Module capabilities

Linux process capabilities analysis for privilege escalation detection.

Linux capabilities split the privileges traditionally bundled into root into granular units (CAP_SYS_ADMIN, CAP_NET_RAW, CAP_SYS_PTRACE, etc.), one bit per capability. Each process's credentials (struct cred, reached through task_struct.cred) carry an effective set (what the kernel actually checks), a permitted set (the upper bound the process may raise into its effective set) and an inheritable set (what can be carried across execve), stored in cap_effective, cap_permitted and cap_inheritable. The kernel keeps the effective set a subset of the permitted set; cred also holds a bounding set (cap_bset) and an ambient set (cap_ambient).

A process whose capabilities are out of place, in particular a non-root process holding elevated capabilities, may indicate privilege escalation and is flagged as suspicious. Some non-root capabilities are legitimate (file capabilities on binaries such as ping grant CAP_NET_RAW, and a service manager can grant ambient capabilities), so a flag is a lead to verify against the binary and its file capabilities, not a verdict on its own.
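The heuristic described above, as an added example that is not the module's own code: it decodes capability masks into names (the job cap_name does here), checks the effective-subset-of-permitted invariant, and grades constructed sample processes. SampleProcess, DANGEROUS, Verdict and the sample values are assumptions made for this example, not the crate's ProcessCapabilities or classify_capabilities.

```rust
// Added example (not the module's own code): decode capability masks and apply
// a privilege-escalation heuristic to constructed sample credentials.
// SampleProcess, DANGEROUS and Verdict are assumptions made for this example.

/// Capability names indexed by bit number, CAP_CHOWN (0) .. CAP_CHECKPOINT_RESTORE (40).
const CAP_NAMES: [&str; 41] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
];

const fn bit(n: u32) -> u64 { 1u64 << n }

/// Mask of the bits a current kernel defines (CAP_LAST_CAP == 40).
const CAP_VALID_MASK: u64 = (1u64 << CAP_NAMES.len()) - 1;

/// Capabilities that give a holder a direct path to root or to the kernel
/// (SYS_ADMIN, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, DAC_OVERRIDE, SETUID, SETFCAP, BPF).
/// Chosen for this example; tune to your environment.
const DANGEROUS: u64 =
    bit(21) | bit(19) | bit(16) | bit(17) | bit(1) | bit(7) | bit(31) | bit(39);

/// Map a single capability bit to its name; None for bits the kernel does not define.
fn cap_name(bit: u32) -> Option<&'static str> {
    CAP_NAMES.get(bit as usize).copied()
}

/// Expand a mask into names, lowest bit first; undefined bits are reported by number.
fn decode_caps(mask: u64) -> Vec<String> {
    (0..64u32)
        .filter(|b| mask & bit(*b) != 0)
        .map(|b| cap_name(b).map(str::to_string).unwrap_or_else(|| format!("CAP_BIT_{b}")))
        .collect()
}

/// Hypothetical stand-in for what a walker pulls out of task_struct.cred.
struct SampleProcess {
    pid: u32,
    comm: &'static str,
    uid: u32,
    effective: u64,
    permitted: u64,
    inheritable: u64,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Verdict { Benign, Review, Suspicious }

/// Grade one process; the reasons explain every raise of the verdict.
fn classify(p: &SampleProcess) -> (Verdict, Vec<String>) {
    let mut verdict = Verdict::Benign;
    let mut reasons = Vec::new();

    // capset() rejects an effective set that is not a subset of permitted, so a
    // violation in a memory image points at tampered or corrupted credentials.
    let leaked = p.effective & !p.permitted;
    if leaked != 0 {
        verdict = verdict.max(Verdict::Suspicious);
        reasons.push(format!("effective caps not in permitted set: {:?}", decode_caps(leaked)));
    }
    if p.uid != 0 {
        let dangerous = p.effective & DANGEROUS;
        if dangerous != 0 {
            verdict = verdict.max(Verdict::Suspicious);
            reasons.push(format!("non-root uid {} holds {:?}", p.uid, decode_caps(dangerous)));
        } else if p.effective != 0 {
            // File capabilities (ping, for instance) and ambient sets make this
            // legitimate for a few binaries, so it is a review item, not an alert.
            verdict = verdict.max(Verdict::Review);
            reasons.push(format!("non-root uid {} holds {:?}", p.uid, decode_caps(p.effective)));
        }
    }
    // Bits above CAP_LAST_CAP have no meaning on a current kernel; worth a look.
    let undefined = (p.effective | p.permitted | p.inheritable) & !CAP_VALID_MASK;
    if undefined != 0 {
        verdict = verdict.max(Verdict::Review);
        reasons.push(format!("bits above CAP_LAST_CAP set: {:?}", decode_caps(undefined)));
    }
    (verdict, reasons)
}

/// Constructed sample credentials; pids, names and masks are made up for this example.
fn samples() -> Vec<SampleProcess> {
    let all = CAP_VALID_MASK;
    vec![
        SampleProcess { pid: 1, comm: "systemd", uid: 0, effective: all, permitted: all, inheritable: 0 },
        SampleProcess { pid: 2140, comm: "ping", uid: 1000, effective: bit(13), permitted: bit(13), inheritable: 0 },
        SampleProcess { pid: 3307, comm: "bash", uid: 1000, effective: bit(21) | bit(19), permitted: bit(21) | bit(19), inheritable: 0 },
        SampleProcess { pid: 4411, comm: "kworker/u8:1", uid: 0, effective: bit(16), permitted: 0, inheritable: 0 },
    ]
}

fn main() {
    for p in samples() {
        let (verdict, reasons) = classify(&p);
        println!("pid {:>5} {:<14} uid {:<5} {:?}", p.pid, p.comm, p.uid, verdict);
        for r in &reasons {
            println!("      {r}");
        }
    }
}
```

With these samples the root init process with a full set is benign, ping with only CAP_NET_RAW lands in Review, the uid 1000 shell holding CAP_SYS_ADMIN and CAP_SYS_PTRACE is Suspicious, and the root process whose effective set exceeds its permitted set is Suspicious because that state cannot be reached through capset().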

Re-exports

pub use crate::heuristics::classify_capabilities;

Structs

ProcessCapabilities
Process capability information extracted from task_struct.cred.

Functions

cap_name
Map a single capability bit to its human-readable name.
walk_capabilities
Walk capability information for each process in the provided list.