Linux capabilities with eBPF
I'm building a tool that lets developers analyze ahead of time which Linux capabilities their eBPF program needs. No more slapping on CAP_SYS_ADMIN and praying.
While working on it, I wondered whether I could watch a live stream of the capability checks happening on my system as they occurred, and that's when I learned about capable, an eBPF-based tool that lets you do literally that.
With the -v flag it streams every check, which might be more than you want.
You can grep the output for the process name:
$ sudo capable-bpfcc -v | rg --line-buffered minimal
...
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
rg is what the cool kids are using today.
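Grepping shows the raw stream; what the ahead-of-time use case actually wants is the set of distinct capabilities a given process name asked for. The script below is an added example (not code from the post or from capable itself) that reduces capable's output to that set. It assumes the 7-column layout shown above (TIME UID PID COMM CAP NAME AUDIT), and the sample lines embedded in it are constructed, not captured from a real run.

```shell
#!/bin/sh
# Constructed sample of `capable-bpfcc -v` output in the column layout shown
# above: TIME UID PID COMM CAP NAME AUDIT. Not captured from a real system.
SAMPLE_CAPABLE_OUTPUT='11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 12 CAP_NET_ADMIN 1
11:34:45 65534 70643 minimal 39 CAP_BPF 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:45 65534 70643 minimal 38 CAP_PERFMON 1
11:34:46 0 4242 otherproc 21 CAP_SYS_ADMIN 1
11:34:46 0 4242 otherproc 21 CAP_SYS_ADMIN 0'

# caps_for_comm COMM [audited]
# Read a capable stream on stdin and print each distinct capability NAME
# that process COMM was checked for, once, in order of first appearance.
# Pass "audited" as the second argument to keep only rows whose AUDIT
# column is 1 (capable's -v flag also includes the non-audit checks).
# Because it does not sort, it works on a live, never-ending stream.
caps_for_comm() {
    comm=$1
    mode=${2:-all}
    awk -v comm="$comm" -v mode="$mode" '
        NF >= 7 && $4 == comm && (mode != "audited" || $7 == "1") && !seen[$6]++ {
            print $6
        }'
}

# caps_by_comm
# Same reduction, but for every process in the stream: prints "COMM NAME"
# pairs, each distinct pair once, so you can see what each program wanted.
caps_by_comm() {
    awk 'NF >= 7 && !seen[$4 " " $6]++ { print $4, $6 }'
}

# count_caps COMM [audited]
# Number of distinct capabilities COMM asked for; handy for a quick sanity
# check ("did my change add a capability requirement?").
count_caps() {
    caps_for_comm "$@" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample. Against a live system the
# same functions take the tool's output directly, e.g.
#   sudo capable-bpfcc -v | caps_for_comm minimal
printf '%s\n' "$SAMPLE_CAPABLE_OUTPUT" | caps_for_comm minimal
printf '%s\n' "$SAMPLE_CAPABLE_OUTPUT" | caps_by_comm
```

The awk `!seen[...]++` idiom is what makes this usable on a live stream: `sort -u` would have to wait for end-of-file, which never comes while capable is running, whereas this prints a capability the first time it shows up and stays quiet afterwards.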