#!/usr/bin/env bpftrace
// capable - Trace security capability checks (cap_capable()).
// For Linux, uses bpftrace and eBPF.
//
// Example of usage:
//
// # ./capable.bt
// TIME UID PID COMM CAP NAME AUDIT
// 22:11:23 114 2676 snmpd 12 CAP_NET_ADMIN 1
// 22:11:23 0 6990 run 24 CAP_SYS_RESOURCE 1
// 22:11:23 0 7003 chmod 3 CAP_FOWNER 1
// 22:11:23 0 7003 chmod 4 CAP_FSETID 1
// 22:11:23 0 7005 chmod 4 CAP_FSETID 1
// [...]
//
// This can be useful for general debugging, and also security enforcement:
// determining a whitelist of capabilities an application needs.
//
// The output above includes various capability checks: snmpd checking
// CAP_NET_ADMIN, run checking CAP_SYS_RESOURCE, then some short-lived processes
// checking CAP_FOWNER, CAP_FSETID, etc.
//
// To see what each of these capabilities does, check the capabilities(7) man
// page and the kernel source.
//
// This is a bpftrace version of the bcc tool of the same name.
// The bcc version provides options to customize the output.
//
// Copyright 2018 Netflix, Inc.
//
// 08-Sep-2018 Brendan Gregg Created this.
BEGIN
{
// One-time banner. Note that cap_capable() is a kernel function on the
// capability-check path, not a syscall, despite the wording of the message.
printf("Tracing cap_capable syscalls... Hit Ctrl-C to end.\n");
printf("%-9s %-6s %-6s %-16s %-4s %-20s AUDIT\n",
"TIME", "UID", "PID", "COMM", "CAP", "NAME");
// Capability number -> name table, consulted by the kprobe block to resolve
// the integer cap argument. The explicit (uint64) cast on the first key sets
// the key type bpftrace uses for the whole map; presumably chosen to match
// the width of the probe's arg2 — confirm against the bpftrace version in use.
// Numbering follows include/uapi/linux/capability.h. A capability newer than
// 40 has no entry here and is expected to show an empty NAME field.
@cap[(uint64)0] = "CAP_CHOWN";
@cap[1] = "CAP_DAC_OVERRIDE";
@cap[2] = "CAP_DAC_READ_SEARCH";
@cap[3] = "CAP_FOWNER";
@cap[4] = "CAP_FSETID";
@cap[5] = "CAP_KILL";
@cap[6] = "CAP_SETGID";
@cap[7] = "CAP_SETUID";
@cap[8] = "CAP_SETPCAP";
@cap[9] = "CAP_LINUX_IMMUTABLE";
@cap[10] = "CAP_NET_BIND_SERVICE";
@cap[11] = "CAP_NET_BROADCAST";
@cap[12] = "CAP_NET_ADMIN";
@cap[13] = "CAP_NET_RAW";
@cap[14] = "CAP_IPC_LOCK";
@cap[15] = "CAP_IPC_OWNER";
@cap[16] = "CAP_SYS_MODULE";
@cap[17] = "CAP_SYS_RAWIO";
@cap[18] = "CAP_SYS_CHROOT";
@cap[19] = "CAP_SYS_PTRACE";
@cap[20] = "CAP_SYS_PACCT";
@cap[21] = "CAP_SYS_ADMIN";
@cap[22] = "CAP_SYS_BOOT";
@cap[23] = "CAP_SYS_NICE";
@cap[24] = "CAP_SYS_RESOURCE";
@cap[25] = "CAP_SYS_TIME";
@cap[26] = "CAP_SYS_TTY_CONFIG";
@cap[27] = "CAP_MKNOD";
@cap[28] = "CAP_LEASE";
@cap[29] = "CAP_AUDIT_WRITE";
@cap[30] = "CAP_AUDIT_CONTROL";
@cap[31] = "CAP_SETFCAP";
@cap[32] = "CAP_MAC_OVERRIDE";
@cap[33] = "CAP_MAC_ADMIN";
@cap[34] = "CAP_SYSLOG";
@cap[35] = "CAP_WAKE_ALARM";
@cap[36] = "CAP_BLOCK_SUSPEND";
@cap[37] = "CAP_AUDIT_READ";
@cap[38] = "CAP_PERFMON";
@cap[39] = "CAP_BPF";
@cap[40] = "CAP_CHECKPOINT_RESTORE";
}
kprobe:cap_capable
{
// One output line per cap_capable() call: timestamp, caller identity, the
// requested capability (number and name via the @cap table), and the probe's
// fourth argument printed raw under AUDIT.
// NOTE(review): on newer kernels cap_capable()'s fourth parameter appears to
// be an options bitmask rather than a plain audit flag, in which case this
// column shows that raw mask — confirm against the running kernel's signature.
// cap_capable() fires at a high rate; per-event printf output can be dropped
// by bpftrace under load (reported as lost events), so treat this as a
// best-effort trace rather than a complete record.
$audit = arg3;
$capnum = arg2;
time("%H:%M:%S ");
printf("%-6d %-6d %-16s %-4d %-20s %d\n",
uid, pid, comm, $capnum, @cap[$capnum], $audit);
}
END
{
// Discard the lookup table so bpftrace does not dump its contents as a map
// when the script exits.
clear(@cap);
}