feat(rtx-xdp): drop caps when done with them

Author: t-nelson

Cargo.lock

@@ -95,6 +95,9 @@ tokio = { workspace = true }
 [target.'cfg(not(any(target_env = "msvc", target_os = "freebsd")))'.dependencies]
 jemallocator = { workspace = true }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+caps = { workspace = true }
+
 [target."cfg(unix)".dependencies]
 libc = { workspace = true }
 

programs/sbf/Cargo.lock

@@ -289,6 +289,22 @@ pub fn execute(
             .expect("failed to create xdp retransmitter")
     });
 
+    #[cfg(target_os = "linux")]
+    {
+        use caps::{
+            CapSet,
+            Capability::{CAP_BPF, CAP_NET_ADMIN, CAP_NET_RAW, CAP_PERFMON},
+        };
+        // we're done with caps needed to init xdp now. remove them from our process
+        let cap_sets = [CapSet::Inheritable, CapSet::Permitted];
+        for cap_set in cap_sets {
+            caps::drop(None, cap_set, CAP_NET_ADMIN).expect("drop CAP_NET_ADMIN");
+            caps::drop(None, cap_set, CAP_NET_RAW).expect("drop CAP_NET_RAW");
+            caps::drop(None, cap_set, CAP_BPF).expect("drop CAP_BPF");
+            caps::drop(None, cap_set, CAP_PERFMON).expect("drop CAP_PERFMON");
+        }
+    }
+
     let reserved = retransmit_xdp
         .map(|xdp| xdp.cpus.clone())
         .unwrap_or_default()