Releases: cappe987/capmon

Capmon v1.3

28 Jan 14:19
Integrate libbpf

Capmon now uses libbpf instead of the less capable debugfs kprobes. This opens up more possibilities and allows better and more stable control. The only drawback is that it places more requirements on the build and run environments in terms of kernel configuration.

Process tracking

Process tracking runs the provided command and tracks its process ID (PID) as well as any subprocesses it spawns, so the output can be filtered to only the desired processes. There are cases where this does not work: orphan processes are currently not supported, and tracking stops when the initial command finishes. Monitor mode is still available for such cases.

Interactive programs are supported. Capmon ignores SIGINT (Ctrl-C) and passes it through to the running command, which means you cannot stop Capmon directly. You can still use Ctrl-Z to put it in the background and then kill it.

Example:

capmon "tcpdump -lnei eth0"

When you stop tcpdump, Capmon outputs a summary of the capabilities that were accessed.
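To make the process-tracking rule above concrete, here is an added Python model of it. This is not capmon's code and it says nothing about how capmon obtains its events; it only shows the rule the notes describe: start from the launched command's PID, adopt every child forked by an already-tracked PID, attribute capability checks only to tracked PIDs, and stop recording once the initial command exits. The event stream and PIDs are constructed sample values.

```python
# Constructed event stream standing in for whatever process tracking has to
# follow. Each tuple is (kind, ...): a fork of a child by a parent, a
# capability check by a PID, or a process exit. Sample values, not real trace
# output.
TRACE = [
    ("fork", 100, 200),                    # the launched command (100) spawns 200
    ("cap", 200, "CAP_NET_RAW"),
    ("fork", 200, 300),                    # grandchild of the launched command
    ("cap", 300, "CAP_NET_ADMIN"),
    ("cap", 999, "CAP_SYS_ADMIN"),         # unrelated process: must be ignored
    ("fork", 999, 998),                    # unrelated child: must not be adopted
    ("cap", 998, "CAP_NET_RAW"),
    ("exit", 200),
    ("cap", 300, "CAP_NET_RAW"),
    ("exit", 100),                         # the initial command finishes
    ("cap", 300, "CAP_NET_BIND_SERVICE"),  # after that, nothing more is recorded
]


class ProcessTracker:
    """Follow a root PID and all of its descendants until the root exits."""

    def __init__(self, root_pid):
        self.root = root_pid
        self.tracked = {root_pid}   # PIDs whose capability checks we attribute
        self.active = True          # becomes False when the root command exits
        self.accessed = {}          # pid -> set of capabilities checked

    def feed(self, event):
        if not self.active:
            return
        kind = event[0]
        if kind == "fork":
            parent, child = event[1], event[2]
            # Only children of tracked processes join the tracked set; this is
            # what keeps unrelated processes (and their children) out.
            if parent in self.tracked:
                self.tracked.add(child)
        elif kind == "cap":
            pid, cap = event[1], event[2]
            if pid in self.tracked:
                self.accessed.setdefault(pid, set()).add(cap)
        elif kind == "exit":
            pid = event[1]
            if pid == self.root:
                self.active = False   # "when the initial command finishes it stops"
            # Drop the PID so a later reuse of the number is not misattributed;
            # what it already accessed stays in the summary.
            self.tracked.discard(pid)

    def summary(self):
        return {pid: sorted(caps) for pid, caps in sorted(self.accessed.items())}


def track(root_pid, trace):
    """Run a trace through the tracker and return the per-PID summary."""
    tracker = ProcessTracker(root_pid)
    for event in trace:
        tracker.feed(event)
    return tracker.summary()


if __name__ == "__main__":
    for pid, caps in track(100, TRACE).items():
        print(pid, ", ".join(caps))
```

Feeding the constructed trace through the tracker yields only PIDs 200 and 300, drops everything from 999 and 998, and does not record the CAP_NET_BIND_SERVICE check that arrives after PID 100 has exited.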

capmon-1.2

17 Oct 18:20
This is mainly a stopping point before merging the big migration to libbpf, hence the small release.

  • Allows building on older kernels where not all current capabilities are present.

capmon-1.1

24 Aug 19:44
[REPUBLISH]
Accidentally left a debug print last time

  • Add regex support
  • Improve summary format
  • Improve README
  • Add help menu (-h or --help)
  • Make compliant with REUSE Software licensing (https://reuse.software/)
  • Refactoring

capmon-1.0

27 Jul 13:33
capmon 1.0

Start monitoring capability checks.

capmon

Filter by process name

capmon tcpdump trafgen

Filter by process ID

capmon -p 13424

Filter by capability

capmon -c CAP_NET_RAW

Summary mode. On exit, output a summary of which capabilities each process has
accessed, grouped either by process name or by PID.

capmon -s pid
capmon -s name

Listen to ALL capability checks. By default capmon only listens to the functions
ns_capable and capable_wrt_inode_uidgid. With -a it instead listens directly to
the cap_capable function.

capmon -a

All the above arguments can be combined freely. Multiple filters can be used.
Filters of the same type are treated as OR operations. Filters of different
types are treated as AND operations. For example, the command

capmon -n tcpdump -n trafgen -c CAP_NET_RAW

is interpreted as

(name:tcpdump OR name:trafgen) AND (capability:CAP_NET_RAW)

Example: combining arguments

The example below listens only to the tcpdump and trafgen commands, listens
to ALL capability checks, prints a summary at the end grouped by name (which
will only contain tcpdump and trafgen), and only reports a check if the
capability being checked is CAP_NET_RAW or CAP_NET_ADMIN. So an event has to
belong to one of the two names AND be one of those two capabilities.

capmon tcpdump trafgen -a -s name -c CAP_NET_RAW -c CAP_NET_ADMIN

This particular combination may not be very useful, but it shows how you can
combine the arguments.

Running in background

Start or stop monitoring in the background. Can only be combined with -a.
After enabling it, you can view and filter the output by running capmon as
shown above.

capmon --enable
capmon --disable