Skip to content

capget

Intro

capget - Retrieve system capabilities

Description

The capget() system call, which retrieves the current capabilities of a certain process or process group. It takes two arguments, a pointer to a cap_user_headers_t structure containing information about the requested capabilities, and a pointer to a cap_user_data_t structure containing an array of capability numbers. The system call then fills in these structures to contain the requested capabilities.

There are some drawbacks and edge-cases when using this system call. First, the requested capabilities must be in range of the capabilities supported by the operating system. Second, if the request is for a process group and the process group doesn't exist, capget() fails with an error code. Finally, not all systems support all of the capabilities that capget() can retrieve.

Arguments

  • hdrp: cap_user_header_t[K] - Pointer to a header containing the requested capability type and data length.
  • datap: cap_user_data_t[K] - Pointer to an array of one or more capability numbers.

Available Tags

  • K - Originated from kernel-space.

Hooks

capget

Type

Kprobe + Kretprobe

Purpose

These probes are used to capture system calls when they enter and exit the kernel.

Example Use Case

For example, a security administrator may use capget() to query the current system capabilities of a certain process or process group in order to audit their system configuration.

Issues

Currently, there is no way to retrieve multiple sets of capabilities within one capget() system call.

  • capset() - Set system capabilities for process or process group

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.