Hi, On Sun, Jan 15, 2023 at 2:46 PM Dmitry Kozlyuk <dmitry.kozl...@gmail.com> wrote: > > 2023-01-14 18:27 (UTC-0800), Stephen Hemminger: > > DAC_OVERRIDE is like having the master key. It opens all doors > > and if so, running as non-root really doesn't matter that much. > > > > Ideally, a finer grain permission could be used. > > Recommending this to users seems wrong. > > According to my tests, DAC_READ_SEARCH can be used instead of DAC_OVERRIDE. > It seems slightly better, because it doesn't bypass write permission checks. > Although I agree with Isaac that SYS_ADMIN is already very powerful, > and remember that the final goal is to perform unrestricted DMA. > Boris, Isaac, is DAC_READ_SEARCH sufficient on your systems?
Yes, I can confirm that DAC_READ_SEARCH works fine on my system as well. Thanks! [admin@localhost ~]$ getcap /usr/bin/dpdk-testpmd /usr/bin/dpdk-testpmd cap_dac_read_search,cap_ipc_lock,cap_sys_admin=ep [admin@localhost ~]$ dpdk-testpmd -l 2,3,4 -a 000:0b:00.0 --huge-dir /dev/hugepages/ --iova-mode pa EAL: Detected CPU lcores: 8 EAL: Detected NUMA nodes: 1 EAL: Detected shared linkage of DPDK EAL: Multi-process socket /tmp/dpdk/rte/mp_socket EAL: Selected IOVA mode 'PA' EAL: No available 1048576 kB hugepages reported TELEMETRY: No legacy callbacks, legacy socket not created testpmd: No probed ethernet devices testpmd: create a new mbuf pool <mb_pool_0>: n=163456, size=2176, socket=0 testpmd: preferred mempool ops selected: ring_mp_mc Done
