capable: Hide TID and INSETID columns by default

The TID and the INSETID bit are the less interesting fields and keeping them out allows to reduce the line length below 80 characters. Closes iovisor#2392
e-dant · Jun 3, 2019 · 721d34e · 721d34e
1 parent d61f9ba
commit 721d34e
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 36 deletions.
diff --git a/man/man8/capable.8 b/man/man8/capable.8
@@ -25,6 +25,9 @@ Include kernel stack traces to the output.
 .TP
 \-U
 Include user-space stack traces to the output.
+.TP
+\-x
+Show extra fields in TID and INSETID columns.
 .SH EXAMPLES
 .TP
 Trace all capability checks system-wide:

diff --git a/tools/capable.py b/tools/capable.py
@@ -26,6 +26,7 @@
  ./capable -p 181 # only trace PID 181
  ./capable -K # add kernel stacks to trace
  ./capable -U # add user-space stacks to trace
+ ./capable -x # extra fields: show TID and INSETID columns
 """
 parser = argparse.ArgumentParser(
  description="Trace security capability checks",
@@ -39,6 +40,8 @@
  help="output kernel stack trace")
 parser.add_argument("-U", "--user-stack", action="store_true",
  help="output user stack trace")
+parser.add_argument("-x", "--extra", action="store_true",
+ help="show extra fields in TID and INSETID columns")
 args = parser.parse_args()
 debug = 0
 
@@ -178,8 +181,12 @@ def __getattr__(self, name):
 b = BPF(text=bpf_text)
 
 # header
-print("%-9s %-6s %-6s %-6s %-16s %-4s %-20s %-6s %s" % (
- "TIME", "UID", "PID", "TID", "COMM", "CAP", "NAME", "AUDIT", "INSETID"))
+if args.extra:
+ print("%-9s %-6s %-6s %-6s %-16s %-4s %-20s %-6s %s" % (
+ "TIME", "UID", "PID", "TID", "COMM", "CAP", "NAME", "AUDIT", "INSETID"))
+else:
+ print("%-9s %-6s %-6s %-16s %-4s %-20s %-6s" % (
+ "TIME", "UID", "PID", "COMM", "CAP", "NAME", "AUDIT"))
 
 def stack_id_err(stack_id):
  # -EFAULT in get_stackid normally means the stack-trace is not availible,
@@ -203,9 +210,14 @@ def print_event(bpf, cpu, data, size):
  name = capabilities[event.cap]
  else:
  name = "?"
- print("%-9s %-6d %-6d %-6d %-16s %-4d %-20s %-6d %s" % (strftime("%H:%M:%S"),
- event.uid, event.pid, event.tgid, event.comm.decode('utf-8', 'replace'),
- event.cap, name, event.audit, str(event.insetid) if event.insetid != -1 else "N/A"))
+ if args.extra:
+ print("%-9s %-6d %-6d %-6d %-16s %-4d %-20s %-6d %s" % (strftime("%H:%M:%S"),
+ event.uid, event.pid, event.tgid, event.comm.decode('utf-8', 'replace'),
+ event.cap, name, event.audit, str(event.insetid) if event.insetid != -1 else "N/A"))
+ else:
+ print("%-9s %-6d %-6d %-16s %-4d %-20s %-6d" % (strftime("%H:%M:%S"),
+ event.uid, event.pid, event.comm.decode('utf-8', 'replace'),
+ event.cap, name, event.audit))
  if args.kernel_stack:
  print_stack(bpf, event.kernel_stack_id, StackType.Kernel, -1)
  if args.user_stack:

diff --git a/tools/capable_example.txt b/tools/capable_example.txt
@@ -5,37 +5,42 @@ capable traces calls to the kernel cap_capable() function, which does security
 capability checks, and prints details for each call. For example:
 
 # ./capable.py 
-TIME UID PID COMM CAP NAME AUDIT INSETID
-22:11:23 114 2676 snmpd 12 CAP_NET_ADMIN 1 N/A
-22:11:23 0 6990 run 24 CAP_SYS_RESOURCE 1 N/A
-22:11:23 0 7003 chmod 3 CAP_FOWNER 1 N/A
-22:11:23 0 7003 chmod 4 CAP_FSETID 1 N/A
-22:11:23 0 7005 chmod 4 CAP_FSETID 1 N/A
-22:11:23 0 7005 chmod 4 CAP_FSETID 1 N/A
-22:11:23 0 7006 chown 4 CAP_FSETID 1 N/A
-22:11:23 0 7006 chown 4 CAP_FSETID 1 N/A
-22:11:23 0 6990 setuidgid 6 CAP_SETGID 1 N/A
-22:11:23 0 6990 setuidgid 6 CAP_SETGID 1 N/A
-22:11:23 0 6990 setuidgid 7 CAP_SETUID 1 N/A
-22:11:24 0 7013 run 24 CAP_SYS_RESOURCE 1 N/A
-22:11:24 0 7026 chmod 3 CAP_FOWNER 1 N/A
-22:11:24 0 7026 chmod 4 CAP_FSETID 1 N/A
-22:11:24 0 7028 chmod 4 CAP_FSETID 1 N/A
-22:11:24 0 7028 chmod 4 CAP_FSETID 1 N/A
-22:11:24 0 7029 chown 4 CAP_FSETID 1 N/A
-22:11:24 0 7029 chown 4 CAP_FSETID 1 N/A
-22:11:24 0 7013 setuidgid 6 CAP_SETGID 1 N/A
-22:11:24 0 7013 setuidgid 6 CAP_SETGID 1 N/A
-22:11:24 0 7013 setuidgid 7 CAP_SETUID 1 N/A
-22:11:25 0 7036 run 24 CAP_SYS_RESOURCE 1 N/A
-22:11:25 0 7049 chmod 3 CAP_FOWNER 1 N/A
-22:11:25 0 7049 chmod 4 CAP_FSETID 1 N/A
-22:11:25 0 7051 chmod 4 CAP_FSETID 1 N/A
-22:11:25 0 7051 chmod 4 CAP_FSETID 1 N/A
-
-A recent kernel version >= 5.1 also reports the INSETID bit to cap_capable():
-
-# ./capable.py
+TIME UID PID COMM CAP NAME AUDIT
+22:11:23 114 2676 snmpd 12 CAP_NET_ADMIN 1
+22:11:23 0 6990 run 24 CAP_SYS_RESOURCE 1
+22:11:23 0 7003 chmod 3 CAP_FOWNER 1
+22:11:23 0 7003 chmod 4 CAP_FSETID 1
+22:11:23 0 7005 chmod 4 CAP_FSETID 1
+22:11:23 0 7005 chmod 4 CAP_FSETID 1
+22:11:23 0 7006 chown 4 CAP_FSETID 1
+22:11:23 0 7006 chown 4 CAP_FSETID 1
+22:11:23 0 6990 setuidgid 6 CAP_SETGID 1
+22:11:23 0 6990 setuidgid 6 CAP_SETGID 1
+22:11:23 0 6990 setuidgid 7 CAP_SETUID 1
+22:11:24 0 7013 run 24 CAP_SYS_RESOURCE 1
+22:11:24 0 7026 chmod 3 CAP_FOWNER 1
+22:11:24 0 7026 chmod 4 CAP_FSETID 1
+22:11:24 0 7028 chmod 4 CAP_FSETID 1
+22:11:24 0 7028 chmod 4 CAP_FSETID 1
+22:11:24 0 7029 chown 4 CAP_FSETID 1
+22:11:24 0 7029 chown 4 CAP_FSETID 1
+22:11:24 0 7013 setuidgid 6 CAP_SETGID 1
+22:11:24 0 7013 setuidgid 6 CAP_SETGID 1
+22:11:24 0 7013 setuidgid 7 CAP_SETUID 1
+22:11:25 0 7036 run 24 CAP_SYS_RESOURCE 1
+22:11:25 0 7049 chmod 3 CAP_FOWNER 1
+22:11:25 0 7049 chmod 4 CAP_FSETID 1
+22:11:25 0 7051 chmod 4 CAP_FSETID 1
+22:11:25 0 7051 chmod 4 CAP_FSETID 1
+
+Checks where AUDIT is 0 are ignored by default, which can be changed
+with -v but is more verbose.
+
+We can show the TID and INSETID columns with -x.
+Since only a recent kernel version >= 5.1 reports the INSETID bit to cap_capable(),
+the fallback value "N/A" will be displayed on older kernels.
+
+# ./capable.py -x
 TIME UID PID TID COMM CAP NAME AUDIT INSETID
 08:22:36 0 12869 12869 chown 0 CAP_CHOWN 1 0
 08:22:36 0 12869 12869 chown 0 CAP_CHOWN 1 0