capng_lock - Linux


Overview

The capng_lock command is a utility for locking and unlocking the capabilities of a process or thread. It lets you selectively restrict or elevate capabilities, which improves the security of your applications. This is particularly useful for sandboxing, controlling privilege escalation, and handling sensitive system resources.

Syntax

capng_lock [-i] [-h] [-v] CAP_SET(S)

Options/Flags

| Option/Flag | Description | Default |
|---|---|---|
| -i | Lock capabilities, ignoring any existing lock settings. | No |
| -h | Display usage information. | No |
| -v | Enable verbose output. | No |
| CAP_SET(S) | Space-separated list of capability sets to lock or unlock. Accepts both numeric and symbolic names. | None |

Examples

Locking specific capabilities:

capng_lock -i CAP_SYS_PACCT CAP_NET_ADMIN

Unlocking all capabilities:

capng_lock -i -

Common Issues

  • Permission denied: Ensure you have sufficient privileges to modify capabilities.
  • Invalid capability: Check that the specified capability set is valid and exists on your system.

Integration

capng_lock can be combined with other commands for advanced security tasks. For instance:

  • Creating a sandbox: Use capng_lock to restrict capabilities of a child process before executing untrusted code.
  • Privilege escalation detection: Monitor capability changes using auditctl and capng_lock to detect suspicious activity.
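
Whichever tool applies the restriction in the sandbox case above, the result can be confirmed by decoding the capability masks the kernel reports in /proc/<pid>/status. The script below is an added example, not part of capng_lock or of the original page. The function names and the two status excerpts are constructed for illustration; the bit numbers are those defined in <linux/capability.h>.

```shell
#!/bin/sh
# Added example (not from capng_lock): verify capability restrictions by
# decoding the hex masks in /proc/<pid>/status. Function names are hypothetical.

# Constructed samples: an unrestricted root process, and the same process
# after CAP_NET_ADMIN and CAP_SYS_PACCT were removed from every set.
SAMPLE_BEFORE='CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'
SAMPLE_AFTER='CapInh: 0000000000000000
CapPrm: 000001ffffefefff
CapEff: 000001ffffefefff
CapBnd: 000001ffffefefff'

# Bit positions from <linux/capability.h>; extend the list as needed.
cap_bit() {
    case "$1" in
        CAP_NET_ADMIN) echo 12 ;;
        CAP_SYS_PACCT) echo 20 ;;
        CAP_SYS_ADMIN) echo 21 ;;
        *) return 1 ;;
    esac
}

# has_cap FIELD CAP STATUS_TEXT: 0 = bit set, 1 = bit clear, 2 = cannot tell
has_cap() {
    bit=$(cap_bit "$2") || return 2
    hex=$(printf '%s\n' "$3" | awk -v f="$1:" '$1 == f { print $2 }')
    [ -n "$hex" ] || return 2
    [ $(( (0x$hex >> $bit) & 1 )) -eq 1 ]
}

# remaining_caps STATUS_TEXT CAP...: print FIELD:CAP for every set that still
# holds a capability that should be gone. Unknown names or missing fields are
# reported as unverified, so an empty result always means "confirmed removed".
remaining_caps() {
    status=$1; shift
    for cap in "$@"; do
        for field in CapPrm CapEff CapBnd CapInh; do
            if has_cap "$field" "$cap" "$status"; then echo "$field:$cap"
            elif [ $? -eq 2 ]; then echo "$field:$cap:unverified"; fi
        done
    done
}

echo "before:"; remaining_caps "$SAMPLE_BEFORE" CAP_NET_ADMIN CAP_SYS_PACCT
echo "after:";  remaining_caps "$SAMPLE_AFTER"  CAP_NET_ADMIN CAP_SYS_PACCT
```

To check a live process, pass the contents of its status file as the first argument, for example "$(cat /proc/$$/status)" for the current shell.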

Related Commands

  • capng_get
  • capng_set
  • getcap
  • setcap