DPDK usage discussions
From: Boris Ouretskey <borisusun@gmail.com>
To: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Cc: users@dpdk.org
Subject: Re: Issue setting up the DPDK development with non-privileged user
Date: Sat, 3 Sep 2022 21:18:25 +0300
Message-ID: <CAG4AAQ0h57MPrzDFfq+w45X_K4yQkGd45yQ1hdWxtb5tnMvK=g@mail.gmail.com>
In-Reply-To: <20220902173154.57f5210c@sovereign>


With the help of bcc tools I figured out the following list of capabilities
to run the hello world application:

sudo setcap cap_ipc_lock,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_sys_rawio+ep ./dpdk-helloworld

BCC toolkit is full of useful utils.

My 50 cents to finish the subject. The reason for zeroing out the mapping
for the unprivileged user is stated in the doc.

From https://www.kernel.org/doc/Documentation/vm/pagemap.txt:

  "Starting from 4.2 the PFN field is zeroed if the user does not have
   CAP_SYS_ADMIN. Reason: information about PFNs helps in exploiting
   Rowhammer vulnerability."

Thanks again for the help.

On Fri, Sep 2, 2022 at 5:31 PM Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:

> 2022-09-01 22:26 (UTC+0300), Dmitry Kozlyuk:
> > 2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> > > Theoretically, one can enumerate all capabilities, give all capabilities
> > > except one to the binary, try to run it, and notice which capability removal
> > > leads to a failure. However, `setcap "all=ep $capa-ep" ./binary`
> > > did not give the correct answer to me (why?), so I did it semi-manually.
> >
> > Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
> > they both allow bypassing file read permission check.
> >
> > I have a working script here: ...
>
> Apparently, a better alternative is already out there:
>
> https://github.com/iovisor/bcc/blob/master/tools/capable_example.txt
>
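
The pagemap behaviour quoted in this message can be checked from inside a process. The following is an added example, not part of the original thread or of DPDK: it reads the /proc/self/pagemap entry for one of its own pages and reports whether the PFN field is visible or zeroed. The names classify_entry and query_pfn are hypothetical; the bit layout (PFN in bits 0-54, present flag in bit 63) is the one given in the kernel's pagemap.txt.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define PM_PRESENT  (1ULL << 63)        /* bit 63: page is present in RAM */
#define PM_PFN_MASK ((1ULL << 55) - 1)  /* bits 0-54: PFN when present */

enum pfn_status { PFN_VISIBLE, PFN_ZEROED, PFN_NOT_PRESENT, PFN_READ_ERROR };

/* Classify one raw 64-bit pagemap entry; *pfn receives the PFN field. */
enum pfn_status classify_entry(uint64_t entry, uint64_t *pfn)
{
    *pfn = 0;
    if (!(entry & PM_PRESENT))
        return PFN_NOT_PRESENT;
    *pfn = entry & PM_PFN_MASK;
    /* A present page with PFN 0 is what the kernel reports since 4.2
     * when the reader lacks CAP_SYS_ADMIN. */
    return *pfn ? PFN_VISIBLE : PFN_ZEROED;
}

/* Look up the pagemap entry that covers addr in the calling process. */
enum pfn_status query_pfn(const volatile void *addr, uint64_t *pfn)
{
    uint64_t entry = 0;
    uint64_t page = (uint64_t)sysconf(_SC_PAGESIZE);
    off_t off = (off_t)((uintptr_t)addr / page * sizeof(entry));
    int fd = open("/proc/self/pagemap", O_RDONLY);

    *pfn = 0;
    if (fd < 0)
        return PFN_READ_ERROR;
    int ok = lseek(fd, off, SEEK_SET) == off &&
             read(fd, &entry, sizeof(entry)) == (ssize_t)sizeof(entry);
    close(fd);
    return ok ? classify_entry(entry, pfn) : PFN_READ_ERROR;
}

int main(void)
{
    static const char *names[] = { "visible", "zeroed", "not present", "read error" };
    static volatile char buf[4096];
    uint64_t pfn;

    buf[0] = 1;  /* touch the page so it is faulted in */
    enum pfn_status st = query_pfn(buf, &pfn);
    printf("PFN field: %s (0x%llx)\n", names[st], (unsigned long long)pfn);
    return st == PFN_READ_ERROR;
}
```

Run as an ordinary user it reports "zeroed"; run with CAP_SYS_ADMIN it reports "visible" with a non-zero PFN.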
