
capable - Trace security capability checks (cap_capable()).

Author

       Brendan Gregg

Description

       This  traces  security  capability  checks  in  the kernel, and prints details for each call. This can be
       useful for general debugging, and also security enforcement: determining a white list of capabilities  an
       application needs.

       Since this uses BPF, only the root user can use this tool.

Examples

       Trace all capability checks system-wide:
              # capable

       Trace capability checks for PID 181:
              # capable -p 181

       Trace capability checks in a set of cgroups only (see special_filtering.md
              from bcc sources for more details):
              # capable --cgroupmap /sys/fs/bpf/test01

Fields

       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.

       CAP    Capability number.

       NAME   Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event. Use -v to include non-audit events.

       INSETID
              Whether the INSETID bit was set (Linux >= 5.1).
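       The Description section says the tool is useful for working out the allow-list of
       capabilities an application needs. The script below is an added example, not part of
       bcc or this man page: it parses the text that capable prints (column layout taken from
       the Fields section above; the sample lines are constructed, not a real capture), keeps
       only audit events unless asked otherwise, and aggregates one set of capability names
       per COMM. Columns are located from the header line, so output produced with -x (extra
       TID and INSETID columns, whose exact column order is assumed here) parses the same way,
       and indented stack-trace lines from -K/-U are assumed to start with whitespace and are
       skipped. The systemd CapabilityBoundingSet= rendering is one way to turn the observed
       set into an enforced one.

```python
"""Aggregate capable(8) text output into a per-process capability allow-list.

Added example; not bcc's own code. Sample output below is constructed from the
Fields section of the man page, not captured from a real system.
"""
from collections import defaultdict

# Constructed sample of default capable output (TIME UID PID COMM CAP NAME AUDIT).
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:24  114    2676   snmpd            10   CAP_NET_BIND_SERVICE 1
22:11:24  0      7001   mount            21   CAP_SYS_ADMIN        1
22:11:25  0      7002   python3          21   CAP_SYS_ADMIN        0
22:11:25  114    2676   snmpd            12   CAP_NET_ADMIN        1
"""

# Constructed sample of output with -x. The placement of the TID and INSETID
# columns is an assumption; the parser does not depend on it, only on the header.
SAMPLE_OUTPUT_X = """\
TIME      UID    PID    TID    COMM             CAP  NAME                 AUDIT  INSETID
22:11:23  114    2676   2676   snmpd            12   CAP_NET_ADMIN        1      0
    cap_capable+0x1            (assumed -K stack frame line, indented, skipped)
22:11:23  114    2676   2680   snmpd            10   CAP_NET_BIND_SERVICE 1      1
"""


def parse_capable(text, include_non_audit=False):
    """Return {comm: set(capability names)} from capable(8) output.

    Rows whose AUDIT column is 0 are dropped unless include_non_audit is set,
    mirroring the tool's own -v behaviour. Blank lines, indented stack-frame
    lines and anything before the header are ignored.
    """
    allow = defaultdict(set)
    columns = None
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue  # blank line or (assumed) indented stack frame
        fields = line.split()
        if columns is None:
            # First line naming both COMM and NAME is treated as the header.
            if "COMM" in fields and "NAME" in fields:
                columns = {name: i for i, name in enumerate(fields)}
            continue
        if len(fields) < len(columns):
            continue  # truncated line; do not guess
        audit = fields[columns["AUDIT"]] == "1"
        if not audit and not include_non_audit:
            continue
        allow[fields[columns["COMM"]]].add(fields[columns["NAME"]])
    return dict(allow)


def systemd_bounding_set(allow, comm):
    """Render the observed set for one COMM as a systemd CapabilityBoundingSet= line.

    Sorted so the line is stable across runs and easy to diff in a unit file.
    """
    return "CapabilityBoundingSet=" + " ".join(sorted(allow.get(comm, ())))


if __name__ == "__main__":
    observed = parse_capable(SAMPLE_OUTPUT)
    for comm, caps in sorted(observed.items()):
        print(f"{comm:16} {' '.join(sorted(caps))}")
    print(systemd_bounding_set(observed, "snmpd"))
```

       Run the real tool for long enough to cover the application's code paths (the man page
       warns that overhead depends on the application), feed the saved output to
       parse_capable, and review the resulting set by hand before putting it in a unit file;
       a capability that was checked once during startup still has to stay in the bounding set.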

Name

       capable - Trace security capability checks (cap_capable()).

Options

       -h     USAGE message.

       -v     Include  non-audit  capability checks. These are those deemed not interesting and not necessary to
              audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit.

       -K     Include kernel stack traces to the output.

       -U     Include user-space stack traces to the output.

       -x     Show extra fields in TID and INSETID columns.

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered in-kernel).

       --unique
              Don't repeat stacks for the same PID or cgroup.

OS

       Linux

Overhead

       This adds low-overhead instrumentation to capability checks, which are expected to be low frequency;
       however, that depends on the application. Test in a lab environment before use.

Requirements

       CONFIG_BPF, bcc.

See Also

capabilities(7)

USER COMMANDS                                      2020-03-08                                         capable(8)

Source

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file containing  example  usage,  output,
       and commentary for this tool.

Stability

       Unstable - in development.

Synopsis

       capable [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap MAPPATH]
               [--mntnsmap MAPPATH] [--unique]
