I'm reopening this bug with the upload of falcosecurity-libs 0.15.1-4. In 0.15.1-3 I added logic to add a "scap" group that has permissions to talk to the scap driver. But the previous issues (this doesn't also grant the required access to /proc) apparently weren't resolved yet. So I reverted that logic, and the bug is back.
The relevant commit from git:

commit 793391d31ecd700a0913773c70591824c8e7d519
Author: Dima Kogan <dko...@debian.org>
Date:   Fri May 24 21:18:18 2024 -0700

    Reverted the use-group-to-access-scap-device patches

    These patches:

      5682cde Dima Kogan    2024-05-24 Added missing Depends:adduser
      ea3ef71 Dima Kogan    2024-05-17 Tiny fixes to the use-group-to-access-scap-device
      b43bda3 Gerald Combs  2024-05-16 Add a udev rule and module config for falcosecurity-scap-dkms

    Reopens this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745706

    I did some testing earlier to confirm that this bug was actually fixed, and
    it seemed like it was. But apparently I didn't look thoroughly enough, and
    this bug is still problematic. So I'm reverting the patches that effected
    this insufficient fix.

Gerald Combs said:

> Hi Dima,
>
> I haven't had a chance to try out the new package, but I did ask around
> about the required capture permissions internally at Sysdig. It's possible
> to capture without root using the eBPF driver:
>
> https://falco.org/docs/install-operate/running/#least-privileged
>
> However, the kmod driver requires root in order to scan through /proc for
> process information other than your own. This matches my tests here; I see
> many more syscalls when I capture as root vs when I capture as an
> unprivileged user with read+write access to /dev/scap*.
>
> I'm going to update Logray's local Debian packaging to make falcodump
> setuid and accessible by the "scap" group:
>
> https://gitlab.com/wireshark/wireshark/-/merge_requests/15673
>
> Hopefully at some point we can change that to a set of capabilities.
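A quick way to see the gap Gerald describes for yourself: the "scap" group gives an unprivileged user read/write on the device node, but the kernel still gates /proc/<pid>/fd (and cwd, exe, root) on ptrace access, so only the user's own processes can be scanned. The script below is an added example written for this thread, not code from the Debian packaging, falcosecurity-libs or Logray. It counts how many /proc task directories the current user can actually list open descriptors for, and separately reports whether a device glob (default /dev/scap*, an assumption about the node name) exists and is readable and writable. Run it once as root and once as a member of "scap" and compare the third number.

```shell
#!/bin/sh
# Added example for the falcosecurity-libs/Logray permission discussion.
# Not from the Debian packaging or the falco project.

# proc_scan_stats: prints "<total> <own> <fd_readable>"
#   total       - /proc/<pid> directories visible to us
#   own         - those whose owner uid is our uid (dumpable, same-uid tasks)
#   fd_readable - those whose fd/ directory we can list, i.e. the tasks a
#                 userspace /proc scan could fully inventory. /proc/<pid>/fd,
#                 cwd, exe and root are ptrace-gated; status and cmdline are
#                 world-readable and are not what limits an unprivileged scan.
proc_scan_stats() {
    total=0; own=0; fdok=0
    me=$(id -u)
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        # A task may exit between the glob and the stat; skip it if so.
        uid=$(stat -c %u "$d" 2>/dev/null) || continue
        total=$((total + 1))
        [ "$uid" = "$me" ] && own=$((own + 1))
        # Listing fd/ is what a kmod-style /proc scan needs for every task.
        if ls "$d/fd" >/dev/null 2>&1; then
            fdok=$((fdok + 1))
        fi
    done
    echo "$total $own $fdok"
}

# scap_device_access: prints "<found> <rw>" for a device glob.
#   found - matching nodes that exist
#   rw    - those we can both read and write (what the udev/group rule gives)
# The default glob /dev/scap* is an assumption about the driver's node name.
scap_device_access() {
    glob=${1:-/dev/scap*}
    found=0; rw=0
    for dev in $glob; do
        [ -e "$dev" ] || continue
        found=$((found + 1))
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            rw=$((rw + 1))
        fi
    done
    echo "$found $rw"
}
```

Typical output as an unprivileged "scap" member is something like "312 9 9" from proc_scan_stats and "1 1" from scap_device_access: the device is fully accessible, yet only your own handful of processes can be inventoried, which is exactly why a group on the device node is not enough and why the packaging fell back to setuid for falcodump. As root, the third number equals the first.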