api: detect binary execution that raises process capabilities.
Add binary_properties.caps_raised bool; if set, then the current execution
gained new capabilities through binary execution.

This happens when the executed binary has:
1. setuid root bit set
2. file capabilities.

This is explicitly caps_raised instead of file_caps, as it is hard to
inspect from BPF side if the setuid binary execution is a setuid root
that raised capabilities or not. To identify that we need from BPF side
to check if that uid is explicitly _mapped_ as _root_ id in the current
user namespace or one of the parent user namespaces. Currently this
is not trivial and we still don't do or plan to do user namespace ids
translation in Tetragon.

To solve this we abstract it in `caps_raised` field to indicate if
the binary execution allowed the process to raise its capabilities
which is what users want. The final granted capabilities are listed in
the capabilities field of the process execution.

The new caps_raised is a bool type, no need to re-encode the full capabilities
there too; let's just indicate to the user, and if they are interested
they can inspect other fields that contain the permitted and effective
capabilities of the current binary.

Signed-off-by: Djalal Harouni <[email protected]>
tixxdz committed Dec 6, 2023
1 parent 7c7cb63 commit ca5f1c0
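As an added example, not code from this commit or from Tetragon itself: a small Go consumer that reads exported JSON events one per line and reports the executions where `binary_properties.caps_raised` is true, separating the setuid route from file capabilities and listing the effective set that was actually granted. The sample events are constructed; the field names follow this commit's proto, while the snake_case JSON keys and the `cap` key for the process capabilities field are assumptions about the export format.

```go
package main

import "encoding/json"

// Constructed sample events (not real captures): keys follow this commit's proto field
// names; that the capabilities field exports under "cap" is an assumption.
var SampleEvents = []string{
	`{"process_exec":{"process":{"binary":"/usr/bin/passwd","binary_properties":{"setuid":0,"caps_raised":true},"cap":{"effective":["CAP_CHOWN","CAP_SETUID","CAP_SETGID"]}}}}`,
	`{"process_exec":{"process":{"binary":"/usr/bin/ls","binary_properties":{},"cap":{"effective":[]}}}}`,
	`{"process_exec":{"process":{"binary":"/usr/bin/ping","binary_properties":{"caps_raised":true},"cap":{"effective":["CAP_NET_RAW"]}}}}`,
}

// Only the parts of a process_exec event this check reads.
type process struct {
	Binary           string `json:"binary"`
	BinaryProperties struct {
		Setuid     *uint32 `json:"setuid"` // present only when a setuid bit was used
		CapsRaised bool    `json:"caps_raised"`
	} `json:"binary_properties"`
	Cap struct{ Effective []string `json:"effective"` } `json:"cap"`
}
type execEvent struct {
	ProcessExec *struct{ Process process `json:"process"` } `json:"process_exec"`
}

// Finding is one execution that gained capabilities, via the setuid bit when
// Setuid is true and via file capabilities otherwise; Effective is the granted set.
type Finding struct {
	Binary    string
	Setuid    bool
	Effective []string
}

// RaisedCapsExecs takes one JSON event per line and keeps the process_exec events
// whose binary_properties.caps_raised is true; other event kinds are skipped.
func RaisedCapsExecs(lines []string) ([]Finding, error) {
	var out []Finding
	for _, line := range lines {
		var ev execEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err // a broken export line should not pass silently
		}
		if ev.ProcessExec == nil || !ev.ProcessExec.Process.BinaryProperties.CapsRaised {
			continue // not an exec, or no new privileges gained
		}
		p := ev.ProcessExec.Process
		out = append(out, Finding{p.Binary, p.BinaryProperties.Setuid != nil, p.Cap.Effective})
	}
	return out, nil
}
```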
Showing 10 changed files with 1,361 additions and 1,273 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md
Expand Up @@ -206,6 +206,7 @@
| ----- | ---- | ----- | ----------- |
| setuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) | | If set then this is the set user ID used for execution |
| setgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) | | If set then this is the set group ID used for execution |
| caps_raised | [bool](#bool) | | If set then the execution of this binary gained new privileges by raising the permitted and effective capabilities. This happens when the process executes a binary with setuid root bit set or file capabilities. The final ganted capabilities are listed in the capabilities field of the process execution. |
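Review bot: typo in the new caps_raised row, "ganted" should read "granted". The same sentence appears in tetragon.proto and grpc-api.md in this commit, so if this table is generated from the proto comments, fix the wording there and regenerate rather than patching README.md by hand.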



20 changes: 18 additions & 2 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go

860 changes: 437 additions & 423 deletions api/v1/tetragon/tetragon.pb.go

4 changes: 4 additions & 0 deletions api/v1/tetragon/tetragon.proto
Expand Up @@ -145,6 +145,10 @@ message BinaryProperties {
google.protobuf.UInt32Value setuid = 1;
// If set then this is the set group ID used for execution
google.protobuf.UInt32Value setgid = 2;
// If set then the execution of this binary gained new privileges by raising the permitted and effective capabilities.
// This happens when the process executes a binary with setuid root bit set or file capabilities.
// The final ganted capabilities are listed in the capabilities field of the process execution.
bool caps_raised = 3;
}

message Process {
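Review bot: the comment on `bool caps_raised = 3;` has the typo "ganted" (granted), and it could say more precisely what the flag measures. The commit message explains that BPF cannot tell a setuid-root execution from a setuid-to-non-root one, so the field reports that the permitted and effective capabilities actually grew, not merely that a setuid bit or file capabilities were present; suggest wording like "Set when executing this binary raised the process's permitted and effective capabilities, typically because the binary is setuid root or carries file capabilities." Also note that, unlike the `setuid`/`setgid` wrapper types above, a proto3 bool has no presence, so "If set" here just means true.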
1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md
Expand Up @@ -93,6 +93,7 @@ version 1 of this API is defined in
| ----- | ---- | ----- | ----------- |
| setuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) | | If set then this is the set user ID used for execution |
| setgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) | | If set then this is the set group ID used for execution |
| caps_raised | [bool](#bool) | | If set then the execution of this binary gained new privileges by raising the permitted and effective capabilities. This happens when the process executes a binary with setuid root bit set or file capabilities. The final ganted capabilities are listed in the capabilities field of the process execution. |

<a name="tetragon-Capabilities"></a>
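Review bot: same "ganted" typo in the caps_raised row of this table; the row duplicates the tetragon.proto comment word for word, so keep it in sync with whatever corrected wording lands in the proto.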
