Change user and drop capabilities#475
Conversation
If a stage 3 entry corresponding to the master lcore is present, it will be run after all other entries, and therefore it is not necessary to add this entry to the front of the list. This patch also enforces that there is at most one master lcore entry and no other entries in the list by the time run_master_if_applicable() is called.
AltraMayor
left a comment
There was a problem hiding this comment.
net: fix user change
Please add libcap-dev to GitHub Actions, so this patch can pass the compiling test.
AltraMayor
left a comment
There was a problem hiding this comment.
net: fix user change
In order to make this patch work, we need to call assert(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0); before rte_eal_init() in main/main.c. prctl() requires #include <sys/prctl.h>.
AltraMayor
left a comment
There was a problem hiding this comment.
README: update hugepages package name
AltraMayor
left a comment
There was a problem hiding this comment.
net: allow per-block capabilities after user change
AltraMayor
left a comment
There was a problem hiding this comment.
net: allow per-block capabilities after user change
AltraMayor
left a comment
There was a problem hiding this comment.
net: allow per-block capabilities after user change
AltraMayor
left a comment
There was a problem hiding this comment.
net: allow per-block capabilities after user change
AltraMayor
left a comment
There was a problem hiding this comment.
net: allow per-block capabilities after user change
Typo at the description of this patch: routign
If Gatekeeper is configured to run as a non-root user, then privileges are dropped during startup. However, some aspects of Gatekeeper (specifically, being able to use a userspace nl_pid in the CPS block for interacting with a routing daemon) require elevated privileges. In order to reduce privileges of Gatekeeper as a whole while retaining this functionality, we use capabilities(7). Each block expresses the capabilities it needs via the needed_caps() API. Since Gatekeeper is a multi-threaded system and DPDK uses a pool of threads, we require calling prctl(2) for PR_SET_KEEPCAPS for capabilities to be retained after changing the UID.
No description provided.