xref: /aosp_15_r20/external/bcc/tools/capable_example.txt (revision 387f9dfdfa2baef462e92476d413c7bc2470293e)
Demonstrations of capable, the Linux eBPF/bcc version.


capable traces calls to the kernel cap_capable() function, which does security
capability checks, and prints details for each call. For example:

# ./capable.py
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        7    CAP_SETUID           1
22:11:24  0      7013   run              24   CAP_SYS_RESOURCE     1
22:11:24  0      7026   chmod            3    CAP_FOWNER           1
22:11:24  0      7026   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        7    CAP_SETUID           1
22:11:25  0      7036   run              24   CAP_SYS_RESOURCE     1
22:11:25  0      7049   chmod            3    CAP_FOWNER           1
22:11:25  0      7049   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1

Checks where AUDIT is 0 are ignored by default; -v includes them, at the cost
of more output.

We can show the TID and INSETID columns with -x. Only kernels >= 5.1 report
the INSETID bit to cap_capable(), so on older kernels the fallback value "N/A"
is displayed in that column.


# ./capable.py -x
TIME      UID    PID    TID    COMM             CAP  NAME                 AUDIT  INSETID
08:22:36  0      12869  12869  chown            0    CAP_CHOWN            1      0
08:22:36  0      12869  12869  chown            0    CAP_CHOWN            1      0
08:22:36  0      12869  12869  chown            0    CAP_CHOWN            1      0
08:23:02  0      13036  13036  setuidgid        6    CAP_SETGID           1      0
08:23:02  0      13036  13036  setuidgid        6    CAP_SETGID           1      0
08:23:02  0      13036  13036  setuidgid        7    CAP_SETUID           1      1
08:23:13  0      13085  13085  chmod            3    CAP_FOWNER           1      0
08:23:13  0      13085  13085  chmod            4    CAP_FSETID           1      0
08:23:13  0      13085  13085  chmod            3    CAP_FOWNER           1      0
08:23:13  0      13085  13085  chmod            4    CAP_FSETID           1      0
08:23:13  0      13085  13085  chmod            4    CAP_FSETID           1      0
08:24:27  0      13522  13522  ping             13   CAP_NET_RAW          1      0
[...]

This can be useful for general debugging, and also for security enforcement:
determining the whitelist of capabilities an application actually needs.

The output above includes various capability checks: snmpd checking
CAP_NET_ADMIN, run checking CAP_SYS_RESOURCE, then some short-lived processes
checking CAP_FOWNER, CAP_FSETID, etc.

To see what each of these capabilities does, check the capabilities(7) man
page and the kernel source.

It is possible to include a kernel stack trace with each capable event by
passing -K to the command:

# ./capable.py -K
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
15:32:21  1000   10708  fetchmail        7    CAP_SETUID           1
        cap_capable+0x1 [kernel]
        ns_capable_common+0x7a [kernel]
        __sys_setresuid+0xc8 [kernel]
        do_syscall_64+0x56 [kernel]
        entry_SYSCALL_64_after_hwframe+0x49 [kernel]
15:32:21  1000   30047  procmail         6    CAP_SETGID           1
        cap_capable+0x1 [kernel]
        ns_capable_common+0x7a [kernel]
        may_setgroups+0x2f [kernel]
        __x64_sys_setgroups+0x18 [kernel]
        do_syscall_64+0x56 [kernel]
        entry_SYSCALL_64_after_hwframe+0x49 [kernel]

Similarly, a user-space stack can be included with -U (and both options can be
used at the same time to include the user and kernel stacks).

Some processes do a lot of security capability checks, generating a lot of
output. In this case, the --unique option is useful: it prints only once the
same combination of capability, pid (or cgroup if --cgroupmap is used) and
kernel/user stacks (if -K or -U are used).
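The script below is an added illustration, not part of bcc or of capable.py. It parses capable output (constructed sample lines in both the default and the -x layouts, not real captures), applies the default AUDIT filter and the --unique de-duplication described above, decodes the "N/A" INSETID fallback, and derives the per-command capability whitelist mentioned earlier, rendering it as a systemd CapabilityBoundingSet= line. Column names are taken from the header line; the parser assumes COMM contains no whitespace, and the unique key uses the PID (capable keys on the cgroup instead when --cgroupmap is used).

```python
from collections import defaultdict

# Constructed sample in the layout printed by `capable.py -K` (two events carry
# a kernel stack; the last line is a non-audit check that only -v would show).
# Not a real capture.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:24  0      7013   setuidgid        7    CAP_SETUID           1
        cap_capable+0x1 [kernel]
        __sys_setresuid+0xc8 [kernel]
22:11:24  0      7013   setuidgid        7    CAP_SETUID           1
        cap_capable+0x1 [kernel]
        __sys_setresuid+0xc8 [kernel]
22:11:25  0      7013   setuidgid        21   CAP_SYS_ADMIN        0
[...]
"""

# Constructed sample in the `capable.py -x` layout; "N/A" is the fallback the
# tool prints for INSETID on kernels older than 5.1.
SAMPLE_EXTRA = """\
TIME      UID    PID    TID    COMM             CAP  NAME                 AUDIT  INSETID
08:23:02  0      13036  13036  setuidgid        7    CAP_SETUID           1      1
08:23:02  0      13036  13036  setuidgid        6    CAP_SETGID           1      N/A
"""


def parse_capable(text):
    """Parse capable.py output into a list of event dicts.

    Column names come from the header line, so the default and -x layouts
    both work. Indented lines are stack frames (-K / -U) and are attached to
    the preceding event under the "stack" key.
    """
    columns = None
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("[...]"):
            continue
        if line[0].isspace():
            if not events:
                raise ValueError("stack frame before any event: %r" % line)
            events[-1]["stack"].append(line.strip())
            continue
        fields = line.split()
        if fields[0] == "TIME":
            columns = fields
            continue
        # Assumption: COMM contains no whitespace, so whitespace splitting
        # yields exactly one field per header column.
        if columns is None or len(fields) != len(columns):
            raise ValueError("unparseable event line: %r" % line)
        event = dict(zip(columns, fields))
        event["stack"] = []
        events.append(event)
    return events


def filter_audited(events, verbose=False):
    """Mirror the default view: drop AUDIT==0 checks unless verbose (-v)."""
    return [e for e in events if verbose or e["AUDIT"] != "0"]


def unique(events):
    """Mirror --unique: keep only the first occurrence of each
    (capability name, PID, stack) combination. Keyed on PID here; capable
    keys on the cgroup instead when --cgroupmap is used."""
    seen = set()
    kept = []
    for e in events:
        key = (e["NAME"], e["PID"], tuple(e["stack"]))
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def in_set_id(event):
    """Decode the -x INSETID column: True/False, or None when the column is
    absent or carries the "N/A" fallback of kernels that do not report it."""
    value = event.get("INSETID")
    if value is None or value == "N/A":
        return None
    return value == "1"


def capability_allowlist(events):
    """Per command name, the sorted set of capabilities it was observed
    checking. This is a lower bound: only code paths exercised while the
    trace ran are represented."""
    caps = defaultdict(set)
    for e in events:
        caps[e["COMM"]].add(e["NAME"])
    return {comm: sorted(names) for comm, names in caps.items()}


def systemd_bounding_set(cap_names):
    """Render an allowlist as a systemd CapabilityBoundingSet= line, which
    limits the unit to the listed capabilities."""
    return "CapabilityBoundingSet=" + " ".join(sorted(cap_names))


if __name__ == "__main__":
    audited = unique(filter_audited(parse_capable(SAMPLE_OUTPUT)))
    for comm, names in sorted(capability_allowlist(audited).items()):
        print("%-16s %s" % (comm, systemd_bounding_set(names)))
```

Feed it a real capture (`./capable.py -K > trace.txt`) taken while the application runs through its full workload. Since the list only contains capabilities that were actually checked during the trace, run the workload to completion, and consider tracing with -v as well so that non-audit checks are visible before the resulting set is used for enforcement.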

# ./capable.py -K -U --unique

The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./capable.py --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md


USAGE:

# ./capable.py -h
usage: capable.py [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap CGROUPMAP]
                  [--mntnsmap MNTNSMAP] [--unique]

Trace security capability checks

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         include non-audit checks
  -p PID, --pid PID     trace this PID only
  -K, --kernel-stack    output kernel stack trace
  -U, --user-stack      output user stack trace
  -x, --extra           show extra fields in TID and INSETID columns
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  --unique              don't repeat stacks for the same pid or cgroup

examples:
    ./capable             # trace capability checks
    ./capable -v          # verbose: include non-audit checks
    ./capable -p 181      # only trace PID 181
    ./capable -K          # add kernel stacks to trace
    ./capable -U          # add user-space stacks to trace
    ./capable -x          # extra fields: show TID and INSETID columns
    ./capable --unique    # don't repeat stacks for the same pid or cgroup
    ./capable --cgroupmap mappath  # only trace cgroups in this BPF map
    ./capable --mntnsmap mappath   # only trace mount namespaces in the map