In this page we will walk through the steps required to generate a capability profile for the ping application.
Decap is mainly developed in Python, so you will need Python 3 installed:
sudo apt update
sudo apt install -y python3
sudo pip3 install pandas
As Decap uses sysfilter's system call extraction tool, you also have to clone and build the sysfilter extraction tool from here. When running Decap, pass the path of the sysfilter_extract executable as a flag value.
Now we will check that we are running the kernel version required for completing the hands-on exercise. We tested Decap on Ubuntu 18.04 with kernel v5.4.
uname --kernel-release
This should print the kernel version which should be as follows:
5.4.0-48-lowlatency
It is critical that you see the correct Linux kernel version.
We can check the Ubuntu distribution using this command:
cat /etc/issue
This should print the Ubuntu version which should be as follows:
Ubuntu 18.04.5 LTS \n \l
1. Find the path of the ping binary:
whereis -b ping
This should print the path of the binary like this:
ping: /bin/ping
2. Switch to the `src` directory.
cd src
3. Open a new file and name it as you like. We will use myexample.json in the following steps.
vim myexample.json
4. Copy the following text into the file and update the binary-path value from step 1.
{ "ping": { "binary-path": "/bin/ping" } }
5. Now run Decap:
sudo python3 decap.py --input [full-path-of-myexample.json] --sysfilterpath [full-path-of-sysfilter_extraction-executable]
The script will now start analyzing the binary for the required capabilities.
Starting analysis for binary: ping ...
System call extraction and argument analysis phase
Starting system call extraction ...
Extracting system calls using Confine and performing argument analysis for the system calls responsible for CAP_SYS_ADMIN ...
Extracting system calls using Sysfilter ...
Generating final system call list ...
...
System call extraction done!
Total number of extracted system calls : 50
The script will then determine the required capabilities from the extracted system calls.
Finding required capabilities for the extracted system calls ...
Checking if CAP_SYS_ADMIN is required based on the argument analysis ...
... removing CAP_SYS_ADMIN
Total num of capabilties to add : 16
Deprivileging setuid binary and enforcing only the required capabilities to the binary
Done capability analysis for ping!
----------------------------------------------------------------
6. The analysis is now done and we can check the capabilities of the binary:
getcap /bin/ping
This should print the capabilities added to the binary like this:
/bin/ping = cap_dac_override,cap_dac_read_search,cap_fowner,cap_kill,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_resource,cap_sys_tty_config,cap_lease,cap_audit_control,cap_mac_override+ep
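To confirm that a Decap run produced the profile the walkthrough expects, the following added example (my own code, not part of Decap or sysfilter) builds the myexample.json input from step 4, parses a getcap line into a set of capability names, and reports anything that should not be there: CAP_SYS_ADMIN, which the output above shows being removed after argument analysis; capabilities that are not both effective and permitted; and any difference from an expected set. It also checks that the setuid bit was cleared, since the run above "deprivileges" the setuid binary. The sample getcap line is copied from the end of the walkthrough; the function names and the getcap parser are my own assumptions, and the parser accepts both the `= caps+ep` style shown above and the `caps=ep` style printed by newer libcap releases.

```python
"""
Added example (not part of Decap or sysfilter): sanity-check the result of
a Decap run against what the ping walkthrough expects.
"""
import json
import os
import re
import stat

# Constructed input: the getcap line shown at the end of the walkthrough.
SAMPLE_GETCAP = (
    "/bin/ping = cap_dac_override,cap_dac_read_search,cap_fowner,cap_kill,"
    "cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,"
    "cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_resource,"
    "cap_sys_tty_config,cap_lease,cap_audit_control,cap_mac_override+ep"
)

# Capabilities that must not survive a Decap run; the walkthrough output
# shows CAP_SYS_ADMIN being dropped after argument analysis.
DISALLOWED = {"cap_sys_admin"}

# Accepts both getcap output styles:
#   "/bin/ping = cap_a,cap_b+ep"   (style shown in the walkthrough)
#   "/bin/ping cap_a,cap_b=ep"     (newer libcap)
_GETCAP_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z_0-9,]+)[+=](?P<flags>[eip]+)\s*$"
)


def make_input_profile(name, binary_path):
    """Return the JSON text Decap takes as --input (step 4 of the walkthrough)."""
    return json.dumps({name: {"binary-path": binary_path}}, indent=2)


def parse_getcap(line):
    """Parse one getcap line into (path, frozenset of capability names, flags)."""
    m = _GETCAP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised getcap output: {line!r}")
    caps = frozenset(c for c in m.group("caps").split(",") if c)
    return m.group("path"), caps, m.group("flags")


def audit_getcap_line(line, expected_caps=None):
    """Return a list of findings; an empty list means the profile looks as expected."""
    path, caps, flags = parse_getcap(line)
    findings = []
    # Decap enforces the capabilities as effective and permitted (+ep).
    if not {"e", "p"} <= set(flags):
        findings.append(f"{path}: capabilities must be effective and permitted, got +{flags}")
    for cap in sorted(caps & DISALLOWED):
        findings.append(f"{path}: disallowed capability {cap} is still present")
    if expected_caps is not None:
        extra = sorted(caps - expected_caps)
        missing = sorted(expected_caps - caps)
        if extra:
            findings.append(f"{path}: unexpected capabilities {extra}")
        if missing:
            findings.append(f"{path}: missing capabilities {missing}")
    return findings


def is_setuid(path):
    """True if the file still carries the setuid bit, which Decap should have cleared."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


if __name__ == "__main__":
    print(make_input_profile("ping", "/bin/ping"))
    expected = parse_getcap(SAMPLE_GETCAP)[1]
    print("findings:", audit_getcap_line(SAMPLE_GETCAP, expected) or "none")
    if os.path.exists("/bin/ping"):
        print("/bin/ping still setuid:", is_setuid("/bin/ping"))
```

On a live system, feed the script the real `getcap /bin/ping` output and an expected set taken from a known-good run; any finding, in particular a surviving CAP_SYS_ADMIN or a setuid bit that is still set, means the profile should not be trusted until the run is repeated and the output inspected.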