capable(8)                  System Manager's Manual                 capable(8)


NAME

       capable - Trace security capability checks (cap_capable()).


SYNOPSIS

       capable [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap MAPPATH]
               [--mntnsmap MAPPATH] [--unique]


DESCRIPTION

       This tool traces security capability checks (cap_capable()) in the
       kernel and prints details for each call. This can be useful for
       general debugging, and also for security enforcement: determining the
       white list of capabilities an application needs.

       Since this uses BPF, only the root user can use this tool.


REQUIREMENTS

       CONFIG_BPF, bcc.


OPTIONS

       -h     Print a usage message.

       -v     Include non-audit capability checks. These are those deemed not
              interesting and not necessary to audit, such as CAP_SYS_ADMIN
              checks on memory allocation to affect the behavior of overcommit.

       -p PID Trace this process ID only.

       -K     Include kernel stack traces in the output.

       -U     Include user-space stack traces in the output.

       -x     Show extra fields: the TID and INSETID columns.

       --cgroupmap MAPPATH
              Trace cgroups in this BPF map only (filtered in-kernel).

       --mntnsmap MAPPATH
              Trace mount namespaces in this BPF map only (filtered
              in-kernel).

       --unique
              Don't repeat stacks for the same PID or cgroup.


EXAMPLES

       Trace all capability checks system-wide:
              # capable

       Trace capability checks for PID 181:
              # capable -p 181

       Trace capability checks in a set of cgroups only (see
       special_filtering.md from the bcc sources for more details):
              # capable --cgroupmap /sys/fs/bpf/test01

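       The following is an added example, not part of this man page or of the
       bcc tool itself, showing how a practitioner might post-process capable(8)
       output into the per-application capability white list mentioned under
       DESCRIPTION, and then re-check a running system against that list. The
       trace lines are constructed for illustration; the parser assumes the
       default column layout listed under FIELDS (TIME, UID, PID, COMM, CAP,
       NAME, AUDIT) without the -x extra columns, and the function names are
       this example's own.

```python
"""Post-process capable(8) output into a per-command capability white list."""
import json
import sys
from collections import defaultdict

# Constructed sample of capable(8) output (invented values, not captured data).
# Column layout assumed from the FIELDS section of the man page, default mode
# (no -x): TIME UID PID COMM CAP NAME AUDIT.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
10:01:02  0      1200   nginx            12   CAP_NET_ADMIN        1
10:01:02  0      1200   nginx            10   CAP_NET_BIND_SERVICE 1
10:01:03  1000   2231   myapp            21   CAP_SYS_ADMIN        0
10:01:03  1000   2231   myapp            13   CAP_NET_RAW          1
10:01:04  0      1200   nginx            12   CAP_NET_ADMIN        1
10:01:05  0      1201   nginx            6    CAP_SETGID           1
"""


def parse_capable_output(text):
    """Yield (comm, cap_name, audited) tuples from capable(8) output.

    The header line and blank lines are skipped. Lines with fewer than the
    seven default columns are ignored rather than raising, so a trace taken
    with -K or -U (which interleaves stack-frame lines) still parses.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "TIME":
            continue
        comm, cap_name, audit = fields[3], fields[5], fields[6]
        yield comm, cap_name, audit == "1"


def capability_allowlist(text, audit_only=True):
    """Return {comm: sorted list of capability names} seen in the trace.

    With audit_only=True, checks reported with AUDIT=0 are dropped: the man
    page describes those (shown only under -v) as not necessary to audit,
    e.g. CAP_SYS_ADMIN probes on memory allocation for overcommit.
    """
    caps = defaultdict(set)
    for comm, cap_name, audited in parse_capable_output(text):
        if audit_only and not audited:
            continue
        caps[comm].add(cap_name)
    return {comm: sorted(names) for comm, names in caps.items()}


def unexpected_capabilities(text, policy, audit_only=True):
    """Return {comm: sorted names} for checks not covered by `policy`.

    `policy` maps a process name to the capabilities it is allowed to use;
    a process absent from the policy reports every capability it checked.
    Useful for spotting drift after an application upgrade.
    """
    drift = {}
    for comm, names in capability_allowlist(text, audit_only).items():
        extra = sorted(set(names) - set(policy.get(comm, ())))
        if extra:
            drift[comm] = extra
    return drift


if __name__ == "__main__":
    # Usage (assumed invocation, run as root): capable | python3 cap_allowlist.py
    # With no piped input, the constructed sample above is used instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(json.dumps(capability_allowlist(source), indent=2))
```

       The audit-only default mirrors the tool's own behaviour of hiding
       non-audit checks unless -v is given; pass audit_only=False when the
       trace was collected with -v and every check should count.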

FIELDS

       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.

       CAP    Capability number.

       NAME   Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event. Use -v to include non-audit
              events.

       INSETID
              Whether the INSETID bit was set (Linux >= 5.1).


OVERHEAD

       This adds low-overhead instrumentation to capability checks, which are
       expected to be low frequency; however, that depends on the application.
       Test in a lab environment before use.


SOURCE

       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.


OS

       Linux


STABILITY

       Unstable - in development.


AUTHOR

       Brendan Gregg


SEE ALSO

       capabilities(7)


USER COMMANDS                     2020-03-08                        capable(8)