Date: Thu, 1 Sep 2022 22:26:12 +0300
From: Dmitry Kozlyuk
To: Boris Ouretskey
Cc: users@dpdk.org, Bruce Richardson, "Burakov, Anatoly"
Subject: Re: Issue setting up the DPDK development with non-privileged user
Message-ID: <20220901222612.542840fe@sovereign>
In-Reply-To: <20220901174259.3a9420ae@sovereign>
References: <20220831190158.44dd76de@sovereign> <20220901174259.3a9420ae@sovereign>

2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> Theoretically, one can enumerate all capabilities, give all capabilities
> except one to the binary, try to run it, and notice which capability removal
> leads to a failure. However, `setcap "all=ep $capa-ep" ./binary`
> did not give the correct answer to me (why?), so I did it semi-manually.

Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
they both allow bypassing the file read permission check.
I have a working script here: https://github.com/PlushBeaver/ancap

In our case:

    ./ancap /work/_install/bin/dpdk-testpmd /bin/sh -c '/work/_install/bin/dpdk-testpmd -a 03:00.0 --iova-mode=pa --in-memory /dev/null 2>/dev/null'
    cap_sys_admin+ep
    cap_dac_read_search+ep
    NOTE: need cap_dac_override or cap_dac_read_search to bypass file read permission checks.
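The reason the leave-one-out scheme in the quoted message cannot find a capability that has a substitute, and how a greedy elimination gets around it, shown as an added worked example. This is not the ancap script and not DPDK code; the capability list, the `simulated_testpmd` oracle (a constructed model of the behaviour reported above: CAP_SYS_ADMIN plus either of the two DAC capabilities) and the `make_setcap_oracle` helper are assumptions made here for illustration. Only the real oracle needs root and `setcap`; the demo runs entirely on the simulated one.

```python
"""Minimising a binary's file capabilities: leave-one-out vs. greedy elimination.

Added example, not part of the original message or of the ancap script.
"""
import subprocess
from typing import Callable, Iterable, List, Set

# Oracle: returns True if the program works with exactly this capability set.
Oracle = Callable[[Set[str]], bool]

# Constructed candidate list (a subset of Linux capabilities). Broader capabilities
# are listed before the narrower ones they subsume (cap_dac_override before
# cap_dac_read_search) so that greedy elimination drops the broad one first.
DEMO_CAPS: List[str] = [
    "cap_sys_admin",
    "cap_dac_override",
    "cap_dac_read_search",
    "cap_net_admin",
    "cap_ipc_lock",
    "cap_sys_rawio",
]


def setcap_argv(caps: Iterable[str], binary: str) -> List[str]:
    """argv for setcap(8) that leaves `binary` with exactly `caps` as effective+permitted.

    An empty set means 'no file capabilities', which setcap expresses as `-r`.
    """
    caps = sorted(set(caps))
    if not caps:
        return ["setcap", "-r", binary]
    return ["setcap", ",".join(caps) + "=ep", binary]


def make_setcap_oracle(binary: str, command: List[str]) -> Oracle:
    """Real oracle (assumption: run as root or with CAP_SETFCAP; not used by the demo).

    Applies the set to `binary`, runs `command`, and treats exit status 0 as 'works'.
    """
    def works(caps: Set[str]) -> bool:
        subprocess.run(setcap_argv(caps, binary), check=True)
        proc = subprocess.run(command, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode == 0
    return works


def simulated_testpmd(caps: Set[str]) -> bool:
    """Constructed model of the reported behaviour: CAP_SYS_ADMIN is required, and
    file read checks can be bypassed by EITHER cap_dac_override or cap_dac_read_search."""
    return "cap_sys_admin" in caps and bool(caps & {"cap_dac_override", "cap_dac_read_search"})


def leave_one_out(all_caps: List[str], works: Oracle) -> List[str]:
    """The scheme from the quoted message: remove one cap from the FULL set at a time and
    call it needed only if the program then fails. Two caps that substitute for each other
    are each dropped without failure, so neither is reported."""
    full = set(all_caps)
    return [c for c in all_caps if not works(full - {c})]


def minimise(all_caps: List[str], works: Oracle) -> List[str]:
    """Greedy elimination: remove caps from the CURRENT working set, keeping each
    removal only if the program still works. The result is 1-minimal: taking away any
    one remaining cap breaks the program. Which of two substitutes survives depends on
    the order of `all_caps`, hence the broad-first ordering of DEMO_CAPS."""
    current = set(all_caps)
    for cap in all_caps:
        trial = current - {cap}
        if works(trial):
            current = trial
    return sorted(current)


def is_one_minimal(caps: List[str], works: Oracle) -> bool:
    """Check that the set works and that every single cap in it is actually required."""
    full = set(caps)
    return works(full) and all(not works(full - {c}) for c in caps)


if __name__ == "__main__":
    print("leave-one-out:", leave_one_out(DEMO_CAPS, simulated_testpmd))
    print("greedy:       ", minimise(DEMO_CAPS, simulated_testpmd))
    print("setcap argv:  ", setcap_argv(minimise(DEMO_CAPS, simulated_testpmd), "./dpdk-testpmd"))
```

On the simulated oracle, leave-one-out reports only cap_sys_admin, because dropping either DAC capability alone leaves the other in place; greedy elimination reports cap_sys_admin plus cap_dac_read_search, matching what the message lists. The greedy result is 1-minimal but not unique: with cap_dac_read_search listed first it would keep cap_dac_override instead, so order the candidate list from broadest to narrowest.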