
capset

Intro

capset - dynamically change user's and/or process's capability sets

Description

The capset() system call sets the user-space capability sets of the current process or of a specified process, as selected by its arguments. The cap_user_header_t structure describes the layout of the actual capability sets: it consists of an integer specifying the version of the structure and an integer specifying the length of the data that follows. The cap_user_data_t structure describes the capability sets of the given process.

Depending on which arguments are given, capset() either modifies the current process's capability sets or sets the capability sets of a specified process. If the process is root, capset() also allows setting flags that indicate whether the capability sets should be inherited by child processes.

Using capset() has both advantages and drawbacks. The main advantage is that a process can change the set of capabilities it holds at runtime, which allows a higher level of security and stability. On the other hand, it can be abused by malicious users of the system, who can set the capability sets to a state other than the intended one.

Arguments

  • hdrp:cap_user_header_t[KU] - pointer to a data structure describing the layout of the capability sets of the process.
  • datap:const cap_user_data_t[KU] - pointer to a data structure describing the capability sets of the process.
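An added example, not part of the Tracee page or project, showing how the two structures above are used at the raw syscall level: a process that drops one capability from its own effective and permitted sets, the kind of capset() call a least-privilege daemon makes once initialization is done. It assumes the v3 layout from linux/capability.h (a version and pid header, two 32-bit words per set); the helper names are mine.

```c
#define _GNU_SOURCE                 /* for syscall() in unistd.h */
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* v3 layout: 2 u32 words per set */

/* Header: version selects the layout; pid 0 means the calling thread. */
static void init_header(struct __user_cap_header_struct *hdr, pid_t pid)
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = pid;
}

static int   cap_word(int cap) { return cap / 32; }               /* which u32 */
static __u32 cap_mask(int cap) { return (__u32)1 << (cap % 32); } /* which bit */

/* 1 if cap is present in the effective set held in data[], else 0. */
int cap_in_effective(const struct __user_cap_data_struct *data, int cap)
{
    if (cap < 0 || cap_word(cap) >= CAP_WORDS)
        return 0;
    return (data[cap_word(cap)].effective & cap_mask(cap)) != 0;
}

/* Remove cap from effective and permitted; shrinking a set needs no privilege. */
int cap_clear(struct __user_cap_data_struct *data, int cap)
{
    if (cap < 0 || cap_word(cap) >= CAP_WORDS)
        return -1;
    data[cap_word(cap)].effective &= ~cap_mask(cap);
    data[cap_word(cap)].permitted &= ~cap_mask(cap);
    return 0;
}

/* Read the caller's sets with capget, drop cap, write them back with capset.
 * Returns 0 on success or -errno; the capset write is what the sys_capset
 * hook above observes. */
int drop_capability(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[CAP_WORDS];
    init_header(&hdr, 0);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    if (cap_clear(data, cap) < 0)
        return -EINVAL;
    init_header(&hdr, 0);            /* re-init: capget may rewrite the header */
    return syscall(SYS_capset, &hdr, data) < 0 ? -errno : 0;
}
```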

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use).
  • OPT - Optional argument; might not always be available (passed with a null value).

Hooks

sys_capset

Type

Kprobes

Purpose

To detect changes to a process's or thread's capability sets.

uprobes

Type

Uprobes

Purpose

To detect if userspace execution attempts to change a process's capability sets.

Example Use Case

Monitoring the capset() system call is useful for tracking changes to a process's capability sets. For example, once a vulnerable process has been identified, watching its capability sets helps detect an attacker attempting to set them to a different state.

Issues

No significant issues with the system call were found in the manual page.

Related Events

  • get_this_capable() - get the current process's capability sets.
  • set_thread_capability() - associate a thread or process with an additional capability set.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.