refa: remove cap_sys_chroot

Dockerfile

@@ -20,7 +20,7 @@ COPY . .
 
 
 RUN --mount=type=cache,target="/root/.cache/go-build" GOCACHE=/root/.cache/go-build GOOS=$TARGETOS GOARCH=$TARGETARCH goreleaser build --snapshot="${BUILD_SNAPSHOT}" --single-target -o extension \
-    && setcap "cap_setuid,cap_sys_chroot,cap_setgid,cap_sys_admin,cap_dac_override+eip" ./extension
+    && setcap "cap_setuid,cap_setgid,cap_sys_admin,cap_dac_override+eip" ./extension
 ##
 ## Runtime
 ##

README.md

@@ -34,7 +34,6 @@ When installed as linux package this configuration is in`/etc/steadybit/extensio
 The capabilities needed by this extension are: (which are provided by the helm chart)
 
 - SYS_ADMIN
-- SYS_CHROOT
 - SYS_PTRACE
 - NET_ADMIN
 - NET_BIND_SERVICE
@@ -121,7 +120,7 @@ runtime socket.
 
 Resource attacks starting stress-ng processes, the network attacks are starting ip or tc processes as runc container
 reusing the target container's linux namespace(s), control group(s) and user.
-This requires the following capabilities: CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE
+This requires the following capabilities: CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE
 CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID, CAP_AUDIT_WRITE, CAP_KILL.
 The CAP_SYS_RESOURCE is optional. We'd recommend it to be used otherwise the resource attacks are more likely to be
 oomkilled by the kernel and are failing to carry out the attack.

charts/steadybit-extension-container/tests/__snapshot__/daemonset_test.yaml.snap

@@ -81,7 +81,6 @@ manifest should match snapshot using containerd and using resource limits:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -211,7 +210,6 @@ manifest should match snapshot using crio using podAnnotations and Labels:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -339,7 +337,6 @@ manifest should match snapshot using docker:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -471,7 +468,6 @@ manifest should match snapshot with TLS:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -607,7 +603,6 @@ manifest should match snapshot with appArmorProfile for k8s >= 1.30:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -735,7 +730,6 @@ manifest should match snapshot with different containerPorts:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -865,7 +859,6 @@ manifest should match snapshot with discover all deployments:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1000,7 +993,6 @@ manifest should match snapshot with extra env vars:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1130,7 +1122,6 @@ manifest should match snapshot with extra labels:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1264,7 +1255,6 @@ manifest should match snapshot with mutual TLS:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1412,7 +1402,6 @@ manifest should match snapshot with mutual TLS using containerPaths:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1540,7 +1529,6 @@ manifest should match snapshot with podSecurityContext:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1669,7 +1657,6 @@ manifest should match snapshot with priority class:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE
@@ -1798,7 +1785,6 @@ manifest should match snapshot with update strategy:
                     - NET_BIND_SERVICE
                     - KILL
                     - SYS_ADMIN
-                    - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
                     - DAC_OVERRIDE

charts/steadybit-extension-container/tests/__snapshot__/scc_test.yaml.snap

@@ -36,7 +36,6 @@ forced rendering on kubernetes:
       - NET_BIND_SERVICE
       - KILL
       - SYS_ADMIN
-      - SYS_CHROOT
       - SYS_PTRACE
       - NET_ADMIN
       - DAC_OVERRIDE
@@ -93,7 +92,6 @@ rendering by default on openshift:
       - NET_BIND_SERVICE
       - KILL
       - SYS_ADMIN
-      - SYS_CHROOT
       - SYS_PTRACE
       - NET_ADMIN
       - DAC_OVERRIDE

charts/steadybit-extension-container/values.yaml

@@ -137,7 +137,6 @@ containerSecurityContext:
       - NET_BIND_SERVICE
       - KILL
       - SYS_ADMIN
-      - SYS_CHROOT
       - SYS_PTRACE
       - NET_ADMIN
       - DAC_OVERRIDE

linuxpkg/init.d/steadybit-extension-container

@@ -15,7 +15,7 @@
 
 SCRIPT=/opt/steadybit/extension-container/extension-container
 RUNAS=steadybit
-CAPS="CAP_SYS_ADMIN,CAP_SYS_CHROOT,CAP_SYS_RESOURCE,CAP_SYS_PTRACE,CAP_NET_ADMIN,CAP_DAC_OVERRIDE,CAP_SETUID,CAP_SETGID,CAP_AUDIT_WRITE"
+CAPS="CAP_SYS_ADMIN,CAP_SYS_RESOURCE,CAP_SYS_PTRACE,CAP_NET_ADMIN,CAP_DAC_OVERRIDE,CAP_SETUID,CAP_SETGID,CAP_AUDIT_WRITE"
 
 PIDFILE=/var/run/steadybit-extension-container.pid
 LOGFILE=/var/log/steadybit-extension-container.log

linuxpkg/systemd/steadybit-extension-container.service

@@ -13,7 +13,7 @@ Restart=on-failure
 RestartSec=5s
 StandardOutput=append:/var/log/steadybit-extension-container.log
 StandardError=append:/var/log/steadybit-extension-container.log
-AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_SYS_PTRACE CAP_KILL CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYS_PTRACE CAP_KILL CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE
 
 [Install]
 WantedBy=multi-user.target