v811_spc009/external/bcc/man/man8/capable.8

.TH capable 8  "2016-09-13" "USER COMMANDS"
.SH NAME
capable \- Trace security capability checks (cap_capable()).
.SH SYNOPSIS
.B capable [\-h] [\-v] [\-p PID] [\-K] [\-U]
.SH DESCRIPTION
This traces security capability checks in the kernel, and prints details for
each call. This can be useful for general debugging, and also security
enforcement: determining a white list of capabilities an application needs.

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF, bcc.
.SH OPTIONS
\-h
USAGE message.
.TP
\-v
Include non-audit capability checks. These are those deemed not interesting and
not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to
affect the behavior of overcommit.
.TP
\-K
Include kernel stack traces to the output.
.TP
\-U
Include user-space stack traces to the output.
.SH EXAMPLES
.TP
Trace all capability checks system-wide:
#
.B capable
.TP
Trace capability checks for PID 181:
#
.B capable \-p 181
.SH FIELDS
.TP
TIME(s)
Time of capability check: HH:MM:SS.
.TP
UID
User ID.
.TP
PID
Process ID.
.TP
COMM
Process name.
CAP
Capability number.
NAME
Capability name. See capabilities(7) for descriptions.
.TP
AUDIT
Whether this was an audit event. Use \-v to include non-audit events.
.SH OVERHEAD
This adds low-overhead instrumentation to capability checks, which are expected
to be low frequency, however, that depends on the application. Test in a lab
environment before use.
.SH SOURCE
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
capabilities(7)