# Falco least privileged notes
## Capabilities
To use the eBPF driver, Falco needs to issue the `bpf` syscall to load eBPF programs and create maps, and to open per-CPU ring buffers through the `perf` subsystem. Before kernel 5.8, the right to perform both operations was bundled into the `CAP_SYS_ADMIN` capability. To split BPF and perf functionality out of the overloaded `CAP_SYS_ADMIN`, the following two capabilities were introduced in kernel 5.8:
- `CAP_BPF`
- `CAP_PERFMON`
Other capabilities that may be needed, depending on the kernel version, are:
- `CAP_SYS_RESOURCE`: Falco needs this to call the `setrlimit` syscall with the `RLIMIT_MEMLOCK` resource. This limit caps the amount of memory a process can mlock into RAM (memory that cannot be swapped out). On kernels older than 5.11, eBPF charges maps and other objects against locked memory, and the default limit is so low that even a trivial eBPF program fails to load. The workaround is to raise the limit to an acceptable value so that maps and the other eBPF objects can be locked in memory. Since kernel 5.11, memory for eBPF programs and maps is accounted through memory cgroups, so the limit no longer needs to be changed and this capability is no longer needed. See this [blog post](https://facebookmicrosites.github.io/bpf/blog/2020/02/20/bcc-to-libbpf-howto-guide.html#locked-memory-limits) and the kernel [patch](https://lore.kernel.org/bpf/20201201215900.3569844-1-guro@fb.com/t/#u) for details.
- `CAP_SYS_PTRACE`: Falco needs this capability because it reads fields such as `environ` from the proc file system when it builds its "state of the world" at initialization. The `/proc/<pid>/environ` pseudo-file operations fetch the memory descriptor of the target process to access its memory and read its environment variables; from user space, permission to do so maps to the `CAP_SYS_PTRACE` capability. For the curious reader, see the [environ_open](https://elixir.bootlin.com/linux/latest/source/fs/proc/base.c#L937) and [environ_read](https://elixir.bootlin.com/linux/latest/source/fs/proc/base.c#L942) implementations in the kernel.
Ultimately, `CAP_BPF`, `CAP_PERFMON`, `CAP_SYS_RESOURCE` and `CAP_SYS_PTRACE` should be the minimum set of capabilities Falco needs, but depending on the version of the container runtime in use, `CAP_BPF` may not be recognized. In that case `CAP_SYS_ADMIN` is unfortunately required instead.
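As an added example (not part of the Falco project's own tooling), the following POSIX shell functions turn the rules above into a concrete capability set and matching `docker run` flags, starting from `--cap-drop=ALL`. The kernel release string and the yes/no "runtime recognizes `CAP_BPF`" flag are caller-supplied inputs, the function names are my own, and the fallback assumes `CAP_SYS_ADMIN` stands in for both `CAP_BPF` and `CAP_PERFMON`, since the kernel's bpf and perf permission checks both accept `CAP_SYS_ADMIN`.

```shell
#!/bin/sh
# Added example: derive Falco's minimal capability set from the kernel version.

# kernel_ge RELEASE MAJOR.MINOR -> true if RELEASE (e.g. "5.10.0-20-amd64")
# is at least MAJOR.MINOR; only the major and minor numbers are compared.
kernel_ge() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%[!0-9]*}
    tmaj=${2%%.*}; tmin=${2#*.}
    [ "$maj" -gt "$tmaj" ] || { [ "$maj" -eq "$tmaj" ] && [ "$min" -ge "$tmin" ]; }
}

# falco_caps RELEASE yes|no -> space-separated capability list.
# Second argument: does the container runtime recognize CAP_BPF?
falco_caps() {
    kernel=$1; runtime_knows_bpf=${2:-yes}
    caps="CAP_SYS_PTRACE"                  # always: reads /proc/<pid>/environ at startup
    if kernel_ge "$kernel" 5.8 && [ "$runtime_knows_bpf" = yes ]; then
        caps="$caps CAP_BPF CAP_PERFMON"   # split out of CAP_SYS_ADMIN in kernel 5.8
    else
        # Older kernel, or the runtime cannot grant CAP_BPF: fall back to
        # CAP_SYS_ADMIN, which the kernel accepts for both bpf and perf checks.
        caps="$caps CAP_SYS_ADMIN"
    fi
    if ! kernel_ge "$kernel" 5.11; then
        # Pre-5.11: eBPF objects are charged to RLIMIT_MEMLOCK, so Falco must
        # be able to raise that limit via setrlimit.
        caps="$caps CAP_SYS_RESOURCE"
    fi
    echo "$caps"
}

# docker_cap_flags RELEASE yes|no -> "--cap-drop=ALL --cap-add=... ..." for docker run.
docker_cap_flags() {
    flags="--cap-drop=ALL"
    for c in $(falco_caps "$1" "$2"); do
        flags="$flags --cap-add=$c"
    done
    echo "$flags"
}

# Flags for the host this script runs on, assuming the runtime knows CAP_BPF.
docker_cap_flags "$(uname -r)" yes
```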