Implement capability dropping and document needed capabilities

[bobrik]

No description provided.

[bobrik]

See: aquasecurity/libbpfgo#337

[bobrik]

With socket activation and the following hardened service config I was able to make timers work:

[Unit]
Requires=ebpf_exporter.socket

[Service]
ExecStart=/ebpf_exporter --config.dir=/examples --config.names=timers --web.listen-address=fd://0 --capabilities.keep=cap_syslog
RootDirectory=/opt/ebpf_exporter
RestrictAddressFamilies=yes
RestrictNamespaces=yes
DynamicUser=true
# This might be needed to prevent Go from using setrlimit:
# * https://github.com/golang/go/blob/go1.20.6/src/syscall/rlimit.go#L18-L40
LimitNOFILE=1024
PrivateDevices=yes
PrivateNetwork=yes
# Breaks capabilities
# PrivateUsers=yes
ProtectClock=yes
# Needed to resolve symbols (removes CAP_SYSLOG)
# ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectHostname=yes
# Needed to resolve symbols
# ProtectKernelTunables=yes
ProtectHome=yes
ProtectProc=noaccess
# Needed to resolve symbols
# ProcSubset=pid
# Needed to resolve symbols
# ProcSubset=pid
SystemCallArchitectures=native
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
UMask=0077
IPAddressDeny=any
# SystemCallFilter are probably useless, but they keep systemd-analyze happy
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
# @debug includes perf_event_open, which is needed for kprobes and uprobes:
# * https://github.com/libbpf/libbpf/blob/v1.2.0/src/libbpf.c#L10047
# SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@resources
SystemCallFilter=~@swap
# Needed for bpf()
# SystemCallFilter=~@privileged
AmbientCapabilities=CAP_BPF CAP_PERFMON CAP_SYSLOG
CapabilityBoundingSet=CAP_BPF CAP_PERFMON CAP_SYSLOG

It keeps systemd-analyze security pretty happy:

$ sudo systemd-analyze security ebpf_exporter.service | grep -v ✓
  NAME                                                        DESCRIPTION                                                                                         EXPOSURE
✗ SystemCallFilter=~@privileged                               System call deny list defined for service, and @privileged is not included (e.g. fchown is allowed)      0.2
✗ AmbientCapabilities=                                        Service process receives ambient capabilities                                                            0.1
✗ ProtectKernelLogs=                                          Service may read from or write to the kernel log ring buffer                                             0.2
✗ ProtectKernelTunables=                                      Service may alter kernel tunables                                                                        0.2
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ CapabilityBoundingSet=~CAP_SYSLOG                           Service has access to kernel logging                                                                     0.1
✗ DeviceAllow=                                                Service has a device ACL with some special devices: char-rtc:r                                           0.1
✗ ProtectProc=                                                                                                                                                         0.1

→ Overall exposure level for ebpf_exporter.service: 1.0 OK 🙂