capget
Intro
capget - Retrieve system capabilities
Description
The capget() system call retrieves the current capabilities of a certain process or process group. It takes two arguments: a pointer to a cap_user_header_t structure containing information about the requested capabilities, and a pointer to a cap_user_data_t structure containing an array of capability numbers. The system call then fills in these structures with the requested capabilities.
There are some drawbacks and edge cases when using this system call. First, the requested capabilities must be within the range of capabilities supported by the operating system. Second, if the request is for a process group and the process group doesn't exist, capget() fails with an error code. Finally, not all systems support all of the capabilities that capget() can retrieve.
Arguments
- hdrp:cap_user_header_t [K] - Pointer to a header containing the requested capability type and data length.
- datap:cap_user_data_t [K] - Pointer to an array of one or more capability numbers.
Available Tags
- K - Originated from kernel-space.
Hooks
capget
Type
Kprobe + Kretprobe
Purpose
These probes are used to capture system calls when they enter and exit the kernel.
Example Use Case
For example, a security administrator may use capget() to query the current system capabilities of a certain process or process group in order to audit their system configuration.
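The audit query described above, as an added example that is not part of the Tracee documentation or its code: a C program that issues the raw capget(2) syscall for a given pid, probes the kernel's preferred header version, and decodes the returned effective set. It assumes Linux, repeats the version constant from <linux/capability.h> so that it builds without kernel headers, and the struct and function names are the example's own.

```c
/* Added example (not from the Tracee docs): read a process's capability sets
 * with the raw capget(2) syscall and decode the returned bitmasks. Linux only. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constants copied from <linux/capability.h> so the example builds without
 * kernel headers: header version 3 uses two u32 words (64 bits) per set. */
#define CAP_V3     0x20080522u   /* _LINUX_CAPABILITY_VERSION_3 */
#define CAP_U32S_3 2             /* _LINUX_CAPABILITY_U32S_3 */

struct cap_hdr  { uint32_t version; int pid; };                   /* cap_user_header_t */
struct cap_data { uint32_t effective, permitted, inheritable; };  /* cap_user_data_t */

/* Ask the kernel which header version it wants: version 0 is unsupported, so
 * the kernel writes its preferred version back into hdr (older kernels also
 * return EINVAL here, newer ones return 0 when datap is NULL). */
uint32_t capget_probe_version(void) {
    struct cap_hdr hdr = { .version = 0, .pid = 0 };
    syscall(SYS_capget, &hdr, NULL);
    return hdr.version;
}

/* Fill out[] (CAP_U32S_3 entries) with the sets of pid (0 = calling process).
 * Returns 0 on success, -errno on failure (e.g. -ESRCH when pid does not exist). */
int capget_sets(int pid, struct cap_data out[CAP_U32S_3]) {
    struct cap_hdr hdr = { .version = CAP_V3, .pid = pid };
    memset(out, 0, sizeof(struct cap_data) * CAP_U32S_3);
    if (syscall(SYS_capget, &hdr, out) != 0)
        return -errno;
    return 0;
}

/* Join the two u32 words of the effective set into one 64-bit mask; bit n == CAP_n. */
uint64_t cap_mask_effective(const struct cap_data d[CAP_U32S_3]) {
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}

int cap_in_mask(uint64_t mask, int cap) { return (int)((mask >> cap) & 1); }

int main(void) {
    struct cap_data d[CAP_U32S_3];
    int rc = capget_sets(0, d);
    if (rc) { fprintf(stderr, "capget: %s\n", strerror(-rc)); return 1; }
    printf("kernel prefers header version 0x%08x\n", capget_probe_version());
    printf("effective mask of this process: 0x%016llx\n",
           (unsigned long long)cap_mask_effective(d));
    return 0;
}
```

Running it as an unprivileged user typically prints an all-zero effective mask, while the same query on a pid that has left the process table returns -ESRCH, which is the "doesn't exist" failure mentioned above.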
Issues
Currently, there is no way to retrieve multiple sets of capabilities within one capget() system call.
Related Events
- capset() - Set system capabilities for process or process group
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.