
Podman team is interested in this tool or something similar. #1

@rhatdan

Description


We would like to add this functionality similar to oci-seccomp-bpf-hook and allow users to gather this information about capabilities as well as syscalls.

We kind of like the idea of learning mode, where the container can run in production mode for a few months gathering all of the capabilities. Once users are happy with the container, then they can switch it to enforcing mode, and only allow the previously gathered capabilities (or syscalls). Now I would want to keep the scanner going to watch for failed capabilities.

I even think this would be a good debugging code to allow users to figure out why a container is getting permission denied.

Currently seccomp and SELinux at least print messages in the audit.log when something is denied; there is no such mechanism for capabilities.

Where is the output of this tool written, can you run it in permissive mode?
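As an added illustration of the learning-to-enforcing workflow described in the issue (example code written for this page, not part of the issue, of podman, or of the tool under discussion): the script below consumes capability-check records, collects the set a workload actually used, turns that set into a `--cap-drop=all` plus `--cap-add` podman argument list, and in "enforcing" mode reports any capability the workload checks that is outside the allow-list. The input format is modelled on the column layout printed by the bcc `capable` tool (TIME, UID, PID, COMM, CAP, NAME, AUDIT); the sample lines are constructed, not a real capture, and filtering by process name is an assumption standing in for the container-scoped tracing a real OCI hook would do. The AUDIT column handling follows bcc's default of hiding non-audit checks.

```python
import re
from collections import Counter

# Constructed sample in the column layout of bcc's "capable" tool.
# Not real capture data; the comm/PID values are invented.
SAMPLE_LOG = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
10:02:11  0      4211   nginx            12   CAP_NET_ADMIN        1
10:02:11  0      4211   nginx            10   CAP_NET_BIND_SERVICE 1
10:02:12  0      4211   nginx            8    CAP_SETPCAP          0
10:02:13  0      4215   nginx            10   CAP_NET_BIND_SERVICE 1
10:02:14  1000   9001   sshd             21   CAP_SYS_ADMIN        1
"""

# One record per line; the header row does not match because UID is not numeric.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+"
    r"(?P<cap>\d+)\s+(?P<name>CAP_\w+)\s+(?P<audit>[01])\s*$"
)


def parse_capable_log(text, comms, audited_only=True):
    """Learning mode: count the capabilities checked by processes whose comm
    is in `comms`. Rows with AUDIT=0 are kernel checks made without auditing;
    bcc hides them by default, and they are skipped here unless requested."""
    seen = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["comm"] not in comms:
            continue
        if audited_only and m["audit"] == "0":
            continue
        seen[m["name"]] += 1
    return seen


def podman_cap_args(caps):
    """Enforcing mode: drop everything, then re-add only what was observed.
    Sorted so the generated command line is stable across runs."""
    return ["--cap-drop=all"] + [f"--cap-add={name}" for name in sorted(caps)]


def unexpected_caps(text, comms, allowed):
    """Keep the scanner running under enforcement: report capabilities the
    workload checks that the allow-list built in learning mode does not cover.
    Since capability denials produce no audit record, this is the only signal."""
    seen = parse_capable_log(text, comms)
    return sorted(name for name in seen if name not in allowed)


if __name__ == "__main__":
    learned = parse_capable_log(SAMPLE_LOG, {"nginx"})
    print("learned:", dict(learned))
    print("podman args:", " ".join(podman_cap_args(learned)))
    print("outside allow-list:",
          unexpected_caps(SAMPLE_LOG, {"nginx"}, {"CAP_NET_BIND_SERVICE"}))
```

The counts from the learning phase are worth keeping alongside the names: a capability seen once in months of traffic deserves a second look before it is baked into the allow-list, and the enforcing-mode watcher is what replaces the audit.log entry that seccomp and SELinux provide but capabilities do not.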
