api: detect binary execution that raises process privileges
Add binary_properties.caps_raised array that contains the reasons
why this binary execution gained new capabilities or elevated its
privileges.

It is an array since we do not handle the case of an unprivileged
user id that is _mapped_ to user id root 0 inside its own namespace
and then performs a setuid to root execution. The current eBPF
infrastructure does not support user id translation into the target
user namespace. Plus, the current Tetragon design deals with global
uids, so it is not clear at this moment how to handle this corner
case. For this we make binary_properties.caps_raised an array that
can hold extra values in the future.

So privileged execution can happen when the executed binary has:
1. setuid root bit set
2. file capabilities.

The new caps_raised contains the reason; no need to re-encode the full
capabilities there too. Let's just indicate it to the user, and if they
are interested they can inspect the other fields that contain the
permitted and effective capabilities of the current binary.

The reasons why the elevated privileges happened are in the form of
a new enum type ProcessElevatedPrivsReasons.

Signed-off-by: Djalal Harouni <[email protected]>
tixxdz committed Dec 8, 2023
1 parent a385b6e commit 8631a92
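The two conditions the commit message names (setuid-root bit, file capabilities) can be checked in user space from a stat(2) result and the raw `security.capability` xattr. The following is an added example written for this page, not Tetragon's own code (Tetragon does this inside its eBPF exec hooks, which are not shown here). The `struct vfs_cap_data` / `vfs_ns_cap_data` layout and the `VFS_CAP_*` constants come from `linux/capability.h`; the Go names, the `CapsRaisedReasons` helper, and the decision that an xattr granting no permitted capabilities raises nothing are my assumptions; the sample xattr bytes are constructed (they encode `cap_net_raw=ep`, the usual `getcap` output for `ping`). The v3 `rootid` is decoded but deliberately not interpreted, matching the user-namespace corner case the commit leaves open.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ProcessElevatedPrivsReason mirrors the enum values added by this commit:
// RAISED_UNSET=0, BINARY_EXEC_FILE_CAP=1, BINARY_EXEC_FILE_SETUID=2.
type ProcessElevatedPrivsReason int32

const (
	RaisedUnset          ProcessElevatedPrivsReason = 0
	BinaryExecFileCap    ProcessElevatedPrivsReason = 1
	BinaryExecFileSetuid ProcessElevatedPrivsReason = 2
)

func (r ProcessElevatedPrivsReason) String() string {
	switch r {
	case BinaryExecFileCap:
		return "BINARY_EXEC_FILE_CAP"
	case BinaryExecFileSetuid:
		return "BINARY_EXEC_FILE_SETUID"
	}
	return "RAISED_UNSET"
}

// Constants from <sys/stat.h> and <linux/capability.h>.
const (
	sISUID               = 0o4000
	vfsCapRevisionMask   = 0xFF000000
	vfsCapFlagsEffective = 0x00000001
	vfsCapRevision1      = 0x01000000 // one (permitted, inheritable) u32 pair: 12 bytes
	vfsCapRevision2      = 0x02000000 // two pairs (64-bit cap sets): 20 bytes
	vfsCapRevision3      = 0x03000000 // two pairs + rootid (vfs_ns_cap_data): 24 bytes
)

// FileCaps is a decoded security.capability xattr.
type FileCaps struct {
	Permitted   uint64
	Inheritable uint64
	Effective   bool   // VFS_CAP_FLAGS_EFFECTIVE: permitted set becomes effective on exec
	RootID      uint32 // v3 only: kuid that counts as "root" for this xattr; not interpreted here
}

// ParseSecurityCapability decodes the little-endian vfs_cap_data / vfs_ns_cap_data
// bytes and rejects unknown revisions and truncated or oversized values.
func ParseSecurityCapability(b []byte) (FileCaps, error) {
	var fc FileCaps
	if len(b) < 4 {
		return fc, errors.New("security.capability: too short")
	}
	magic := binary.LittleEndian.Uint32(b[0:4])
	rev := magic & vfsCapRevisionMask
	var pairs, want int
	switch rev {
	case vfsCapRevision1:
		pairs, want = 1, 12
	case vfsCapRevision2:
		pairs, want = 2, 20
	case vfsCapRevision3:
		pairs, want = 2, 24
	default:
		return fc, fmt.Errorf("security.capability: unknown revision 0x%08x", rev)
	}
	if len(b) != want {
		return fc, fmt.Errorf("security.capability: expected %d bytes, got %d", want, len(b))
	}
	fc.Effective = magic&vfsCapFlagsEffective != 0
	for i := 0; i < pairs; i++ { // data[0] is the low 32 bits, data[1] the high 32 bits
		off := 4 + 8*i
		fc.Permitted |= uint64(binary.LittleEndian.Uint32(b[off:off+4])) << uint(32*i)
		fc.Inheritable |= uint64(binary.LittleEndian.Uint32(b[off+4:off+8])) << uint(32*i)
	}
	if rev == vfsCapRevision3 {
		fc.RootID = binary.LittleEndian.Uint32(b[20:24])
	}
	return fc, nil
}

// CapsRaisedReasons applies the two rules from the commit message to a binary's
// st_mode and st_uid plus its security.capability xattr (nil when absent).
func CapsRaisedReasons(mode, uid uint32, xattr []byte) ([]ProcessElevatedPrivsReason, error) {
	var reasons []ProcessElevatedPrivsReason
	if len(xattr) > 0 {
		fc, err := ParseSecurityCapability(xattr)
		if err != nil {
			return nil, err
		}
		if fc.Permitted != 0 { // assumption: an xattr granting no permitted caps raises nothing
			reasons = append(reasons, BinaryExecFileCap)
		}
	}
	// Only the setuid-root case counts; setuid to a non-root uid gains no capabilities.
	if mode&sISUID != 0 && uid == 0 {
		reasons = append(reasons, BinaryExecFileSetuid)
	}
	return reasons, nil
}

func main() {
	// Constructed sample: revision 2, effective flag set, permitted bit 13 (CAP_NET_RAW).
	pingXattr := []byte{0x01, 0x00, 0x00, 0x02, 0x00, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
	r, _ := CapsRaisedReasons(0o755, 0, pingXattr)
	fmt.Println("ping:", r)
	r, _ = CapsRaisedReasons(0o4755, 0, nil) // root-owned setuid binary such as su
	fmt.Println("su:  ", r)
}
```

A binary owned by root with both the setuid bit and a caps xattr yields both reasons, which is why the field is `repeated`; a setuid binary owned by a non-root uid yields none, because it changes the uid without raising any capability.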
Showing 10 changed files with 2,400 additions and 1,750 deletions.
15 changes: 15 additions & 0 deletions api/v1/README.md
Expand Up @@ -51,6 +51,7 @@
- [HealthStatusResult](#tetragon-HealthStatusResult)
- [HealthStatusType](#tetragon-HealthStatusType)
- [KprobeAction](#tetragon-KprobeAction)
- [ProcessElevatedPrivsReasons](#tetragon-ProcessElevatedPrivsReasons)
- [TaintedBitsType](#tetragon-TaintedBitsType)

- [tetragon/events.proto](#tetragon_events-proto)
Expand Down Expand Up @@ -206,6 +207,7 @@
| ----- | ---- | ----- | ----------- |
| setuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) | | If set then this is the set user ID used for execution |
| setgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) | | If set then this is the set group ID used for execution |
| caps_raised | [ProcessElevatedPrivsReasons](#tetragon-ProcessElevatedPrivsReasons) | repeated | The reasons why this binary execution raised the permitted and effective capabilities. Usually this happens when the process executes a binary with setuid root bit set or file capabilities. The final ganted capabilities are listed in the capabilities field of the process execution. |



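Review bot: typo in the added caps_raised description: "The final ganted capabilities" should read "The final granted capabilities". Since api/v1/README.md is generated from the proto comments, fix the wording in the proto source and regenerate rather than editing the README by hand.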
Expand Down Expand Up @@ -985,6 +987,19 @@ RuntimeHookRequest synchronously propagates information to the agent about run-t



<a name="tetragon-ProcessElevatedPrivsReasons"></a>

### ProcessElevatedPrivsReasons
These bits indicate the reasons why a privilege elevation happened.

| Name | Number | Description |
| ---- | ------ | ----------- |
| RAISED_UNSET | 0 | |
| BINARY_EXEC_FILE_CAP | 1 | An execution of a binary with file capabilities set elevated privileges. |
| BINARY_EXEC_FILE_SETUID | 2 | An execution of a binary with setuid to root user elevated privileges. |



<a name="tetragon-TaintedBitsType"></a>

### TaintedBitsType
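Review bot: the enum is documented inconsistently in the added ProcessElevatedPrivsReasons block. The header says "These bits indicate the reasons", but the values 0, 1, 2 are plain enum members carried in a repeated field, not a bitmask (a bitmask would need the next value to be 4). Either drop "bits" from the header ("Reasons why a privilege elevation happened.") or define the values as flags. RAISED_UNSET also has no description, and the two descriptions read awkwardly; consider "Binary executed with file capabilities set." and "Binary executed with the setuid bit set and owned by root (uid 0).", which also makes explicit that a setuid bit on a non-root-owned file does not qualify.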
179 changes: 177 additions & 2 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go
0 comments on commit 8631a92