feat(rtx-xdp): drop caps when done with them

Author: t-nelson

Cargo.lock

@@ -62,6 +62,7 @@ bincode = { workspace = true }
 bs58 = { workspace = true }
 bytemuck = { workspace = true }
 bytes = { workspace = true }
+caps = { workspace = true }
 chrono = { workspace = true, features = ["default", "serde"] }
 crossbeam-channel = { workspace = true }
 dashmap = { workspace = true, features = ["rayon", "raw-api"] }

core/Cargo.toml

@@ -1550,6 +1550,22 @@ impl Validator {
                 (None, None)
             };
 
+        #[cfg(target_os = "linux")]
+        {
+            use caps::{
+                CapSet,
+                Capability::{CAP_BPF, CAP_NET_ADMIN, CAP_NET_RAW, CAP_PERFMON},
+            };
+            // we're done with caps needed to init xdp now. remove them from our process
+            let cap_sets = [CapSet::Inheritable, CapSet::Permitted];
+            for cap_set in cap_sets {
+                caps::drop(None, cap_set, CAP_NET_ADMIN).expect("drop CAP_NET_ADMIN");
+                caps::drop(None, cap_set, CAP_NET_RAW).expect("drop CAP_NET_RAW");
+                caps::drop(None, cap_set, CAP_BPF).expect("drop CAP_BPF");
+                caps::drop(None, cap_set, CAP_PERFMON).expect("drop CAP_PERFMON");
+            }
+        }
+
         // disable all2all tests if not allowed for a given cluster type
         let alpenglow_socket = if genesis_config.cluster_type == ClusterType::Testnet
             || genesis_config.cluster_type == ClusterType::Development