Issue setting up the DPDK development with non-privileged user

Boris Ouretskey borisusun at gmail.com
Sat Sep 3 20:18:25 CEST 2022


With the help of bcc tools I figured out the following list of capabilities
needed to run the hello world application:

sudo setcap cap_ipc_lock,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_sys_rawio+ep ./dpdk-helloworld

BCC toolkit is full of useful utils.

My 50 cents to finish the subject. The reason for zeroing out the mapping
for the unprivileged user is stated in the doc:

From https://www.kernel.org/doc/Documentation/vm/pagemap.txt:

"Starting from 4.2 the PFN field is zeroed if the user does not have
CAP_SYS_ADMIN. Reason: information about PFNs helps in exploiting
Rowhammer vulnerability."


Thanks again for the help.

On Fri, Sep 2, 2022 at 5:31 PM Dmitry Kozlyuk <dmitry.kozliuk at gmail.com>
wrote:

> 2022-09-01 22:26 (UTC+0300), Dmitry Kozlyuk:
> > 2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> > > Theoretically, one can enumerate all capabilities, give all capabilities
> > > except one to the binary, try to run it, and notice which capability
> > > removal leads to a failure. However, `setcap "all=ep $capa-ep" ./binary`
> > > did not give the correct answer to me (why?), so I did it semi-manually.
> >
> > Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
> > they both allow bypassing file read permission check.
> >
> > I have a working script here: ...
>
> Apparently, a better alternative is already out there:
>
> https://github.com/iovisor/bcc/blob/master/tools/capable_example.txt
>
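
The pagemap behaviour quoted at the top of this message can be checked directly. The following is an added example, not code from this thread or from DPDK: it reads the `/proc/self/pagemap` entry for one of the process's own pages and reports whether the PFN field is visible or was zeroed by the kernel. The names `pm_classify` and `pm_read_entry` are hypothetical; the bit layout (bits 0-54 PFN, bit 63 present) is taken from pagemap.txt, and treating PFN 0 on a present page as "zeroed" is an assumption.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define PM_PFN_MASK ((1ULL << 55) - 1)  /* bits 0-54: PFN if page is present */
#define PM_PRESENT  (1ULL << 63)        /* bit 63: page present in RAM */

enum pm_state { PM_NOT_PRESENT, PM_PFN_HIDDEN, PM_PFN_VISIBLE };

/* Classify one 64-bit pagemap entry and extract its PFN field. */
enum pm_state pm_classify(uint64_t entry, uint64_t *pfn)
{
    *pfn = 0;
    if (!(entry & PM_PRESENT))
        return PM_NOT_PRESENT;
    *pfn = entry & PM_PFN_MASK;
    /* Assumption: a present page reporting PFN 0 means the kernel zeroed
     * the field because the reader lacks CAP_SYS_ADMIN (Linux >= 4.2). */
    return *pfn ? PM_PFN_VISIBLE : PM_PFN_HIDDEN;
}

/* Read the pagemap entry covering a virtual address of this process. */
int pm_read_entry(const void *vaddr, uint64_t *entry)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    off_t off = (off_t)(((uintptr_t)vaddr / page) * sizeof(*entry));
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    int ok = lseek(fd, off, SEEK_SET) == off &&
             read(fd, entry, sizeof(*entry)) == (ssize_t)sizeof(*entry);
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    static const char *names[] = { "not present", "present, PFN zeroed",
                                   "present, PFN visible" };
    char probe = 1;          /* lives on the stack, so its page is faulted in */
    uint64_t entry, pfn;

    if (pm_read_entry(&probe, &entry) != 0) {
        perror("/proc/self/pagemap");
        return 1;
    }
    enum pm_state s = pm_classify(entry, &pfn);
    printf("entry=0x%016llx pfn=0x%llx (%s)\n",
           (unsigned long long)entry, (unsigned long long)pfn, names[s]);
    return 0;
}
```

Running the binary as a regular user and again after `sudo setcap cap_sys_admin+ep` on it shows the difference between the two present-page states.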