capable - an eBPF tool to see a live stream of Linux capabilities

During debugging, I wanted a live view of the capabilities being requested on my system, and that's when I learned about capable.

Linux capabilities with eBPF

I'm building a tool that lets developers analyze ahead of time which Linux capabilities their eBPF program needs. No more slapping on CAP_SYS_ADMIN and praying.

While building it, I wondered whether I could watch a stream of the capabilities being requested on my system as the checks happened, and that's when I learned about capable, an eBPF-based tool that does exactly that.

With the -v flag it streams every capability check on the system, which is probably more than you want. You can filter the output on the process name with grep or rg:

$ sudo capable-bpfcc -v | rg --line-buffered minimal
...
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1

rg is what the cool kids are using today.
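Filtering with rg shows the raw stream, but what you usually want from it is the answer to the question in the first paragraph: the smallest set of capabilities a given process actually asked for. The following is an added example, not part of capable or BCC, that reads capable's output and collapses it into one sorted capability list per process. It assumes the column layout visible in the sample above (TIME UID PID COMM CAP NAME AUDIT); the sample lines embedded in it are constructed, modelled on that output with one extra process added.

```python
"""Summarize a `capable` stream into the set of capabilities each process asked for.

Added example; not part of the capable tool. It assumes the column layout seen
in the post's sample output: TIME UID PID COMM CAP NAME AUDIT.
"""
from collections import defaultdict
import re
import sys

# One record per capability check, following the sample output's layout.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<comm>\S+)\s+(?P<cap>\d+)\s+(?P<name>CAP_\w+)\s+(?P<audit>[01])$"
)

# Constructed sample, modelled on the post's output, plus one unrelated process.
SAMPLE = """\
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:46 0 4242 sshd 21 CAP_SYS_ADMIN 0
"""


def parse_line(line):
    """Return a dict for one capable record, or None for headers and noise such as '...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("uid", "pid", "cap", "audit"):
        rec[key] = int(rec[key])
    return rec


def summarize(text, comm=None, audited_only=False):
    """Map each process name to the sorted list of capabilities it was checked for.

    comm restricts the result to one process name (like `rg minimal` in the post);
    audited_only drops records whose AUDIT column is 0.
    """
    caps = defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if comm is not None and rec["comm"] != comm:
            continue
        if audited_only and rec["audit"] == 0:
            continue
        caps[rec["comm"]].add(rec["name"])
    return {name: sorted(names) for name, names in caps.items()}


def count_checks(text):
    """Count how often each (comm, capability) pair was checked; repeats are normal."""
    counts = defaultdict(int)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is not None:
            counts[(rec["comm"], rec["name"])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Read a piped capable stream, or fall back to the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for proc, names in sorted(summarize(source).items()):
        print(f"{proc}: {', '.join(names)}")
```

Pipe the tool into it (for example `sudo capable-bpfcc -v | python3 capsum.py`, with capsum.py being whatever you named the file) and let the workload run through its real code paths; the result is the capability set to grant instead of CAP_SYS_ADMIN. The repeated CAP_PERFMON lines in the sample are one reason to collapse to a set: the kernel checks the same capability many times, and the count tells you nothing about whether it is needed.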
