feat(rtx-xdp): drop caps when done with them

Author: t-nelson

Cargo.lock

@@ -186,6 +186,9 @@ trees = { workspace = true }
 [target.'cfg(not(any(target_env = "msvc", target_os = "freebsd")))'.dependencies]
 jemallocator = { workspace = true }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+caps = { workspace = true }
+
 [target."cfg(unix)".dependencies]
 rts-alloc = { workspace = true }
 shaq = { workspace = true }

core/Cargo.toml

@@ -1550,6 +1550,22 @@ impl Validator {
                 (None, None)
             };
 
+        #[cfg(target_os = "linux")]
+        {
+            use caps::{
+                CapSet,
+                Capability::{CAP_BPF, CAP_NET_ADMIN, CAP_NET_RAW, CAP_PERFMON},
+            };
+            // we're done with caps needed to init xdp now. remove them from our process
+            let cap_sets = [CapSet::Inheritable, CapSet::Permitted];
+            for cap_set in cap_sets {
+                caps::drop(None, cap_set, CAP_NET_ADMIN).expect("drop CAP_NET_ADMIN");
+                caps::drop(None, cap_set, CAP_NET_RAW).expect("drop CAP_NET_RAW");
+                caps::drop(None, cap_set, CAP_BPF).expect("drop CAP_BPF");
+                caps::drop(None, cap_set, CAP_PERFMON).expect("drop CAP_PERFMON");
+            }
+        }
+
         // disable all2all tests if not allowed for a given cluster type
         let alpenglow_socket = if genesis_config.cluster_type == ClusterType::Testnet
             || genesis_config.cluster_type == ClusterType::Development