With the help of bcc tools I figured out the following list of capabilities to run hello world application

sudo setcap cap_ipc_lock,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_sys_rawio+ep ./dpdk-helloworld

BCC toolkit is full of useful utils.

My 50 cents to finish the subject. The reason for zeroing out the mapping for the unprivileged user is stated in doc and it is :-

from https://www.kernel.org/doc/Documentation/vm/pagemap.txt

 Starting from
   4.2 the PFN field is zeroed if the user does not have CAP_SYS_ADMIN.
   Reason: information about PFNs helps in exploiting Rowhammer vulnerability.

Thanks again for the help.

On Fri, Sep 2, 2022 at 5:31 PM Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:

2022-09-01 22:26 (UTC+0300), Dmitry Kozlyuk:
> 2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> > Theoretically, one can enumerate all capabilities, give all capabilities
> > except one to the binary, try to run it, and notice which capability removal
> > leads to a failure. However, `setcap "all=ep $capa-ep" ./binary`
> > did not give the correct answer to me (why?), so I did it semi-manually.
>
> Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
> they both allow bypassing file read permission check.
>
> I have a working script here: ...

Apparently, a better alternative is already out there:

https://github.com/iovisor/bcc/blob/master/tools/capable_example.txt