stackrox · robbycochran · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
@@ -34,6 +34,7 @@ extern "C" {
 #include "CollectorVersion.h"
 #include "Control.h"
 #include "Diagnostics.h"
+#include "DropCapabilities.h"
 #include "EventNames.h"
 #include "FileSystem.h"
 #include "GRPC.h"
@@ -134,6 +135,21 @@ void RunService(CollectorConfig& config) {
 
   startup_diagnostics.Log();
 
+  // Drop capabilities no longer needed after BPF initialization.
+  // The main thread keeps BPF + PERFMON (runtime map lookups, potential
+  // capture restart) and SYS_PTRACE (/proc reads). Individual worker
+  // threads drop further in their own entry points.
+  auto kv = HostInfo::Instance().GetKernelVersion();
+  bool has_discrete_bpf = (kv.kernel > 5) || (kv.kernel == 5 && kv.major >= 8);
+
+  if (has_discrete_bpf) {
+    DropCapabilities({CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}, true);
+    CLOG(INFO) << "Dropped capabilities, keeping CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE";
+  } else {
+    DropCapabilities({CAP_SYS_ADMIN, CAP_SYS_PTRACE}, true);
+    CLOG(INFO) << "Kernel " << kv.release << " lacks discrete CAP_BPF, keeping CAP_SYS_ADMIN, CAP_SYS_PTRACE";
+  }
+
   collector.RunForever();
 }
 

@@ -5,6 +5,7 @@
 #include <math.h>
 
 #include "Containers.h"
+#include "DropCapabilities.h"
 #include "EventNames.h"
 #include "Logging.h"
 #include "Utility.h"
@@ -46,6 +47,8 @@ class CollectorTimerGauge {
 };
 
 void CollectorStatsExporter::run() {
+  collector::DropCapabilities({CAP_BPF});
+
   auto& collectorEventCounters = prometheus::BuildGauge()
                                      .Name("rox_collector_events")
                                      .Help("Collector events")

@@ -6,6 +6,7 @@
 
 #include "internalapi/sensor/collector.pb.h"
 
+#include "DropCapabilities.h"
 #include "EnvVar.h"
 #include "Logging.h"
 
@@ -527,6 +528,7 @@ sensor::CollectorConfig ConfigLoader::NewRuntimeConfig() {
 }
 
 void ConfigLoader::WatchFile() {
+  DropCapabilities({});
   const auto& file = parser_.GetFile();
 
   if (!inotify_.IsValid()) {

@@ -0,0 +1,35 @@
+#ifndef _DROP_CAPABILITIES_H_
+#define _DROP_CAPABILITIES_H_
+
+#include <initializer_list>
+
+extern "C" {
+#include <cap-ng.h>
+}
+
+#include "Logging.h"
+
+namespace collector {
+
+// Drop all Linux capabilities except those specified.
+// If clear_bounding is true, also clears the bounding set (requires
+// CAP_SETPCAP — use only on the first drop before other caps are lost).
+// Logs the result but does not abort on failure.
+inline void DropCapabilities(std::initializer_list<unsigned int> keep,
+                             bool clear_bounding = false) {
+  auto scope = clear_bounding ? CAPNG_SELECT_ALL : CAPNG_SELECT_CAPS;
+  capng_clear(scope);
+
+  auto caps = static_cast<capng_type_t>(CAPNG_EFFECTIVE | CAPNG_PERMITTED);
+  for (auto cap : keep) {
+    capng_update(CAPNG_ADD, caps, cap);
+  }
+
+  if (capng_apply(scope) != 0) {
+    CLOG(WARNING) << "Failed to drop capabilities";
+  }
+}
+
+}  // namespace collector
+
+#endif  // _DROP_CAPABILITIES_H_
@@ -3,6 +3,7 @@
 #include <google/protobuf/util/time_util.h>
 
 #include "CollectorStats.h"
+#include "DropCapabilities.h"
 #include "DuplexGRPC.h"
 #include "GRPCUtil.h"
 #include "Logging.h"
@@ -110,6 +111,7 @@ void NetworkStatusNotifier::ReceiveIPNetworks(const sensor::IPNetworkList& netwo
 }
 
 void NetworkStatusNotifier::Run() {
+  DropCapabilities({CAP_SYS_PTRACE});
   Profiler::RegisterCPUThread();
   auto next_attempt = std::chrono::system_clock::now();
 

@@ -2,6 +2,7 @@
 
 #include <fstream>
 
+#include "DropCapabilities.h"
 #include "GRPCUtil.h"
 #include "Logging.h"
 #include "ProtoUtil.h"
@@ -43,6 +44,7 @@ bool SignalServiceClient::EstablishGRPCStreamSingle() {
 }
 
 void SignalServiceClient::EstablishGRPCStream() {
+  DropCapabilities({});
   while (EstablishGRPCStreamSingle());
   CLOG(INFO) << "Signal service client terminating.";
 }