capng_lock - Linux


The capng_lock command is a utility for locking and unlocking capabilities of a process or thread. It allows you to selectively restrict or elevate capabilities, enhancing the security of your applications. This is particularly useful for sandboxing, privilege escalation, and handling sensitive system resources.


capng_lock [-i] [-h] [-v] CAP_SET(S)


| Option/Flag | Description | Default |
| -i | Lock capabilities, ignoring any existing lock settings. | No |
| -h | Display usage information. | No |
| -v | Enable verbose output. | No |
| CAP_SET(S) | Space-separated list of capability sets to lock or unlock. Accepts both numeric and symbolic names. | None |


Locking specific capabilities:


Unlocking all capabilities:

capng_lock -i -

Common Issues

  • Permission denied: Ensure you have sufficient privileges to modify capabilities.
  • Invalid capability: Check that the specified capability set is valid and exists on your system.


capng_lock can be combined with other commands for advanced security tasks. For instance:

  • Creating a sandbox: Use capng_lock to restrict capabilities of a child process before executing untrusted code.
  • Privilege escalation detection: Monitor capability changes using auditctl and capng_lock to detect suspicious activity.

Related Commands

  • capng_get
  • capng_set
  • getcap
  • setcap