xdp-project / xdp-tools

Utilities and example programs for use with XDP

How to run AF_XDP program without root privileges? #320

Closed wshwb closed 1 year ago

wshwb commented 1 year ago

I want to run a userspace program that creates an AF_XDP socket and receives packets through this socket, but right now I must use "sudo" to start my userspace program so that it can load a kernel-space XDP filter program and create a UMEM and AF_XDP socket with the libbpf library. I want to know how to start a userspace program that doesn't need "sudo" every time to receive packets. Please give me some advice! Thanks a lot!

maryamtahhan commented 1 year ago

Hello @wshwb

So you will need to separate the loading of the XDP program (privileged op) for AF_XDP from the socket creation part (unprivileged op).

So you can use xdp-loader to load your XDP program, attach it to your netdev and pin your xskmap.

Then leverage XSK_LIBBPF_FLAGS__INHIBIT_PROG_LOAD in your program that creates the AF_XDP socket, and retrieve the xskmap fd using bpf_obj_get().

Note: for an unprivileged process to use the xsk_map you will need to pin the map to a bpffs in a location other than: /sys/fs/bpf...

Create a custom bpffs using: mount bpffs -t bpf

Make it shared: mount --make-shared

For references please see:

wshwb commented 1 year ago

Thank you very much! @maryamtahhan

  1. I have received a simple and temporary solution (https://github.com/xdp-project/xdp-tutorial/issues/361#issuecomment-1542743318) and I tried it in advanced03-AF_XDP; it really worked. So your advice is a more general way, and I believe it works better. I will try it in the future.
  2. I found that LD_LIBRARY_PATH will fail if I set a capability on my executable program, and I found another way to set the dylink path in Linux, which is to set -rpath in gcc.
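
The unprivileged half of the split described in maryamtahhan's reply, as an added example that is not code from the thread or from xdp-tools: before using a pinned xskmap, check that the pin really sits on a bpffs mount and that the object behind it is an XSKMAP. It assumes the privileged loader has already pinned the map; `open_pinned_xskmap` is a hypothetical helper name, the pin path is supplied by the caller, and the raw bpf(2) syscall is used in place of libbpf's bpf_obj_get() so the block builds without libbpf.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/bpf.h>
#include <linux/magic.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <unistd.h>

static long sys_bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* Return an fd for the XSKMAP pinned at pin_path, or a negative errno. */
int open_pinned_xskmap(const char *pin_path)
{
    struct statfs sfs;
    struct bpf_map_info info;
    union bpf_attr attr;
    int fd;
    if (statfs(pin_path, &sfs) < 0)
        return -errno;                 /* pin missing or directory not searchable */
    if ((uint32_t)sfs.f_type != BPF_FS_MAGIC)
        return -EINVAL;                /* path is not on a bpffs mount */
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (uint64_t)(uintptr_t)pin_path;
    fd = (int)sys_bpf(BPF_OBJ_GET, &attr);   /* the command bpf_obj_get() issues */
    if (fd < 0)
        return -errno;                 /* e.g. EACCES from the pin's file mode */
    memset(&info, 0, sizeof(info));
    memset(&attr, 0, sizeof(attr));
    attr.info.bpf_fd = fd;
    attr.info.info_len = sizeof(info);
    attr.info.info = (uint64_t)(uintptr_t)&info;
    if (sys_bpf(BPF_OBJ_GET_INFO_BY_FD, &attr) < 0 || info.type != BPF_MAP_TYPE_XSKMAP) {
        close(fd);                     /* refuse anything that is not an XSKMAP */
        return -EINVAL;
    }
    return fd;
}

int main(int argc, char **argv)
{
    return argc > 1 && open_pinned_xskmap(argv[1]) >= 0 ? 0 : 1;
}
```

The returned fd is what the socket-creating program would use when it runs with XSK_LIBBPF_FLAGS__INHIBIT_PROG_LOAD set.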