
enhancement New feature or request

Comments

@Aryan-sharma11
Copy link
Member

Aryan-sharma11 commented Dec 7, 2023
edited by daemon1024
Loading

Feature Request

Short Description
Currently, we do not support capabilities with BPFLSM enforcer.

Task lists

  • Support for enforcement of capabilities rules - ( using CAPABLE hook ) feat: Add capabilities support for BPFLSM #1543
  • Implement observability for Linux capabilities in ebpf monitor (probing cap_capable( ) function to trace capabilities)
@Aryan-sharma11 Aryan-sharma11 added the enhancement New feature or request label Dec 7, 2023
@Aryan-sharma11 Aryan-sharma11 self-assigned this Dec 7, 2023
@Aryan-sharma11 Aryan-sharma11 mentioned this issue Dec 13, 2023
Merged
7 tasks
@Aryan-sharma11 Aryan-sharma11 moved this to In Progress in v1.2.0 Release Dec 13, 2023
@nyrahul
Copy link
Contributor

nyrahul commented Dec 18, 2023
edited by Aryan-sharma11
Loading

  • list of all the caps that will be supported? ( Should be supporting all the Linux capabilities ( around 40 ) .
  • sample policies to be fulfilled. Policy
  • high level design to achieve

@daemon1024 daemon1024 moved this from In Progress to In-Review in v1.2.0 Release Jan 16, 2024
@daemon1024 daemon1024 mentioned this issue Jan 24, 2024
Closed
@PrimalPimmy PrimalPimmy moved this to In Review in v1.3.0 Release Jan 29, 2024
@Aryan-sharma11 Aryan-sharma11 linked a pull request Feb 1, 2024 that will close this issue
Draft
7 tasks
@github-project-automation github-project-automation bot moved this from In Review to Done in v1.3.0 Release Feb 13, 2024
@daemon1024 daemon1024 reopened this Feb 13, 2024
@daemon1024 daemon1024 moved this from Done to In Progress in v1.3.0 Release Feb 13, 2024
@Aryan-sharma11
Copy link
Member Author

We have implemented the capable hook for the enforcement of capabilities rules in BPFLSM in #1543, although for Observability right now we are keeping this on hold, as while implementing the Kprobe to trace capabiliities we observed that a lot of events were being generated, which was causing a lot of events being lost. Keeping this in mind and also the performance impact a new design discussion to handle this amount of events will be done with the team.

@Aryan-sharma11 Aryan-sharma11 moved this from In Progress to Triage in v1.3.0 Release Feb 19, 2024
@daemon1024 daemon1024 changed the title feat(enforcer) : Capabilities support in BPFLSM feat(enforcer) : Capabilities support Feb 21, 2024
@DelusionalOptimist DelusionalOptimist mentioned this issue Mar 19, 2024
Closed
24 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Aryan-sharma11 Aryan-sharma11

Labels
enhancement New feature or request
Projects
v1.4.0 Release
Status: No status
Milestone
No milestone
3 participants
@nyrahul @daemon1024 @Aryan-sharma11