capng_lock - Linux
Overview
The capng_lock
command is a utility for locking and unlocking capabilities of a process or thread. It allows you to selectively restrict or elevate capabilities, enhancing the security of your applications. This is particularly useful for sandboxing, privilege escalation, and handling sensitive system resources.
Syntax
capng_lock [-i] [-h] [-v] CAP_SET(S)
Options/Flags
| Option/Flag | Description | Default |
|—|—|—|
| -i
| Lock capabilities, ignoring any existing lock settings. | No |
| -h
| Display usage information. | No |
| -v
| Enable verbose output. | No |
| CAP_SET(S) | Space-separated list of capability sets to lock or unlock. Accepts both numeric and symbolic names. | None |
Examples
Locking specific capabilities:
capng_lock -i CAP_SYS_PACCT CAP_NET_ADMIN
Unlocking all capabilities:
capng_lock -i -
Common Issues
- Permission denied: Ensure you have sufficient privileges to modify capabilities.
- Invalid capability: Check that the specified capability set is valid and exists on your system.
Integration
capng_lock
can be combined with other commands for advanced security tasks. For instance:
- Creating a sandbox: Use
capng_lock
to restrict capabilities of a child process before executing untrusted code. - Privilege escalation detection: Monitor capability changes using
auditctl
andcapng_lock
to detect suspicious activity.
Related Commands
capng_get
capng_set
getcap
setcap