# capsnoop

**Repository Path**: kiraskyler/capsnoop

## Basic Information

- **Project Name**: capsnoop
- **Description**: Trace the effect of system calls on process capabilities
- **Primary Language**: C++
- **License**: GPL-3.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2024-09-18
- **Last Updated**: 2024-09-18

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# Introduction

> Trace the effect of system calls on process capabilities

```
Time: 06:16:24.002597355, uid = 1000, pid: 1180706, tdid: 1180706, ppid: 1180702, comm: sshd
syscall: capset
hdrp.version: LINUX_CAPABILITY_VERSION_3
hdrp.pid: 0
effective: 0x0
permitted: 0xffffffff
inheritable: 0x2000002c
retval: 0
securebits: 0x00000000
cap_inheritable: 0x0000000000000000
cap_permitted: 0xffffffff000001ff
cap_effective: 0x0000000000000000
cap_bset: 0xffffffff000001ff
cap_ambient: 0x0000000000000000
----------------------------------
securebits: 0x00000000
cap_inheritable: 0x0000000000000000
cap_permitted: 0xffffffff000001ff
cap_effective: 0xffffffff000001ff
cap_bset: 0xffffffff000001ff
cap_ambient: 0x0000000000000000
----------------------------------
capset+11 (/usr/lib64/libc-2.28.so) 0x7f3542afcecb
unknown 0x7f35468041c8
cap_iab_set_proc+69 (/usr/lib64/libcap.so.2.61) 0x7f35468046f5
permanently_set_uid+229 (/usr/sbin/sshd) 0x556feee42b45
```

# Before Use

- At most 1000 tasks can be traced at the same time; the limit can be changed in the definition of rsyscall_enter in cap.bpf.c.
- When the limit is exceeded, information may be lost, and no error or warning is printed.
- Symbol information is hard to obtain for short-lived processes.
- bcc and bpftrace have the same limitation.
- Only perf resolves the symbols of short-lived processes reasonably accurately; perf traces more events.

# Build

## Build Requires

> The kernel must support BPF and include BTF information; just try make
> gcc clang libbpf libbcc
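Reading a record like the one in the Introduction by hand means decoding 64-bit hex masks. The following added example (not part of the capsnoop project) parses the two cred snapshots of one record and reports which capabilities a set gained or lost between them. It assumes the tool prints the kernel's two 32-bit capability words with cap[0] first, which is how the sample's permitted set 0xffffffff000001ff decodes to all 41 capabilities; kSample is an abbreviated copy of the README's record.

```cpp
#include <cstdint>
#include <map>
#include <sstream>
#include <string>
#include <vector>
// Capability numbers 0..40, in the order defined by <linux/capability.h>.
static const char* const kCapNames[41] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
    "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE"};
// Assumption (inferred from the sample record, not documented by the project): a printed cred
// set is cap[0] (caps 0..31) in the high 32 bits and cap[1] in the low 32 bits. Swap the halves.
uint64_t to_mask(uint64_t printed) { return (printed >> 32) | (printed << 32); }
std::vector<std::string> cap_names(uint64_t mask) {
    std::vector<std::string> out;
    for (int i = 0; i < 41; ++i) if ((mask >> i) & 1) out.push_back(kCapNames[i]);
    return out;
}

// Collect the cap_* lines of one record into successive cred snapshots; "----" closes one.
using Snapshot = std::map<std::string, uint64_t>;
std::vector<Snapshot> parse_snapshots(const std::string& record) {
    std::vector<Snapshot> snaps(1);
    std::istringstream in(record);
    for (std::string line; std::getline(in, line);) {
        if (line.rfind("----", 0) == 0) { snaps.emplace_back(); continue; }
        auto colon = line.find(": 0x");  // header, capset args and stack lines are skipped
        if (line.rfind("cap_", 0) != 0 || colon == std::string::npos) continue;
        snaps.back()[line.substr(0, colon)] = std::stoull(line.substr(colon + 2), nullptr, 16);
    }
    if (snaps.back().empty()) snaps.pop_back();
    return snaps;
}

// Capabilities gained and lost in one set (e.g. "cap_effective") between two snapshots.
struct CapChange { std::vector<std::string> gained, lost; };
CapChange change_of(const Snapshot& before, const Snapshot& after, const std::string& set) {
    uint64_t b = to_mask(before.at(set)), a = to_mask(after.at(set));
    return {cap_names(a & ~b), cap_names(b & ~a)};
}
// Constructed input: the README's sample record, abbreviated to its cap_* lines.
static const char* const kSample =
    "cap_permitted: 0xffffffff000001ff\ncap_effective: 0x0000000000000000\n----------\n"
    "cap_permitted: 0xffffffff000001ff\ncap_effective: 0xffffffff000001ff\n----------\n";
```

For the sample, change_of(snaps[0], snaps[1], "cap_effective") reports all 41 capabilities gained and none lost, while cap_permitted is unchanged.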