.TH capable.bt 8  "2018-09-08" "USER COMMANDS"
.SH NAME
capable.bt \- Trace security capability checks (cap_capable()).
.SH SYNOPSIS
.B capable.bt
.SH DESCRIPTION
This traces security capability checks in the kernel, and prints details
for each call. This can be useful for general debugging, and also for
security enforcement: determining an allow list of the capabilities an
application actually needs, so that it can be run with only those.

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF, bpftrace.
.SH EXAMPLES
.TP
Trace all capability checks system-wide:
#
.B capable.bt
.SH FIELDS
.TP
TIME(s)
Time of capability check: HH:MM:SS.
.TP
UID
User ID.
.TP
PID
Process ID.
.TP
COMM
Process name.
.TP
CAP
Capability number.
.TP
NAME
Capability name. See capabilities(7) for descriptions.
.TP
AUDIT
Whether this check was audited: the audit argument passed to cap_capable(),
1 for a normal (audited) check and 0 for a non-auditing check such as those
made via capable_noaudit(). Non-auditing checks are usually made to choose a
code path rather than to deny an operation, so they are weaker evidence that
the process needs the capability.
.SH OVERHEAD
This adds low-overhead instrumentation to capability checks, which are
expected to be low frequency; however, the rate depends on the application.
Test in a lab environment before use.
.SH SOURCE
This is from bpftrace.
.IP
https://github.com/iovisor/bpftrace
.PP
Also look in the bpftrace distribution for a companion _examples.txt file
containing example usage, output, and commentary for this tool.

This is a bpftrace version of the bcc tool of the same name. The bcc tool
provides options to customize the output.
.IP
https://github.com/iovisor/bcc
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
capabilities(7)
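The DESCRIPTION above suggests using the trace to determine an allow list of capabilities an application needs. The following is an added example, not part of bpftrace or of capable.bt itself, of the post-processing step: it reads capable.bt output in the column layout documented under FIELDS, drops non-audited checks (AUDIT 0), and emits the unique (COMM, NAME) pairs that were exercised. The sample trace lines embedded in the script are constructed for illustration, not a real capture, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bpftrace project: derive a per-process
# capability allow list from capable.bt output.
#
# Assumed input layout (from the FIELDS section of capable.bt(8)):
#   TIME(s) UID PID COMM CAP NAME AUDIT
# one capability check per line, preceded by a single header line.

# capable_allowlist: read capable.bt output on stdin and print unique
# "COMM NAME" pairs, sorted. Lines with AUDIT != 1 are discarded, since
# non-auditing checks (capable_noaudit() and friends) usually select a
# code path rather than gate an operation, and so are weak evidence that
# the capability is required.
capable_allowlist() {
    awk 'NR > 1 && NF >= 7 && $7 == 1 { print $4, $6 }' | LC_ALL=C sort -u
}

# Constructed sample trace in the tool's output format (not a real capture).
SAMPLE='TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:24  0      7003   chmod            4    CAP_FSETID           1
22:11:24  0      7005   dpkg             21   CAP_SYS_ADMIN        0'

# allowlist_from_sample: run the filter over the embedded sample.
allowlist_from_sample() {
    printf '%s\n' "$SAMPLE" | capable_allowlist
}

# Typical live use (root required, as the man page notes): record the trace
# while exercising the workload, then reduce it offline.
#   capable.bt | tee capable.log      # Ctrl-C when the workload is done
#   capable_allowlist < capable.log
allowlist_from_sample
```

The resulting list is a starting point, not a proof of minimality: a code path that the workload did not exercise during the trace will be missing, so run the application through its full set of operations (including error handling and shutdown) before turning the list into a bounding set or container capability drop.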