From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id E1001423E3;
	Sun, 15 Jan 2023 14:30:48 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 5154A410F2;
	Sun, 15 Jan 2023 14:30:48 +0100 (CET)
Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com
 [209.85.208.177])
 by mails.dpdk.org (Postfix) with ESMTP id 6597F40042;
 Sun, 15 Jan 2023 14:30:46 +0100 (CET)
Received: by mail-lj1-f177.google.com with SMTP id e16so479655ljn.3;
 Sun, 15 Jan 2023 05:30:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=QNRk0hQlMXbfnq6LeYTVzWzDsFPBVC+YSc93cGl8pFw=;
 b=BIqL8zwAvY5FhhNZbu5Lx+4d6/dHLZF2Fq5jzNEVRFtSWqXWshSzDXjgXKfGcvZ3lZ
 gIq+EccqvfAfIm8+5FhatrqWdwafxvkJ01JyeayuBjWVciYWPV2IB2jSHi74dyW0YgX6
 7wsOD4yorNpIrSNYe3xa7Ye+ZXjaxvadB3H1gC7EPW6yMi3pqy+29jQBf0JTv9ceMCsK
 bZ6d0YarvjhZZ9iJMnNQApkIQoSMkpQUCMl0DnscxqzeIaQw77JM7s2AdtWe4h65/aAY
 0Z13TvACKHE8Fs9FhINLD8NIe9AwHiMle3pE3UHXinq+aLflldM7D483R0F2pXMt9YxN
 jjAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=QNRk0hQlMXbfnq6LeYTVzWzDsFPBVC+YSc93cGl8pFw=;
 b=ro61eNkL1EkX6DAfOoFQVRK3v82dMHngjBoOFNhJM06KnUSfUGBqmxbXw4yuqzJgwk
 K9s6noVR91DWhAfFSgtIPAhzMT1Aisu3qZVEx6KDvpIu5fSrcDNTD0xKEcdcfLtRbr9+
 BDozakfjQ3WIhTJOMFMd+fT1oVQBLZfzRdMZxZuxvCpcDJcVtkWUd0rpguPL9hpe8S/l
 v5hstuerB7z7WDGa/5qQ74Nx8Eu6Vt5jIzCIxyXbphQUEzJiynT2cyR0QvH+7gk5Fh56
 n3X4hKbQdmbgerUq4c7FGsaysvoSGlNQ1N8h9SLWLp8eqjURvp2P7hLcNApKImSLsJFz
 sXiA==
X-Gm-Message-State: AFqh2kqIgoYuGjc/Rqzx+CplvGhCldGw6rEwfq8zGpo3h02+pnyLmjHY
 yzXVDba+ifK4J0NrX/Bz+DNuJhLwJHMXe/ngFEM=
X-Google-Smtp-Source: AMrXdXvksG+5ggghIzx/rv4HOUVLuhgoZHulrOeIvYRKByeavBGggVju3w+kb6F7oCyEKbdpBzLzmSp4fmBAIaov0GI=
X-Received: by 2002:a2e:a26a:0:b0:285:3383:6635 with SMTP id
 k10-20020a2ea26a000000b0028533836635mr1753783ljm.323.1673789445688; Sun, 15
 Jan 2023 05:30:45 -0800 (PST)
MIME-Version: 1.0
References: <20230114225802.136625-1-dmitry.kozliuk@gmail.com>
 <20230114182752.0fa60bf7@hermes.local> <20230115154606.31e855cf@sovereign>
In-Reply-To: <20230115154606.31e855cf@sovereign>
From: Isaac Boukris <iboukris@gmail.com>
Date: Sun, 15 Jan 2023 15:30:34 +0200
Message-ID: <CAC-fF8Twi9EECV6K45Y2kAXAK12kkgv_aGZ9P9=uD_vr8nYQmA@mail.gmail.com>
Subject: Re: [PATCH] doc: add capability to access physical addresses
To: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>, dev@dpdk.org,
 stable@dpdk.org, Boris Ouretskey <borisusun@gmail.com>,
 Bruce Richardson <bruce.richardson@intel.com>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

Hi,

On Sun, Jan 15, 2023 at 2:46 PM Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:
>
> 2023-01-14 18:27 (UTC-0800), Stephen Hemminger:
> > DAC_OVERRIDE is like having the master key. It opens all doors
> > and if so, running as non-root really doesn't matter that much.
> >
> > Ideally, a finer grain permission could be used.
> > Recommending this to users seems wrong.
>
> According to my tests, DAC_READ_SEARCH can be used instead of DAC_OVERRIDE.
> It seems slightly better, because it doesn't bypass write permission checks.
> Although I agree with Isaac that SYS_ADMIN is already very powerful,
> and remember that the final goal is to perform unrestricted DMA.
> Boris, Isaac, is DAC_READ_SEARCH sufficient on your systems?

Yes, I can confirm that DAC_READ_SEARCH works fine on my system as well. Thanks!

[admin@localhost ~]$ getcap /usr/bin/dpdk-testpmd
/usr/bin/dpdk-testpmd cap_dac_read_search,cap_ipc_lock,cap_sys_admin=ep
[admin@localhost ~]$ dpdk-testpmd -l 2,3,4 -a 000:0b:00.0 --huge-dir
/dev/hugepages/ --iova-mode pa
EAL: Detected CPU lcores: 8
EAL: Detected NUMA nodes: 1
EAL: Detected shared linkage of DPDK
EAL: Multi-process socket /tmp/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: No available 1048576 kB hugepages reported
TELEMETRY: No legacy callbacks, legacy socket not created
testpmd: No probed ethernet devices
testpmd: create a new mbuf pool <mb_pool_0>: n=163456, size=2176, socket=0
testpmd: preferred mempool ops selected: ring_mp_mc
Done