inspektor-gadget / inspektor-gadget

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF
https://www.inspektor-gadget.io
Apache License 2.0

New Gadget: Capability Advisor #173

Open margamanterola opened 3 years ago

margamanterola commented 3 years ago

Use case: help developers write the PodSecurityContext with the right capabilities

alban commented 2 years ago

The trace capabilities gadget has a lot of non-interesting output. For example:

$ kubectl gadget trace capabilities
... CONTAINER        PID     COMM             UID     CAP  NAME             AUDIT  VERDICT 
... set-priority     7788    nice             0       21   CAP_SYS_ADMIN    0      Deny   
$ kubectl exec -ti -n gadget gadget-b5k8r -- bash
# /usr/share/bcc/tools/capable -v -K
09:52:57  0      19252  nice             21   CAP_SYS_ADMIN        0     
        cap_capable+0x1 [kernel]
        security_vm_enough_memory_mm+0x39 [kernel]
        insert_vm_struct+0x9d [kernel]
        __do_execve_file.isra.40+0x3a6 [kernel]
        __x64_sys_execve+0x39 [kernel]
        do_syscall_64+0x5e [kernel]
        entry_SYSCALL_64_after_hwframe+0x44 [kernel]

This is a non-audit capability check. According to bcc's documentation:

These are those deemed not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit.

bcc does not show them by default. I think we should do the same.

For the Capability Advisor, we need to skip them, otherwise users will think CAP_SYS_ADMIN is required for everything...

The flag --print-stack is still documented but the implementation has been removed in https://github.com/kinvolk/inspektor-gadget/pull/524:

$ git grep print-stack
docs/guides/trace/capabilities.md:You may include a kernel call stack for more context with `--print-stack`.  (If

I think it would be useful for the Capability Advisor.
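The filtering the comment above asks for, as an added example that is not part of the issue and not Inspektor Gadget's own code: a small post-processor that drops non-audit capability checks the way bcc's `capable` does by default, aggregates the remaining checks per container, and renders a `securityContext.capabilities` suggestion. The `is_audited` helper decodes the kernel's `cap_capable()` option bits (`CAP_OPT_NOAUDIT` from include/linux/capability.h). The event records are constructed for this example and are shaped after the columns of the table in the comment; their field names are an assumption, not the gadget's JSON schema.

```python
"""Capability Advisor sketch: skip non-audit checks, then suggest a securityContext.

Added example, not code from the inspektor-gadget issue or repository.
"""
from collections import defaultdict

# Option bits passed to the kernel's cap_capable() (include/linux/capability.h).
# A check made with CAP_OPT_NOAUDIT is the "not interesting" kind bcc hides by
# default, e.g. the CAP_SYS_ADMIN check in security_vm_enough_memory_mm().
CAP_OPT_NOAUDIT = 1 << 1
CAP_OPT_INSETID = 1 << 2


def is_audited(cap_opts: int) -> bool:
    """True for a normal (audited) check, False when CAP_OPT_NOAUDIT is set."""
    return not (cap_opts & CAP_OPT_NOAUDIT)


# Constructed sample events (assumed field names mirroring the table columns
# CONTAINER PID COMM UID CAP NAME AUDIT VERDICT). The audit=0 CAP_SYS_ADMIN
# rows are the overcommit check every execve triggers.
SAMPLE_EVENTS = [
    {"container": "set-priority", "pid": 7788, "comm": "nice", "uid": 0,
     "cap": 21, "name": "CAP_SYS_ADMIN", "audit": 0, "verdict": "Deny"},
    {"container": "set-priority", "pid": 7788, "comm": "nice", "uid": 0,
     "cap": 23, "name": "CAP_SYS_NICE", "audit": 1, "verdict": "Allow"},
    {"container": "set-priority", "pid": 7788, "comm": "nice", "uid": 0,
     "cap": 23, "name": "CAP_SYS_NICE", "audit": 1, "verdict": "Allow"},
    {"container": "web", "pid": 8001, "comm": "nginx", "uid": 0,
     "cap": 10, "name": "CAP_NET_BIND_SERVICE", "audit": 1, "verdict": "Allow"},
    {"container": "web", "pid": 8001, "comm": "nginx", "uid": 0,
     "cap": 21, "name": "CAP_SYS_ADMIN", "audit": 0, "verdict": "Deny"},
    {"container": "web", "pid": 8002, "comm": "nginx", "uid": 101,
     "cap": 27, "name": "CAP_MKNOD", "audit": 1, "verdict": "Deny"},
]


def advise_naive(events):
    """What a user sees without filtering: CAP_SYS_ADMIN for every container."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["container"]].add(ev["name"])
    return {c: sorted(caps) for c, caps in seen.items()}


def advise(events, include_denied=False):
    """Per-container capabilities actually exercised, ignoring non-audit checks.

    By default only checks that succeeded (verdict Allow) count as required;
    include_denied=True also lists denied audited checks so the user can decide
    whether the workload needs them or is merely probing.
    """
    needed = defaultdict(set)
    for ev in events:
        if not ev["audit"]:
            continue  # same default as bcc's capable: hide non-audit checks
        if ev["verdict"] == "Allow" or include_denied:
            needed[ev["container"]].add(ev["name"])
    return {c: sorted(caps) for c, caps in needed.items()}


def render_security_context(caps):
    """Render a Kubernetes securityContext.capabilities fragment.

    Kubernetes names capabilities without the CAP_ prefix (NET_BIND_SERVICE).
    Start from drop ALL and add back only what was observed.
    """
    out = ["securityContext:", "  capabilities:", '    drop: ["ALL"]']
    if caps:
        out.append("    add:")
        out.extend("      - " + (c[4:] if c.startswith("CAP_") else c) for c in caps)
    return "\n".join(out)


if __name__ == "__main__":
    print("naive:", advise_naive(SAMPLE_EVENTS))
    for container, caps in advise(SAMPLE_EVENTS).items():
        print(f"# {container}")
        print(render_security_context(caps))
```

Running it on the constructed events shows the difference the comment describes: the naive aggregation attributes CAP_SYS_ADMIN to both containers, while the audit-filtered result reports only CAP_SYS_NICE for `set-priority` and CAP_NET_BIND_SERVICE for `web`.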

alban commented 2 years ago

The trace capabilities gadget has a lot of non-interesting output.

Fixed by https://github.com/kinvolk/inspektor-gadget/pull/914

Possible remaining tasks:

github-actions[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs.