From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 04B88A0545 for ; Sat, 3 Sep 2022 20:18:41 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 9B61240A7F; Sat, 3 Sep 2022 20:18:40 +0200 (CEST) Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) by mails.dpdk.org (Postfix) with ESMTP id DCEA940698 for ; Sat, 3 Sep 2022 20:18:39 +0200 (CEST) Received: by mail-pg1-f178.google.com with SMTP id 73so4710846pga.1 for ; Sat, 03 Sep 2022 11:18:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=ngvufkRfonox11phXm6Us2GzsYKBaoureLZd6O8isTg=; b=T3J/eYY7IQfgH+2H0dILQvrshvpZXUEn1tlq5K94PBCiSKVqgf+PiNcl8C69eE3yDo Nna9QWOmjzdp2cuKoAIevmxqrq2yt7X5irVSi0Pee63uw5WEHFdDVzuTvyVndIrnHpys d7EHq/7LUPmZwCkmdSPM1dybsWjIwkbRp+8AHkoLlQQaz6mPp/ovhGfCJMqyCaV15rXH 0fV1aYysooL9oSQmpnkEbAARZ/RNbvPyC/yTApXkjF+h9eWn2cuTt8Sx+ux/WRV9RB92 fXgChQ/ajcJbIj68HOPzmk/zMIJAQE99KtssEuxnHgQ8QoMskTGLvJC2cb5OsfzrdpHy iYPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=ngvufkRfonox11phXm6Us2GzsYKBaoureLZd6O8isTg=; b=jrFQAGpD/645X1k+VCh06LXi86aXDJyRqrmTcUXdAG1Qz+o6YwF+GeVNq+F0xU4q5u IkKBwknqFFzUO8diZIPPl2qE8GM67scJvjVfRqxiJFnjNsEMGUWn7sJNTk50AUDT3FVn Sm3T2dDVR+NeOHav4d/mQ0QYdmDq1IxfAoVYBF4VxZ8WXqFf3Drw92fuH2MSZLMF3T/+ u9+vbREZ4PZpYMq7ujGip8IUJo+gnDAgApdinoa0fdadunOvDGATO3gX1eKruvlVG7TH zsyjX1sih5ayjAHAhFW3kxvvKSJkk4z/t6QZNEM6sozCDUeQf01oa9fjYPazVK6jhLFn KpaA== X-Gm-Message-State: ACgBeo0lMzqlA6WRKFaEJuitbQiWrx97Mu03ThJqtqGXX2SbzxYWfvFe r2A663Z6lXgZQprsgb2bJNk87ngVUPS8s/k/7Ck= X-Google-Smtp-Source: AA6agR685X+5dETSUFvf+8sscHhHWsrKDoQ9gVjSns3kjQ/yYz/onsIKVhilJ0csQ9o26QZb6Mh2sy6Y0wj53D1v/WU= X-Received: by 2002:a05:6a00:1827:b0:538:3d5f:fd3 with SMTP id y39-20020a056a00182700b005383d5f0fd3mr30502287pfa.28.1662229118148; Sat, 03 Sep 2022 11:18:38 -0700 (PDT) MIME-Version: 1.0 References: <20220831190158.44dd76de@sovereign> <20220901174259.3a9420ae@sovereign> <20220901222612.542840fe@sovereign> <20220902173154.57f5210c@sovereign> In-Reply-To: <20220902173154.57f5210c@sovereign> From: Boris Ouretskey Date: Sat, 3 Sep 2022 21:18:25 +0300 Message-ID: Subject: Re: Issue setting up the DPDK development with non-privileged user To: Dmitry Kozlyuk Cc: users@dpdk.org Content-Type: multipart/alternative; boundary="0000000000001f620b05e7c9e077" X-BeenThere: users@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK usage discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: users-bounces@dpdk.org --0000000000001f620b05e7c9e077 Content-Type: text/plain; charset="UTF-8" With the help of bcc tools I figured out the following list of capabilities to run hello world application sudo setcap cap_ipc_lock,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_sys_rawio+ep ./dpdk-helloworld BCC toolkit is full of useful utils. My 50 cents to finish the subject. The reason for zeroing out the mapping for the unprivileged user is stated in doc and it is :- from https://www.kernel.org/doc/Documentation/vm/pagemap.txt Starting from 4.2 the PFN field is zeroed if the user does not have CAP_SYS_ADMIN. Reason: information about PFNs helps in exploiting Rowhammer vulnerability. " Thanks again for the help. On Fri, Sep 2, 2022 at 5:31 PM Dmitry Kozlyuk wrote: > 2022-09-01 22:26 (UTC+0300), Dmitry Kozlyuk: > > 2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk: > > > Theoretically, one can enumerate all capabilities, give all > capabilities > > > except one to the binary, try to run it, and notice which capability > removal > > > leads to a failure. However, `setcap "all=ep $capa-ep" ./binary` > > > did not give the correct answer to me (why?), so I did it > semi-manually. > > > > Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal: > > they both allow bypassing file read permission check. > > > > I have a working script here: ... > > Apparently, a better alternative is already out there: > > https://github.com/iovisor/bcc/blob/master/tools/capable_example.txt > --0000000000001f620b05e7c9e077 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
With the help of bcc tools I figured out the followin= g list of capabilities to run hello world application

<= div>sudo setcap cap_ipc_lock,cap_sys_admin,cap_dac_override,cap_dac_read_se= arch,cap_sys_rawio+ep ./dpdk-helloworld

BCC to= olkit=C2=A0is full of useful utils.

My 50 cents to= finish the subject. The reason for zeroing out the mapping for the unprivi= leged=C2=A0user is stated in doc and it is :-


 Starting from
   4.2 the PFN field is zeroed if the user does not have CAP_SYS_ADMIN.
   Reason: information about PFNs helps in exploiting Rowhammer vulnerabili=
ty.
"
<= /div>

Thanks again for the help.

On Fri, Sep 2, 2022 at 5:31 P= M Dmitry Kozlyuk <dmitry.koz= liuk@gmail.com> wrote:
2022-09-01 22:26 (UTC+0300), Dmitry Kozlyuk:
> 2022-09-01 17:42 (UTC+0300), Dmitry Kozlyuk:
> > Theoretically, one can enumerate all capabilities, give all capab= ilities
> > except one to the binary, try to run it, and notice which capabil= ity removal
> > leads to a failure. However, `setcap "all=3Dep $capa-ep"= ; ./binary`
> > did not give the correct answer to me (why?), so I did it semi-ma= nually.=C2=A0
>
> Aha! CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not orthogonal:
> they both allow bypassing file read permission check.
>
> I have a working script here: ...

Apparently, a better alternative is already out there:

https://github.com/iovisor/bcc/b= lob/master/tools/capable_example.txt
--0000000000001f620b05e7c9e077--