capable-bpfcc

Live stream of capabilities being requested on your system

I'm currently building a tool that allows an eBPF developer to analyze which capabilities their program needs ahead-of-time. No more slapping on CAP_SYS_ADMIN and hoping it'll be okay.

While debugging what I have now, I wanted to see a live view of capabilities being requested on my system, and that's when I learned about capable-bpfcc, an eBPF-based tool that lets you literally just do that.

With the -v flag, it streams everything. To grep against it:

$ sudo capable-bpfcc -v | rg --line-buffered minimal
...
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1

rg is what the cool kids are using today.
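
An added example, not part of the original post: a POSIX shell helper that reduces the stream to the distinct capabilities checked for one command, matching the command name exactly rather than by substring as the grep above does. The column layout is assumed from the sample lines above, and `caps_for_comm`, `caps_list` and `sample_capable_output` are hypothetical names.

```sh
#!/bin/sh
# Added example: summarise `capable-bpfcc -v` output for one command name.
# Assumed columns (from the sample lines in the post):
#   TIME UID PID COMM CAP_NUMBER CAP_NAME <trailing flag column(s)>

# caps_for_comm COMM: read capable lines on stdin, print "count CAP_NAME"
# for every distinct capability checked on behalf of exactly COMM.
caps_for_comm() {
    awk -v want="$1" '
    {
        # Find the CAP_* field instead of trusting a fixed index:
        # comm can contain spaces, which shifts every later column.
        for (i = 6; i <= NF; i++) if ($i ~ /^CAP_[A-Z_]+$/) break
        if (i > NF) next                 # "..." or any other non-data line
        comm = $4
        for (j = 5; j <= i - 2; j++) comm = comm " " $j
        if (comm == want) seen[$i]++     # exact match, unlike a substring grep
    }
    END { for (c in seen) print seen[c], c }' | LC_ALL=C sort -k2
}

# caps_list COMM: same input, printed as one lowercase comma-separated list.
caps_list() {
    caps_for_comm "$1" |
        awk '{ printf "%s%s", (NR > 1 ? "," : ""), tolower($2) }
             END { if (NR) print "" }'
}

# Constructed sample: the ten lines from the post plus two made-up lines
# (a near-miss command name and a command name containing a space).
sample_capable_output() {
    cat <<'EOF'
...
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:46 0 70650 minimal-helper 21 CAP_SYS_ADMIN 1
11:34:46 1000 4242 Web Content 12 CAP_NET_ADMIN 0
EOF
}

sample_capable_output | caps_for_comm minimal
```

A capability showing up here means the kernel checked for it, not that the program fails without it, so treat the list as a starting point to confirm by testing with a reduced set.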

If you see any inaccuracies, typos or have comments, please reach out @mdaverde.