Issue setting up the DPDK development with non-privileged user
Dmitry Kozlyuk
dmitry.kozliuk at gmail.com
Thu Sep 1 21:26:12 CEST 2022
2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> Theoretically, one can enumerate all capabilities, give all capabilities
> except one to the binary, try to run it, and notice which capability removal
> leads to a failure. However, `setcap "all=ep $capa-ep" ./binary`
> did not give the correct answer to me (why?), so I did it semi-manually.
Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
they both allow bypassing the file read permission check.
I have a working script here:
https://github.com/PlushBeaver/ancap
In our case:
./ancap /work/_install/bin/dpdk-testpmd /bin/sh -c '/work/_install/bin/dpdk-testpmd -a 03:00.0 --iova-mode=pa --in-memory </dev/null >/dev/null 2>/dev/null'
cap_sys_admin+ep
cap_dac_read_search+ep
NOTE: need cap_dac_override or cap_dac_read_search
to bypass file read permission checks.
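The remove-one-capability procedure from the quoted paragraph, with the re-test for the overlapping DAC pair, as an added POSIX sh example (my own code, not the ancap script nor anything from DPDK). It assumes root, setcap(8) from libcap, and a command whose exit status reflects success; the function names and the candidate set are assumptions.

```shell
#!/bin/sh
# Added example (not the ancap script): find which file capabilities a binary
# needs by granting a candidate set minus one and checking whether the command
# still succeeds. Assumes root, setcap(8) from libcap, and a command whose exit
# status reflects success, e.g. the dpdk-testpmd command line from the message.

# Space-separated set $1 without capability $2.
without() {
    out=""
    for c in $1; do [ "$c" = "$2" ] || out="${out:+$out }$c"; done
    printf '%s\n' "$out"
}

# True when capability $2 is in the space-separated set $1.
has_cap() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# setcap(8) text for a set: "cap_a,cap_b=ep"; an empty set yields nothing.
captext() {
    [ -n "$1" ] || return 0
    printf '%s=ep\n' "$(printf '%s' "$1" | tr ' ' ',')"
}

# Put capability text $2 on binary $1 (empty text clears it), run the command.
probe() {  # probe BINARY CAPTEXT CMD...
    bin=$1; caps=$2; shift 2
    if [ -n "$caps" ]; then setcap "$caps" "$bin" || return 2
    else setcap -r "$bin" 2>/dev/null; fi
    "$@" </dev/null >/dev/null 2>&1
}

# Print each capability whose removal alone breaks the command. Then handle
# the overlap the message describes: if neither DAC capability is flagged
# alone, remove both and re-test; a failure means one of the two is needed.
find_needed() {  # find_needed BINARY "CAP CAP ..." CMD...
    bin=$1; all=$2; shift 2
    dac_hit=0
    for c in $all; do
        if ! probe "$bin" "$(captext "$(without "$all" "$c")")" "$@"; then
            echo "$c"
            case $c in cap_dac_override|cap_dac_read_search) dac_hit=1 ;; esac
        fi
    done
    if [ "$dac_hit" -eq 0 ] && has_cap "$all" cap_dac_override \
       && has_cap "$all" cap_dac_read_search; then
        both=$(without "$(without "$all" cap_dac_override)" cap_dac_read_search)
        probe "$bin" "$(captext "$both")" "$@" \
            || echo "cap_dac_override or cap_dac_read_search"
    fi
    setcap -r "$bin" 2>/dev/null   # leave the binary unprivileged afterwards
}
```

Run it as, for instance, `find_needed /work/_install/bin/dpdk-testpmd "cap_sys_admin cap_dac_override cap_dac_read_search cap_net_raw" /work/_install/bin/dpdk-testpmd -a 03:00.0 --iova-mode=pa --in-memory`; a capability that only shows up as needed once every overlapping alternative is also gone is exactly the case the NOTE above describes.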