Open maryamtahhan opened 1 year ago
Looking at the source, they are all CAP_NET_ADMIN. No idea why. Investigating.
The only thing which comes to mind is that the same option also controls NAPI behavior. You can very effectively DoS the machine by misconfiguring the NAPI budget and hogging the CPU in a kernel thread.
Currently, the option to configure an AF_XDP socket as a busy polling socket is a privileged operation. Investigate why this is the case (does it truly need privilege, and if yes, then how much privilege?).