Fix OS capabilities

grafana · Sep 4, 2024 · 028bd05 · 028bd05
1 parent 4494fae
commit 028bd05
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 12 deletions.
diff --git a/pkg/beyla/config.go b/pkg/beyla/config.go
@@ -43,7 +43,7 @@ const (
 var DefaultConfig = Config{
 	ChannelBufferLen: 10,
 	LogLevel:         "INFO",
-	EnforceSysCaps:   true,
+	EnforceSysCaps:   false,
 	EBPF: ebpfcommon.TracerConfig{
 		BatchLength:        100,
 		BatchTimeout:       time.Second,

diff --git a/pkg/beyla/config_test.go b/pkg/beyla/config_test.go
@@ -107,7 +107,7 @@ network:
 		ServiceName:      "svc-name",
 		ChannelBufferLen: 33,
 		LogLevel:         "INFO",
-		EnforceSysCaps:   true,
+		EnforceSysCaps:   false,
 		Printer:          false,
 		TracePrinter:     "json",
 		EBPF: ebpfcommon.TracerConfig{

diff --git a/pkg/beyla/os.go b/pkg/beyla/os.go
@@ -84,13 +84,29 @@ func CheckOSCapabilities(config *Config) error {
 		}
 	}
 
+	major, minor := kernelVersion()
+
+	// below kernels 5.8 all BPF permissions were bundled under SYS_ADMIN
+	if (major == 5 && minor < 8) || (major < 5) {
+		testAndSet(unix.CAP_SYS_ADMIN)
+
+		if capError.Empty() {
+			return nil
+		}
+
+		return capError
+	}
+
+	// if sys admin is set, we have all capabilities
+	if caps.Has(unix.CAP_SYS_ADMIN) {
+		return nil
+	}
+
 	// core capabilities
 	testAndSet(unix.CAP_BPF)
 	testAndSet(unix.CAP_PERFMON)
 	testAndSet(unix.CAP_DAC_READ_SEARCH)
 
-	major, minor := kernelVersion()
-
 	// CAP_SYS_RESOURCE is only required on kernels < 5.11
 	if (major == 5 && minor < 11) || (major < 5) {
 		testAndSet(unix.CAP_SYS_RESOURCE)
@@ -102,7 +118,10 @@ func CheckOSCapabilities(config *Config) error {
 	}
 
 	if config.Enabled(FeatureNetO11y) {
-		testAndSet(unix.CAP_NET_RAW)
+		// test for net raw only if we don't have net admin
+		if !caps.Has(unix.CAP_NET_ADMIN) {
+			testAndSet(unix.CAP_NET_RAW)
+		}
 	}
 
 	if capError.Empty() {

diff --git a/pkg/beyla/os_test.go b/pkg/beyla/os_test.go
@@ -105,14 +105,14 @@ type capTestData struct {
 }
 
 var capTests = []capTestData{
-	{osCap: unix.CAP_BPF, class: capCore},
-	{osCap: unix.CAP_PERFMON, class: capCore},
-	{osCap: unix.CAP_DAC_READ_SEARCH, class: capCore},
+	{osCap: unix.CAP_BPF, class: capCore, kernMaj: 6, kernMin: 10},
+	{osCap: unix.CAP_PERFMON, class: capCore, kernMaj: 6, kernMin: 10},
+	{osCap: unix.CAP_DAC_READ_SEARCH, class: capCore, kernMaj: 6, kernMin: 10},
 	{osCap: unix.CAP_SYS_RESOURCE, class: capCore, kernMaj: 5, kernMin: 10},
-	{osCap: unix.CAP_SYS_RESOURCE, class: capCore, kernMaj: 4, kernMin: 11},
-	{osCap: unix.CAP_CHECKPOINT_RESTORE, class: capApp},
-	{osCap: unix.CAP_SYS_PTRACE, class: capApp},
-	{osCap: unix.CAP_NET_RAW, class: capNet},
+	{osCap: unix.CAP_SYS_ADMIN, class: capCore, kernMaj: 4, kernMin: 11},
+	{osCap: unix.CAP_CHECKPOINT_RESTORE, class: capApp, kernMaj: 6, kernMin: 10},
+	{osCap: unix.CAP_SYS_PTRACE, class: capApp, kernMaj: 6, kernMin: 10},
+	{osCap: unix.CAP_NET_RAW, class: capNet, kernMaj: 6, kernMin: 10},
 }
 
 func TestCheckOSCapabilities(t *testing.T) {