capng_apply - Linux


Overview

capng_apply grants or revokes Linux capabilities on a running process or a set of processes. It allows fine-grained control over system privileges, enhancing security by minimizing the attack surface.

Syntax

capng_apply [-i] [-F] [-g N] [-a N] [-r N] -c P process
capng_apply [-i] [-F] [-g N] [-a N] [-r N] -c S socket

Options/Flags

  • -i: Inherit capabilities from the parent process.
  • -F: Follow the process tree and apply to child processes.
  • -g N: Grant capability N.
  • -a N: Add capability N to the existing set.
  • -r N: Remove capability N from the existing set.
  • -c P: Specify process ID.
  • -c S: Specify socket descriptor.

Examples

Grant CAP_SYS_ADMIN to process 1000:

capng_apply -g 21 -c P 1000

Remove CAP_NET_ADMIN from socket 5:

capng_apply -r 12 -c S 5

Add CAP_SETUID to all processes in the process tree of PID 100:

capng_apply -F -a 7 -c P 100
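After any of the calls above, confirm that the change actually took effect by decoding the CapEff mask the kernel exposes in /proc/<pid>/status. The following helper is an added example, not part of capng_apply or this reference; it assumes the kernel's layout in which bit N of the mask is capability number N (the same numbering the -g/-a/-r options take, e.g. 12 for CAP_NET_ADMIN, 21 for CAP_SYS_ADMIN).

```shell
#!/bin/sh
# Added example (not capng_apply's own code): verify which capabilities a
# process really holds by decoding the CapEff bitmask in /proc/<pid>/status.
# Assumption: bit N of the mask corresponds to capability number N.

# cap_bit_set MASKHEX N: succeed if bit N is set in the 64-bit hex mask.
# The mask is split into two 32-bit words so the arithmetic also works on
# shells whose integers are only 32 bits wide.
cap_bit_set() {
    mask=$1 n=$2
    while [ ${#mask} -lt 16 ]; do mask=0$mask; done   # left-pad to 16 digits
    if [ "$n" -ge 32 ]; then
        word=$(printf '%s' "$mask" | cut -c1-8); bit=$((n - 32))
    else
        word=$(printf '%s' "$mask" | cut -c9-16); bit=$n
    fi
    [ $(( (0x$word >> bit) & 1 )) -eq 1 ]
}

# cap_eff_mask FILE: print the CapEff value from a status-format file.
cap_eff_mask() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# status_has_cap FILE N: succeed if capability N is in FILE's effective set.
status_has_cap() {
    cap_bit_set "$(cap_eff_mask "$1")" "$2"
}

# proc_has_cap PID N: the same check against a live process (read-only,
# needs no privilege beyond being able to read the status file).
proc_has_cap() {
    status_has_cap "/proc/$1/status" "$2"
}

# Usage: report whether the current shell has CAP_NET_ADMIN (12) effective.
if [ -r /proc/self/status ]; then
    if proc_has_cap self 12; then
        echo "CAP_NET_ADMIN is effective"
    else
        echo "CAP_NET_ADMIN is not effective"
    fi
fi
```

Use `proc_has_cap 1000 21` after the first example to check that process 1000 now holds CAP_SYS_ADMIN; a "Permission denied" from capng_apply shows up here as the bit still being clear.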

Common Issues

  • Permission denied: Ensure the calling process has sufficient privileges to modify capabilities.
  • Socket descriptor invalid: Verify the socket descriptor is valid and refers to an active socket.

Integration

capng_apply can be combined with utilities like find and xargs for batch operations. For example, to grant capability 37 to every process whose command line mentions python, list the matching /proc/<pid>/cmdline files with grep -l, extract the PID with cut, and hand each PID to capng_apply (grep -q prints nothing, so it would leave xargs with no input):

find /proc -maxdepth 2 -type f -name cmdline -exec grep -l python {} + 2>/dev/null | cut -d/ -f3 | xargs -n 1 capng_apply -F -g 37 -c P

Related Commands