refa: remove cap_dac_override

Dockerfile

@@ -20,7 +20,7 @@ COPY . .
 
 
 RUN --mount=type=cache,target="/root/.cache/go-build" GOCACHE=/root/.cache/go-build GOOS=$TARGETOS GOARCH=$TARGETARCH goreleaser build --snapshot="${BUILD_SNAPSHOT}" --single-target -o extension \
-    && setcap "cap_setuid,cap_sys_chroot,cap_setgid,cap_sys_admin,cap_dac_override+eip" ./extension
+    && setcap "cap_setuid,cap_sys_chroot,cap_setgid,cap_sys_admin+eip" ./extension
 ##
 ## Runtime
 ##

README.md

@@ -38,7 +38,6 @@ The capabilities needed by this extension are: (which are provided by the helm c
 - SYS_PTRACE
 - NET_ADMIN
 - NET_BIND_SERVICE
-- DAC_OVERRIDE
 - SETUID
 - SETGID
 - KILL
@@ -122,7 +121,7 @@ runtime socket.
 Resource attacks starting stress-ng processes, the network attacks are starting ip or tc processes as runc container
 reusing the target container's linux namespace(s), control group(s) and user.
 This requires the following capabilities: CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE
-CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID, CAP_AUDIT_WRITE, CAP_KILL.
+CAP_SETUID, CAP_SETGID, CAP_AUDIT_WRITE, CAP_KILL.
 The CAP_SYS_RESOURCE is optional. We'd recommend it to be used otherwise the resource attacks are more likely to be
 oomkilled by the kernel and are failing to carry out the attack.
 The needed binaries are included in the extension container image.

charts/steadybit-extension-container/tests/__snapshot__/daemonset_test.yaml.snap

@@ -84,7 +84,6 @@ manifest should match snapshot using containerd and using resource limits:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -214,7 +213,6 @@ manifest should match snapshot using crio using podAnnotations and Labels:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -342,7 +340,6 @@ manifest should match snapshot using docker:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -474,7 +471,6 @@ manifest should match snapshot with TLS:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -610,7 +606,6 @@ manifest should match snapshot with appArmorProfile for k8s >= 1.30:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -738,7 +733,6 @@ manifest should match snapshot with different containerPorts:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -868,7 +862,6 @@ manifest should match snapshot with discover all deployments:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1003,7 +996,6 @@ manifest should match snapshot with extra env vars:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1133,7 +1125,6 @@ manifest should match snapshot with extra labels:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1267,7 +1258,6 @@ manifest should match snapshot with mutual TLS:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1415,7 +1405,6 @@ manifest should match snapshot with mutual TLS using containerPaths:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1543,7 +1532,6 @@ manifest should match snapshot with podSecurityContext:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1672,7 +1660,6 @@ manifest should match snapshot with priority class:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE
@@ -1801,7 +1788,6 @@ manifest should match snapshot with update strategy:
                     - SYS_CHROOT
                     - SYS_PTRACE
                     - NET_ADMIN
-                    - DAC_OVERRIDE
                     - SETUID
                     - SETGID
                     - AUDIT_WRITE

charts/steadybit-extension-container/tests/__snapshot__/scc_test.yaml.snap

@@ -39,7 +39,6 @@ forced rendering on kubernetes:
       - SYS_CHROOT
       - SYS_PTRACE
       - NET_ADMIN
-      - DAC_OVERRIDE
       - SETUID
       - SETGID
       - AUDIT_WRITE
@@ -96,7 +95,6 @@ rendering by default on openshift:
       - SYS_CHROOT
       - SYS_PTRACE
       - NET_ADMIN
-      - DAC_OVERRIDE
       - SETUID
       - SETGID
       - AUDIT_WRITE

charts/steadybit-extension-container/values.yaml

@@ -140,7 +140,6 @@ containerSecurityContext:
       - SYS_CHROOT
       - SYS_PTRACE
       - NET_ADMIN
-      - DAC_OVERRIDE
       - SETUID
       - SETGID
       - AUDIT_WRITE

linuxpkg/init.d/steadybit-extension-container

@@ -15,7 +15,7 @@
 
 SCRIPT=/opt/steadybit/extension-container/extension-container
 RUNAS=steadybit
-CAPS="CAP_SYS_ADMIN,CAP_SYS_CHROOT,CAP_SYS_RESOURCE,CAP_SYS_PTRACE,CAP_NET_ADMIN,CAP_DAC_OVERRIDE,CAP_SETUID,CAP_SETGID,CAP_AUDIT_WRITE"
+CAPS="CAP_SYS_ADMIN,CAP_SYS_CHROOT,CAP_SYS_RESOURCE,CAP_SYS_PTRACE,CAP_NET_ADMIN,CAP_SETUID,CAP_SETGID,CAP_AUDIT_WRITE"
 
 PIDFILE=/var/run/steadybit-extension-container.pid
 LOGFILE=/var/log/steadybit-extension-container.log

linuxpkg/systemd/steadybit-extension-container.service

@@ -13,7 +13,7 @@ Restart=on-failure
 RestartSec=5s
 StandardOutput=append:/var/log/steadybit-extension-container.log
 StandardError=append:/var/log/steadybit-extension-container.log
-AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_SYS_PTRACE CAP_KILL CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_SYS_PTRACE CAP_KILL CAP_NET_ADMIN CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE
 
 [Install]
 WantedBy=multi-user.target