filters: implement capability filters #2107

willfindlay · 2024-02-15T17:47:00Z

Implement a new export filter for process capabilities. The filter includes support for matching effective, permitted, and inheritable capability sets, with various match behaviours. Behaviours include:

any: matches if one or more listed capabilities appear in process caps
all: matches if all listed capabilities appear in process caps
exactly: matches if listed capabilities are exactly equal to process caps
none: matches if no listed capabilities are in process caps

The following are some example uses.

Match when effective capabilities include either CAP_SYS_ADMIN or CAP_BPF:

{"capabilities": {"effective": {"any": ["CAP_SYS_ADMIN", "CAP_BPF"]}}}

Match when permitted capabilities do not include CAP_SYS_ADMIN:

{"capabilities": {"permitted": {"none": ["CAP_SYS_ADMIN", "CAP_BPF"]}}}

Match when inheritable capabilities include either CAP_SYS_ADMIN and CAP_BPF:

{"capabilities": {"inheritable": {"all": ["CAP_SYS_ADMIN", "CAP_BPF"]}}}

Match when inheritable capabilities are exactly CAP_SYS_ADMIN:

{"capabilities": {"inheritable": {"exactly": ["CAP_SYS_ADMIN"]}}}

Introduce an export filter type for process capabilities.

netlify · 2024-02-15T17:47:37Z

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	`b7fe320`
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/65cf76ddf97b6300078f275c
😎 Deploy Preview	https://deploy-preview-2107--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

willfindlay · 2024-02-16T15:56:29Z

Marking as draft while I debug

Implement a new export filter for process capabilities. The filter includes support for matching effective, permitted, and inheritable capability sets, with various match behaviours. Behaviours include: - `any`: matches if one or more listed capabilities appear in process caps - `all`: matches if all listed capabilities appear in process caps - `exactly`: matches if listed capabilities are exactly equal to process caps - `none`: matches if no listed capabilities are in process caps The following are some example uses. Match when effective capabilities include either CAP_SYS_ADMIN or CAP_BPF: {"capabilities": {"effective": {"any": ["CAP_SYS_ADMIN", "CAP_BPF"]}}} Match when permitted capabilities do not include CAP_SYS_ADMIN: {"capabilities": {"permitted": {"none": ["CAP_SYS_ADMIN", "CAP_BPF"]}}} Match when inheritable capabilities include either CAP_SYS_ADMIN and CAP_BPF: {"capabilities": {"inheritable": {"all": ["CAP_SYS_ADMIN", "CAP_BPF"]}}} Match when inheritable capabilities are exactly CAP_SYS_ADMIN: {"capabilities": {"inheritable": {"exactly": ["CAP_SYS_ADMIN"]}}} Signed-off-by: William Findlay <will@isovalent.com>

We added a few new modules with their own vendor directories, but the go-format target was outdated such that it wasn't igoring them. Fix this by simply updating it to ignore all `vendor/*` directories regardless of their parent path. Signed-off-by: William Findlay <will@isovalent.com>

willfindlay added the area/userspace Related to userspace Tetragon logic label Feb 15, 2024

willfindlay requested review from jrfastab and tixxdz February 15, 2024 17:47

willfindlay requested a review from a team as a code owner February 15, 2024 17:47

willfindlay force-pushed the pr/willfindlay/cap-filter branch from 0f840bb to 64c51d9 Compare February 15, 2024 17:48

willfindlay added the release-note/major This PR introduces major new functionality label Feb 15, 2024

willfindlay force-pushed the pr/willfindlay/cap-filter branch 3 times, most recently from 553da6a to b7fe320 Compare February 16, 2024 14:53

willfindlay marked this pull request as draft February 16, 2024 15:56

willfindlay force-pushed the pr/willfindlay/cap-filter branch 2 times, most recently from 8be773c to ff69e2b Compare February 16, 2024 18:16

willfindlay added 2 commits February 20, 2024 15:40

willfindlay force-pushed the pr/willfindlay/cap-filter branch from ff69e2b to d07df31 Compare February 20, 2024 20:40

willfindlay marked this pull request as ready for review February 20, 2024 20:48

jrfastab approved these changes Feb 29, 2024

View reviewed changes

jrfastab merged commit 7c1f5aa into main Feb 29, 2024
36 checks passed

jrfastab deleted the pr/willfindlay/cap-filter branch February 29, 2024 06:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

filters: implement capability filters #2107

filters: implement capability filters #2107

willfindlay commented Feb 15, 2024 •

edited

Loading

netlify bot commented Feb 15, 2024 •

edited

Loading

willfindlay commented Feb 16, 2024

filters: implement capability filters #2107

filters: implement capability filters #2107

Conversation

willfindlay commented Feb 15, 2024 • edited Loading

netlify bot commented Feb 15, 2024 • edited Loading

✅ Deploy Preview for tetragon ready!

willfindlay commented Feb 16, 2024

willfindlay commented Feb 15, 2024 •

edited

Loading

netlify bot commented Feb 15, 2024 •

edited

Loading