From 5b3db10409f7735596218d9ed9bfd8f00a7b9578 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Thu, 21 Nov 2024 17:15:19 +0100
Subject: [PATCH 1/3] chore(decl/caps): add capabilities manipulation package

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 go.mod                       |   2 +
 go.sum                       |   4 ++
 pkg/capability/capability.go | 109 +++++++++++++++++++++++++++++++++++
 pkg/capability/doc.go        |  17 ++++++
 4 files changed, 132 insertions(+)
 create mode 100644 pkg/capability/capability.go
 create mode 100644 pkg/capability/doc.go

diff --git a/go.mod b/go.mod
index 56ecca40..c950549f 100644
--- a/go.mod
+++ b/go.mod
@@ -29,6 +29,7 @@ require (
 	k8s.io/cli-runtime v0.31.1
 	k8s.io/client-go v0.31.1
 	k8s.io/kubectl v0.31.1
+	kernel.org/pub/linux/libs/security/libcap/cap v1.2.72
 )
 
 // avoid indirect dependency mergo error:
@@ -122,6 +123,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 // indirect
 	k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.72 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.17.3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.17.2 // indirect
diff --git a/go.sum b/go.sum
index 58f7d160..d2ceceae 100644
--- a/go.sum
+++ b/go.sum
@@ -416,6 +416,10 @@ k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24=
 k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM=
 k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3 h1:b2FmK8YH+QEwq/Sy2uAEhmqL5nPfGYbJOcaqjeYYZoA=
 k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.72 h1:SqLZbTqwcNxctcdM5yb6OcO3lFJNtRgDJoFeca+5hP0=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.72/go.mod h1:DqOj+O+b5nV0YW49IVU6WlhVw0oHpC1LmerDRHvcbjE=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.72 h1:Lnu8woGlvNdwCbBa5urxGO+L5gp647lIZMg0vP+upuU=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.72/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kustomize/api v0.17.3 h1:6GCuHSsxq7fN5yhF2XrC+AAr8gxQwhexgHflOAD/JJU=
diff --git a/pkg/capability/capability.go b/pkg/capability/capability.go
new file mode 100644
index 00000000..5b652c5c
--- /dev/null
+++ b/pkg/capability/capability.go
@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package capability
+
+import (
+	"fmt"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+	"kernel.org/pub/linux/libs/security/libcap/cap"
+)
+
+// Parse the provided capabilities string and returns the parsed capability state. The provided capabilities must be
+// encoded using the syntax specified in cap_from_text(3).
+func Parse(capabilities string) (*cap.Set, error) {
+	return cap.FromText(capabilities)
+}
+
+// RunWithSecBitNoRootEnabled runs the provided function with the thread secure bit SECBIT_NOROOT enabled.
+func RunWithSecBitNoRootEnabled(f func() error) (err error) {
+	runtime.LockOSThread()
+	secureBits, err := unix.PrctlRetInt(unix.PR_GET_SECUREBITS, 0, 0, 0, 0)
+	if err != nil {
+		return fmt.Errorf("error retrieving thread secure bits: %w", err)
+	}
+
+	secureBitsPlusSecBitNoRoot := secureBits | int(cap.SecbitNoRoot)
+	if secureBits == secureBitsPlusSecBitNoRoot {
+		return runFuncAndWrapErr(f)
+	}
+
+	if err := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBitsPlusSecBitNoRoot), 0, 0, 0); err != nil {
+		return fmt.Errorf("error setting thread secure bits: %w", err)
+	}
+	defer func() {
+		if e := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBits), 0, 0, 0); e != nil {
+			e = fmt.Errorf("error restoring secure bits: %w", err)
+			if err != nil {
+				err = fmt.Errorf("%w; %w", err, e)
+			} else {
+				err = e
+			}
+		}
+	}()
+
+	return runFuncAndWrapErr(f)
+}
+
+// RunWithSecBitNoRootDisabled runs the provided function with the thread secure bit SECBIT_NOROOT disable.
+func RunWithSecBitNoRootDisabled(f func() error) (err error) {
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+	secureBits, err := unix.PrctlRetInt(unix.PR_GET_SECUREBITS, 0, 0, 0, 0)
+	if err != nil {
+		return fmt.Errorf("error retrieving thread secure bits: %w", err)
+	}
+
+	secureBitsMinusSecBitNoRoot := secureBits & ^int(cap.SecbitNoRoot)
+	if secureBits == secureBitsMinusSecBitNoRoot {
+		return runFuncAndWrapErr(f)
+	}
+
+	if err := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBitsMinusSecBitNoRoot), 0, 0, 0); err != nil {
+		return fmt.Errorf("error setting thread secure bits: %w", err)
+	}
+	defer func() {
+		if e := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBits), 0, 0, 0); e != nil {
+			e = fmt.Errorf("error restoring secure bits: %w", err)
+			if err != nil {
+				err = fmt.Errorf("%w; %w", err, e)
+			} else {
+				err = e
+			}
+		}
+	}()
+
+	return runFuncAndWrapErr(f)
+}
+
+// runFuncAndWrapErr runs the provided function and wraps the returned error with FuncError.
+func runFuncAndWrapErr(f func() error) error {
+	if err := f(); err != nil {
+		return &FuncError{err: err}
+	}
+	return nil
+}
+
+// FuncError wraps the error produced by the execution of the function provided to RunWithSecBitNoRootEnabled and
+// RunWithSecBitNoRootDisabled.
+type FuncError struct {
+	err error
+}
+
+func (e *FuncError) Error() string {
+	return e.err.Error()
+}
diff --git a/pkg/capability/doc.go b/pkg/capability/doc.go
new file mode 100644
index 00000000..249f6d07
--- /dev/null
+++ b/pkg/capability/doc.go
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package capability provides utilities for capabilities manipulation.
+package capability

From 955486ad7e0067707a06e9e67510c79e9315affd Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Thu, 21 Nov 2024 17:27:18 +0100
Subject: [PATCH 2/3] feat(decl/loader): add user and capabilities fields YAML
 definition

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/test/loader/loader.go | 52 +++++++++++++++++++++++++++++----------
 1 file changed, 39 insertions(+), 13 deletions(-)

diff --git a/pkg/test/loader/loader.go b/pkg/test/loader/loader.go
index c3d9fd98..1fb924bc 100644
--- a/pkg/test/loader/loader.go
+++ b/pkg/test/loader/loader.go
@@ -74,25 +74,16 @@ func (c *Description) validate() error {
 
 	for testIndex := range c.Tests {
 		test := &c.Tests[testIndex]
-		if err := validateNameUniqueness(test); err != nil {
+		if err := test.validateNameUniqueness(); err != nil {
 			return fmt.Errorf("error validating name uniqueness in test %q (index: %d): %w", test.Name,
 				testIndex, err)
 		}
-	}
-
-	return nil
-}
 
-// validateNameUniqueness validates that names used for test resources and steps are unique.
-func validateNameUniqueness(test *Test) error {
-	for resourceIndex, testResource := range test.Resources {
-		for stepIndex, testStep := range test.Steps {
-			if testStep.Name == testResource.Name {
-				return fmt.Errorf("test resource %d and test step %d have the same name %q", resourceIndex,
-					stepIndex, testResource.Name)
-			}
+		if err := test.validateContext(); err != nil {
+			return fmt.Errorf("error validating test context: %w", err)
 		}
 	}
+
 	return nil
 }
 
@@ -110,6 +101,35 @@ type Test struct {
 	ExpectedOutcome TestExpectedOutcome `yaml:"expectedOutcome"`
 }
 
+// validateNameUniqueness validates that names used for test resources and steps are unique.
+func (t *Test) validateNameUniqueness() error {
+	for resourceIndex, testResource := range t.Resources {
+		for stepIndex, testStep := range t.Steps {
+			if testStep.Name == testResource.Name {
+				return fmt.Errorf("test resource at index %d and test step at index %d have the same name %q",
+					resourceIndex, stepIndex, testResource.Name)
+			}
+		}
+	}
+	return nil
+}
+
+// validateContext validates that names used for test resources and steps are unique.
+func (t *Test) validateContext() error {
+	processes := t.Context.Processes
+	processesLen := len(processes)
+	if processesLen <= 1 {
+		return nil
+	}
+
+	for processIndex, process := range processes[:processesLen-1] {
+		if process.Capabilities != nil && *process.Capabilities != "" {
+			return fmt.Errorf("process at index %d specifies capabilities but is not the leaf process", processIndex)
+		}
+	}
+	return nil
+}
+
 // TestRunnerType is the type of test runner.
 type TestRunnerType string
 
@@ -163,6 +183,12 @@ type ProcessContext struct {
 	Name *string `yaml:"name,omitempty" validate:"omitempty,min=1"`
 	// Env is the set of environment variables that must be provided to the process (in addition to the default ones).
 	Env map[string]string `yaml:"env,omitempty" validate:"omitempty,min=1"`
+	// User is the name of the user that must run the process. If omitted, the current process user is used. If the user
+	// does not exist, it is created before running the test and deleted after test execution.
+	User *string `yaml:"user,omitempty" validate:"omitempty,min=1"`
+	// Capabilities are the capabilities of the process. The syntax follows the conventions specified by
+	// cap_from_text(3). If omitted or empty, it defaults to "all=iep".
+	Capabilities *string `yaml:"capabilities,omitempty" validate:"omitempty,min=1"`
 }
 
 // TestResource describes a test resource.

From 0d1d4891add03961479828ca37bb995e50a0dc2c Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Thu, 21 Nov 2024 17:45:45 +0100
Subject: [PATCH 3/3] feat(decl/proc-chain): add user and capabilities support

Add the capability to specify the user and the linux capabilities
a process in the process chain can be run with. Capabilities can
only be specified for the leaf process. Omitting capabilities is
equivalent to specify 'all=iep'. Each process in the chain runs
with real user/group ID equals to 0 (root). Specifying a user sets
the effective and the saved set-user/group-ID to the corresponding
user/group IDs. If a user specified in the chain doesn't exist, it
is created before running the test and deleted after test
execution. The securebit SECBBIT_NOROOT is enabled before creating
any child process: this is done in order to prevent the kernel from
ignoring the specified capabilities when the real user ID is zero
(see 'Capabilities and execution of programs by root' in
capabilities(7)). Users who wish to run the before and after script
or creating a 'process' test resource  must take into account to
provide at least CAP_SETPCAP in its permitted and effective set.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/capability/capability.go   |  47 +++---
 pkg/process/process.go         | 282 +++++++++++++++++++++++++++++----
 pkg/test/runner/host/host.go   |  25 ++-
 pkg/test/script/shell/shell.go |   9 +-
 4 files changed, 301 insertions(+), 62 deletions(-)

diff --git a/pkg/capability/capability.go b/pkg/capability/capability.go
index 5b652c5c..7f150686 100644
--- a/pkg/capability/capability.go
+++ b/pkg/capability/capability.go
@@ -16,6 +16,7 @@
 package capability
 
 import (
+	"errors"
 	"fmt"
 	"runtime"
 
@@ -30,7 +31,7 @@ func Parse(capabilities string) (*cap.Set, error) {
 }
 
 // RunWithSecBitNoRootEnabled runs the provided function with the thread secure bit SECBIT_NOROOT enabled.
-func RunWithSecBitNoRootEnabled(f func() error) (err error) {
+func RunWithSecBitNoRootEnabled(f func() error) error {
 	runtime.LockOSThread()
 	secureBits, err := unix.PrctlRetInt(unix.PR_GET_SECUREBITS, 0, 0, 0, 0)
 	if err != nil {
@@ -38,29 +39,11 @@ func RunWithSecBitNoRootEnabled(f func() error) (err error) {
 	}
 
 	secureBitsPlusSecBitNoRoot := secureBits | int(cap.SecbitNoRoot)
-	if secureBits == secureBitsPlusSecBitNoRoot {
-		return runFuncAndWrapErr(f)
-	}
-
-	if err := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBitsPlusSecBitNoRoot), 0, 0, 0); err != nil {
-		return fmt.Errorf("error setting thread secure bits: %w", err)
-	}
-	defer func() {
-		if e := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBits), 0, 0, 0); e != nil {
-			e = fmt.Errorf("error restoring secure bits: %w", err)
-			if err != nil {
-				err = fmt.Errorf("%w; %w", err, e)
-			} else {
-				err = e
-			}
-		}
-	}()
-
-	return runFuncAndWrapErr(f)
+	return runWithSecBits(f, secureBits, secureBitsPlusSecBitNoRoot)
 }
 
-// RunWithSecBitNoRootDisabled runs the provided function with the thread secure bit SECBIT_NOROOT disable.
-func RunWithSecBitNoRootDisabled(f func() error) (err error) {
+// RunWithSecBitNoRootDisabled runs the provided function with the thread secure bit SECBIT_NOROOT disabled.
+func RunWithSecBitNoRootDisabled(f func() error) error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
 	secureBits, err := unix.PrctlRetInt(unix.PR_GET_SECUREBITS, 0, 0, 0, 0)
@@ -69,16 +52,28 @@ func RunWithSecBitNoRootDisabled(f func() error) (err error) {
 	}
 
 	secureBitsMinusSecBitNoRoot := secureBits & ^int(cap.SecbitNoRoot)
-	if secureBits == secureBitsMinusSecBitNoRoot {
+	return runWithSecBits(f, secureBits, secureBitsMinusSecBitNoRoot)
+}
+
+// runWithSecBits runs the provided function with the new secure bits set, and restores the old secure bits set at the
+// end of its execution.
+func runWithSecBits(f func() error, oldSecBits, newSecBits int) (err error) {
+	if oldSecBits == newSecBits {
 		return runFuncAndWrapErr(f)
 	}
 
-	if err := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBitsMinusSecBitNoRoot), 0, 0, 0); err != nil {
+	if err := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(newSecBits), 0, 0, 0); err != nil {
+		if errors.Is(err, unix.EPERM) {
+			err = fmt.Errorf("%w (consider adding the CAP_SETPCAP capability)", err)
+		}
 		return fmt.Errorf("error setting thread secure bits: %w", err)
 	}
 	defer func() {
-		if e := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(secureBits), 0, 0, 0); e != nil {
-			e = fmt.Errorf("error restoring secure bits: %w", err)
+		if e := unix.Prctl(unix.PR_SET_SECUREBITS, uintptr(oldSecBits), 0, 0, 0); e != nil {
+			if errors.Is(e, unix.EPERM) {
+				e = fmt.Errorf("%w (consider adding the CAP_SETPCAP capability)", e)
+			}
+			e = fmt.Errorf("error restoring thread secure bits: %w", e)
 			if err != nil {
 				err = fmt.Errorf("%w; %w", err, e)
 			} else {
diff --git a/pkg/process/process.go b/pkg/process/process.go
index f03c933c..a74e1e37 100644
--- a/pkg/process/process.go
+++ b/pkg/process/process.go
@@ -19,14 +19,18 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"regexp"
+	"strconv"
 
 	"github.com/go-logr/logr"
 	"golang.org/x/sys/unix"
 
+	"github.com/falcosecurity/event-generator/pkg/capability"
 	"github.com/falcosecurity/event-generator/pkg/random"
 )
 
@@ -38,10 +42,18 @@ type Process struct {
 	// simExePath is the "simulated" executable path. This sets the executable path accessible through
 	// `readlink -f /proc/<pid/exepath` for the started process. If empty, it is randomly generated.
 	simExePath string
+	// username is the name of the user that must run the process. If empty, the current process user is used. If the
+	// specified user does not exist, it is created before running the test and deleted after test execution.
+	username string
+	// capabilities are the capabilities that must be set on the process executable file. The syntax follows the
+	// conventions specified by cap_from_text(3). Notice: an empty string defaults to 'all=iep'.
+	capabilities string
 	// cmd is the underlying command object.
 	cmd *exec.Cmd
 	// started is true if the process has been started; false otherwise.
 	started bool
+	// userCreated is true if the user has been created; false otherwise.
+	userCreated bool
 }
 
 // Description describes a process.
@@ -62,6 +74,12 @@ type Description struct {
 	Args string
 	// Env is the list of environment variables that must be provided to the process.
 	Env []string
+	// Username is the name of the user that must run the process. If empty, the current process user is used. If the
+	// specified user does not exist, it is created before running the test and deleted after test execution.
+	Username string
+	// Capabilities are the capabilities that must be set on the process executable file. The syntax follows the
+	// conventions specified by cap_from_text(3). Notice: an empty string defaults to 'all=iep'.
+	Capabilities string
 }
 
 var (
@@ -69,6 +87,8 @@ var (
 	defaultSimExePathPrefix = filepath.Join(os.TempDir(), "event-generator")
 )
 
+var allCaps = "all=iep"
+
 // New creates a new process.
 func New(ctx context.Context, procDesc *Description) *Process {
 	// If the user doesn't provide an executable path, we must generate a random path.
@@ -98,6 +118,14 @@ func New(ctx context.Context, procDesc *Description) *Process {
 		procArg0 = filepath.Base(exePath)
 	}
 
+	// If the user doesn't provide capabilities, we default them.
+	var capabilities string
+	if procDesc.Capabilities != "" {
+		capabilities = procDesc.Capabilities
+	} else {
+		capabilities = allCaps
+	}
+
 	// Evaluate process arguments.
 	procArgs := splitArgs(procDesc.Args)
 
@@ -108,11 +136,13 @@ func New(ctx context.Context, procDesc *Description) *Process {
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	proc := &Process{
-		logger:     procDesc.Logger,
-		command:    procDesc.Command,
-		simExePath: simExePath,
-		cmd:        cmd,
-		started:    false,
+		logger:       procDesc.Logger,
+		command:      procDesc.Command,
+		simExePath:   simExePath,
+		username:     procDesc.Username,
+		capabilities: capabilities,
+		cmd:          cmd,
+		started:      false,
 	}
 	return proc
 }
@@ -151,19 +181,72 @@ func (p *Process) Start() (err error) {
 		return fmt.Errorf("error retrieving command path: %w", err)
 	}
 
-	// Create a hard link to the provided command path, named as specified by the user.
-	simExePath := p.simExePath
-	if err := os.Link(commandPath, simExePath); err != nil {
-		return fmt.Errorf("error creating process executable: %w", err)
-	}
-	defer func() {
+	// Determine if the process must be run by the current user/group or not. If a user different from the current one
+	// is requested to run it, the user is created at this stage, and deleted after the new process resources are
+	// released.
+	changeOwnership := false
+	userCreated := false
+	var procUID, procGID int
+	if username := p.username; username != "" {
+		userCreated, procUID, procGID, err = p.findOrCreateUser(username)
 		if err != nil {
-			if err := os.Remove(simExePath); err != nil {
-				p.logger.Error(err, "Error deleting process executable", "path", simExePath)
+			return fmt.Errorf("error finding or creating user %q: %w", username, err)
+		}
+
+		logger := p.logger.WithValues("user", username, "uid", procUID, "gid", procGID)
+		if userCreated {
+			defer p.deleteUserIfErr(username, &err)
+			logger.V(1).Info("Created user")
+		} else {
+			logger.V(1).Info("Found user")
+		}
+
+		// The current executable must be run with real IDs set to 0, so compare the obtained IDs with the effective
+		// ones instead of the real ones.
+		changeOwnership = procUID != os.Geteuid() || procGID != os.Getegid()
+	}
+
+	capabilities := p.capabilities
+	changeCapabilities := capabilities != allCaps
+
+	// Create the simulated executable file. It is either a hard link or a copy of the original command path, depending
+	// on the fact that it is required to change the file ownership/capabilities or not.
+	simExePath := p.simExePath
+	if changeOwnership || changeCapabilities {
+		// We are going to manipulate the file ownership and capabilities, so create a copy of the original instead of
+		// modifying the original one.
+		if err := copyFile(commandPath, simExePath); err != nil {
+			return fmt.Errorf("error copying process executable: %w", err)
+		}
+		defer p.removeFileIfErr(simExePath, &err)
+		p.logger.V(1).Info("Created process executable", "path", simExePath)
+
+		if changeOwnership {
+			if err := os.Chown(simExePath, procUID, procGID); err != nil {
+				return fmt.Errorf("error changing process executable ownership to %d:%d: %w", procUID, procGID, err)
 			}
 		}
-	}()
-	p.logger.V(1).Info("Created process executable", "path", simExePath)
+
+		if err := p.setFileCapabilities(simExePath, capabilities); err != nil {
+			return fmt.Errorf("error setting process executable file capabilities to %q: %w", capabilities, err)
+		}
+
+		if changeOwnership {
+			if err := os.Chmod(simExePath, 0o555|os.ModeSetuid|os.ModeSetgid); err != nil {
+				return fmt.Errorf("error changing process executable file mode: %w", err)
+			}
+		}
+	} else {
+		if err := os.Link(commandPath, simExePath); err != nil {
+			return fmt.Errorf("error creating process executable: %w", err)
+		}
+		defer p.removeFileIfErr(simExePath, &err)
+		p.logger.V(1).Info("Created process executable", "path", simExePath)
+
+		if err := p.setFileCapabilities(simExePath, capabilities); err != nil {
+			return fmt.Errorf("error setting process executable file capabilities to %q: %w", capabilities, err)
+		}
+	}
 
 	// If the user specified a custom process name, we will run the executable through a symbolic link, so create it.
 	exePath := p.cmd.Path
@@ -172,25 +255,160 @@ func (p *Process) Start() (err error) {
 			return fmt.Errorf("error creating symlink %q to process executable %q: %w", exePath, simExePath,
 				err)
 		}
-		defer func() {
-			if err != nil {
-				if err := os.Remove(exePath); err != nil {
-					p.logger.Error(err, "Error deleting symlink to process executable", "symlink", exePath)
-				}
-			}
-		}()
+		defer p.removeFileIfErr(exePath, &err)
+		p.logger.V(1).Info("Created symlink to process executable", "path", simExePath, "symlink", exePath)
 	}
-	p.logger.V(1).Info("Created symlink to process executable", "path", simExePath, "symlink", exePath)
 
-	// Run the process.
-	if err := p.cmd.Start(); err != nil {
+	// Run the executable but prevent the kernel from ignoring file capabilities when real/effective user ID is 0 (see
+	// 'Capabilities and execution of programs by root' in capabilities(7)).
+	// Notice: secure bits are inherited by child process, so whatever process is going to be spawned by our child will
+	// not inherit root privileges if our child doesn't clear the SECBIT_NOROOT first.
+	if err := capability.RunWithSecBitNoRootEnabled(p.cmd.Start); err != nil {
 		return err
 	}
 
 	p.started = true
+	p.userCreated = userCreated
 	return nil
 }
 
+// findOrCreateUser finds or creates the user with the provided username. It returns information about the user.
+func (p *Process) findOrCreateUser(username string) (created bool, uid, gid int, err error) {
+	if uid, gid, err = getUserIDs(username); err == nil {
+		return false, uid, gid, nil
+	}
+
+	var unknownUserErr user.UnknownUserError
+	if !errors.As(err, &unknownUserErr) {
+		return false, 0, 0, fmt.Errorf("error retrieving user id: %w", err)
+	}
+
+	// User does not exist, create it.
+	if err := addUser(username); err != nil {
+		_ = delUser(username) // addUser can leave an inconsistent state.
+		return false, 0, 0, fmt.Errorf("error creating user: %w", err)
+	}
+	defer p.deleteUserIfErr(username, &err)
+
+	// Retrieve the user ID of the created user.
+	if uid, gid, err = getUserIDs(username); err != nil {
+		return false, 0, 0, fmt.Errorf("error looking up for user after creation: %w", err)
+	}
+
+	return true, uid, gid, nil
+}
+
+// getUserIDs returns the user and group IDs of the user associated to the provided username.
+func getUserIDs(username string) (uid, gid int, err error) {
+	usr, err := user.Lookup(username)
+	if err != nil {
+		return 0, 0, fmt.Errorf("error looking up user %q: %w", username, err)
+	}
+
+	if uid, err = strconv.Atoi(usr.Uid); err != nil {
+		return 0, 0, fmt.Errorf("error parsing user uid %q: %w", usr.Uid, err)
+	}
+
+	if gid, err = strconv.Atoi(usr.Gid); err != nil {
+		return 0, 0, fmt.Errorf("error parsing user gid %q: %w", usr.Gid, err)
+	}
+
+	return uid, gid, nil
+}
+
+// addUser creates a user with the given username.
+func addUser(username string) error {
+	return capability.RunWithSecBitNoRootDisabled(func() error {
+		return exec.Command("sh", "-c", fmt.Sprintf("useradd %q", username)).Run() //nolint:gosec // Disable G204
+	})
+}
+
+// delUser deletes the user with the given username.
+func delUser(username string) error {
+	return capability.RunWithSecBitNoRootDisabled(func() error {
+		return exec.Command("sh", "-c", fmt.Sprintf("userdel %q", username)).Run() //nolint:gosec // Disable G204
+	})
+}
+
+// deleteUserIfErr deletes the user associated to the provided username if the provided error pointer points to an
+// error.
+func (p *Process) deleteUserIfErr(username string, err *error) { //nolint:gocritic // Disable ptrToRefParam
+	if *err != nil {
+		if err := delUser(username); err != nil {
+			p.logger.Error(err, "Error deleting user", "user", username)
+		}
+	}
+}
+
+// copyFile copies the file at src to dst.
+func copyFile(src, dst string) (err error) {
+	srcFile, err := os.Open(src) //nolint:gosec // Disable G304
+	if err != nil {
+		return fmt.Errorf("error opening source file: %w", err)
+	}
+	defer func() {
+		if e := srcFile.Close(); e != nil {
+			e := fmt.Errorf("error closing source file: %w", e)
+			if err != nil {
+				err = fmt.Errorf("%w; %w", err, e)
+			} else {
+				err = e
+			}
+		}
+	}()
+
+	dstFile, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE, 0o755) //nolint:gosec // Disable G304
+	if err != nil {
+		return fmt.Errorf("error creating destination file: %w", err)
+	}
+	defer func() {
+		if e := dstFile.Close(); e != nil {
+			e := fmt.Errorf("error closing destination file: %w", e)
+			if err != nil {
+				err = fmt.Errorf("%w; %w", err, e)
+			} else {
+				err = e
+			}
+		}
+	}()
+
+	if _, err := io.Copy(dstFile, srcFile); err != nil {
+		return fmt.Errorf("error copying data: %w", err)
+	}
+
+	return nil
+}
+
+// removeFileIfErr removes the file at the provided file path if the provided error pointer points to an error.
+func (p *Process) removeFileIfErr(filePath string, err *error) { //nolint:gocritic // Disable ptrToRefParam
+	if *err != nil {
+		if err := os.Remove(filePath); err != nil {
+			p.logger.Error(err, "Error deleting file", "path", filePath)
+		}
+	}
+}
+
+// setFileCapabilities sets the capability state of the file at the provided file path to the value obtained parsing
+// the provided capability string.
+func (p *Process) setFileCapabilities(filePath, capabilities string) error {
+	caps, err := capability.Parse(capabilities)
+	if err != nil {
+		return fmt.Errorf("error parsing capabilities: %w", err)
+	}
+
+	file, err := os.Open(filePath) //nolint:gosec // Disable G304
+	if err != nil {
+		return fmt.Errorf("error opening file: %w", err)
+	}
+	defer func() {
+		if err := file.Close(); err != nil {
+			p.logger.Error(err, "Error closing executable after setting capabilities")
+		}
+	}()
+
+	return caps.SetFd(file)
+}
+
 var errProcessNotStarted = fmt.Errorf("process not started")
 
 // Wait waits for process to exit and releases the related resources.
@@ -235,12 +453,22 @@ func (p *Process) Kill() error {
 
 // releaseResources releases the resources associated to the process, such as created executables.
 func (p *Process) releaseResources() {
-	simExePath := p.simExePath
-	exePath := p.cmd.Path
 	defer func() {
 		p.started = false
+		p.userCreated = false
 	}()
 
+	username := p.username
+	if p.userCreated {
+		if err := delUser(username); err != nil {
+			p.logger.Error(err, "Error deleting user", "user", username)
+		} else {
+			p.logger.V(1).Info("Deleted user", "user", username)
+		}
+	}
+
+	simExePath := p.simExePath
+	exePath := p.cmd.Path
 	if simExePath != exePath {
 		if err := os.Remove(exePath); err != nil {
 			p.logger.Error(err, "Error deleting symlink to process executable", "symlink", exePath)
diff --git a/pkg/test/runner/host/host.go b/pkg/test/runner/host/host.go
index ebeb9fe0..c7b402b7 100644
--- a/pkg/test/runner/host/host.go
+++ b/pkg/test/runner/host/host.go
@@ -119,7 +119,7 @@ func (r *hostRunner) delegateToChild(ctx context.Context, testID string, testInd
 		return fmt.Errorf("error retrieving the current process executable path: %w", err)
 	}
 
-	var simExePath, name, arg0, args string
+	var simExePath, name, arg0, args, username, capabilities string
 	if firstProcess.ExePath != nil {
 		simExePath = *firstProcess.ExePath
 	}
@@ -132,16 +132,25 @@ func (r *hostRunner) delegateToChild(ctx context.Context, testID string, testInd
 	if firstProcess.Args != nil {
 		args = *firstProcess.Args
 	}
+	if firstProcess.User != nil {
+		username = *firstProcess.User
+	}
+	if firstProcess.Capabilities != nil {
+		capabilities = *firstProcess.Capabilities
+	}
 	procDesc := &process.Description{
-		Logger:     r.logger,
-		Command:    currentExePath,
-		SimExePath: simExePath,
-		Name:       name,
-		Arg0:       arg0,
-		Args:       args,
-		Env:        procEnv,
+		Logger:       r.logger.WithName("process"),
+		Command:      currentExePath,
+		SimExePath:   simExePath,
+		Name:         name,
+		Arg0:         arg0,
+		Args:         args,
+		Env:          procEnv,
+		Username:     username,
+		Capabilities: capabilities,
 	}
 	proc := process.New(ctx, procDesc)
+	// Run the child process and wait for it.
 	if err := proc.Start(); err != nil {
 		return fmt.Errorf("error starting child process: %w", err)
 	}
diff --git a/pkg/test/script/shell/shell.go b/pkg/test/script/shell/shell.go
index c7998ea3..796de40c 100644
--- a/pkg/test/script/shell/shell.go
+++ b/pkg/test/script/shell/shell.go
@@ -18,6 +18,7 @@ package shell
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os/exec"
@@ -27,6 +28,7 @@ import (
 	"github.com/go-logr/logr"
 	"golang.org/x/sys/unix"
 
+	"github.com/falcosecurity/event-generator/pkg/capability"
 	"github.com/falcosecurity/event-generator/pkg/test"
 )
 
@@ -109,7 +111,12 @@ func (s *shellScript) RunBefore(ctx context.Context) (func(context.Context) erro
 	waitSignalCh = takeFirstWaitSignal(waitSignalCh)
 	consumeScriptStderrLog(s.logger, stderrLogLinesCh)
 
-	if err := cmd.Start(); err != nil {
+	if err := capability.RunWithSecBitNoRootDisabled(cmd.Start); err != nil {
+		var funcErr *capability.FuncError
+		if !errors.As(err, &funcErr) {
+			_ = stdoutPipe.Close()
+			_ = stderrPipe.Close()
+		}
 		cancel()
 		wg.Wait()
 		return nil, fmt.Errorf("error starting before script: %w", err)