DOKK / manpages / debian 11 / bpfcc-tools / capable-bpfcc.8.en
capable(8) System Manager's Manual capable(8)

capable - Trace security capability checks (cap_capable()).

capable [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap MAPPATH]
[--mntnsmap MAPPATH] [--unique]

This traces security capability checks in the kernel, and prints details for each call. This can be useful for general debugging, and also security enforcement: determining a white list of capabilities an application needs.

Since this uses BPF, only the root user can use this tool.

CONFIG_BPF, bcc.

-h USAGE message.

Include non-audit capability checks. These are those deemed not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit.
Include kernel stack traces to the output.
Include user-space stack traces to the output.
Show extra fields in TID and INSETID columns.
Trace cgroups in this BPF map only (filtered in-kernel).
Trace mount namespaces in this BPF map only (filtered in-kernel).
Don't repeat stacks for the same PID or cgroup.

# capable
# capable -p 181
from bcc sources for more details): # capable --cgroupmap /sys/fs/bpf/test01

Time of capability check: HH:MM:SS.
User ID.
Process ID.
Process name. CAP Capability number. NAME Capability name. See capabilities(7) for descriptions.
Whether this was an audit event. Use -v to include non-audit events. INSETID Whether the INSETID bit was set (Linux >= 5.1).

This adds low-overhead instrumentation to capability checks, which are expected to be low frequency, however, that depends on the application. Test in a lab environment before use.

This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

Linux

Unstable - in development.

Brendan Gregg

capabilities(7)

2020-03-08 USER COMMANDS