capable-bpfcc
Live stream of capabilities being requested on your system
I'm currently building a tool that allows an eBPF developer to analyze which capabilities their program needs ahead of time. No more slapping on CAP_SYS_ADMIN and hoping it'll be okay.
While debugging what I have now, I wanted to see a live view of the capabilities being requested on my system, and that's when I learned about capable-bpfcc, an eBPF-based tool that lets you do literally just that.
This streams everything with the -v flag. To grep against it:
$ sudo capable-bpfcc -v | rg --line-buffered minimal
...
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
rg is what the cool kids are using today.
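As an added example (not from the original post or the capable-bpfcc project), this Python script collapses that stream into the distinct capabilities each command was checked for, which is easier to read than the raw repeats. The column layout (TIME UID PID COMM CAP NAME AUDIT) is taken from the output above; the sample lines and the function names are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# Column layout as in the output above: TIME UID PID COMM CAP NAME AUDIT.
# COMM may contain spaces, so it is matched lazily between PID and the numeric CAP.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<comm>.+?)\s+(?P<cap>\d+)\s+(?P<name>CAP_[A-Z_]+)\s+(?P<audit>[01])\b"
)

# Constructed sample in the same format as the output above.
SAMPLE = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
11:34:45  65534  70643  minimal          39   CAP_BPF              1
11:34:45  65534  70643  minimal          12   CAP_NET_ADMIN        1
11:34:45  65534  70643  minimal          38   CAP_PERFMON          1
11:34:45  65534  70643  minimal          38   CAP_PERFMON          1
11:34:46  0      812    Web Content      21   CAP_SYS_ADMIN        0
garbage line that is not an event
"""

def summarize(lines, audit_only=False):
    """Return {(comm, uid): Counter({cap_name: checks})} for parseable event lines."""
    seen = defaultdict(Counter)
    try:
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                continue  # header, "..." or anything else that is not an event
            if audit_only and m["audit"] != "1":
                continue
            seen[(m["comm"], int(m["uid"]))][m["name"]] += 1
    except KeyboardInterrupt:
        pass  # Ctrl-C ends a live capture; report what was seen so far
    return dict(seen)

def report(summary):
    """Format one line per (comm, uid) with its distinct capabilities and counts."""
    out = []
    for (comm, uid), caps in sorted(summary.items()):
        caps_txt = ", ".join(f"{n} x{c}" for n, c in sorted(caps.items()))
        out.append(f"{comm} (uid {uid}): {caps_txt}")
    return out

if __name__ == "__main__":
    # Pipe `sudo capable-bpfcc -v` in, or run with no piped input to use the sample.
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print("\n".join(report(summarize(src))))
```

A capability listed here means the kernel checked for it on behalf of that process, not that the check passed or that the program cannot run without it, so treat the result as a starting set to trim and test.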
If you see any inaccuracies, typos or have comments, please reach out @mdaverde.