kernel-explainer 1.0.0

Kernel event and scheduling explanation library for the Peek process intelligence tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

// Capability set → human descriptions.
//
// Mirrors the decoding logic previously implemented in
// `peek-core::proc::kernel::decode_caps`, but works on the numeric bitset
// directly instead of the raw hex string.

const CAP_NAMES: &[&str] = &[
    "CHOWN",
    "DAC_OVERRIDE",
    "DAC_READ_SEARCH",
    "FOWNER",
    "FSETID",
    "KILL",
    "SETGID",
    "SETUID",
    "SETPCAP",
    "LINUX_IMMUTABLE",
    "NET_BIND_SERVICE",
    "NET_BROADCAST",
    "NET_ADMIN",
    "NET_RAW",
    "IPC_LOCK",
    "IPC_OWNER",
    "SYS_MODULE",
    "SYS_RAWIO",
    "SYS_CHROOT",
    "SYS_PTRACE",
    "SYS_PACCT",
    "SYS_ADMIN",
    "SYS_BOOT",
    "SYS_NICE",
    "SYS_RESOURCE",
    "SYS_TIME",
    "SYS_TTY_CONFIG",
    "MKNOD",
    "LEASE",
    "AUDIT_WRITE",
    "AUDIT_CONTROL",
    "SETFCAP",
    "MAC_OVERRIDE",
    "MAC_ADMIN",
    "SYSLOG",
    "WAKE_ALARM",
    "BLOCK_SUSPEND",
    "AUDIT_READ",
    "PERFMON",
    "BPF",
    "CHECKPOINT_RESTORE",
];

fn caps_to_string(val: u64) -> String {
    if val == 0 {
        return "none".to_string();
    }

    let caps: Vec<&str> = CAP_NAMES
        .iter()
        .enumerate()
        .filter(|(i, _)| val & (1u64 << i) != 0)
        .map(|(_, name)| *name)
        .collect();

    if caps.is_empty() {
        // Fall back to raw value if no names were found.
        format!("{:#x}", val)
    } else {
        caps.join(", ")
    }
}

/// Given the permitted and effective capability bitmasks, return
/// human-readable descriptions for each set.
pub fn format_caps(permitted: u64, effective: u64) -> (String, String) {
    (caps_to_string(permitted), caps_to_string(effective))
}