feat(rtx-xdp): drop caps when done with them

t-nelson · t-nelson · commit af2baa05d914 · 2026-01-12T13:03:37.000-07:00
diff --git a/turbine/src/xdp.rs b/turbine/src/xdp.rs
@@ -206,6 +206,13 @@ impl XdpRetransmitBuilder {
             caps::drop(None, CapSet::Effective, cap).unwrap();
         }
 
+        // for a cap to be in the `ambient` set, it must be in both `inheritable` and
+        // `permitted` sets, so we can skip explicitly clearing it here
+        caps::clear(None, CapSet::Inheritable)
+            .map_err(|e| format!("failed to clear `inheritable` cap set: {e}"))?;
+        caps::clear(None, CapSet::Permitted)
+            .map_err(|e| format!("failed to clear `permitted` cap set: {e}"))?;
+
         let router = router_result?;
         let maybe_ebpf = maybe_ebpf_result.transpose()?;
 
