coder
diff --git a/‎agent/agentexec/cli_linux.go
Lines changed: 4 additions & 1 deletion b/‎agent/agentexec/cli_linux.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎agent/agentexec/cli_linux_test.go
Lines changed: 45 additions & 2 deletions b/‎agent/agentexec/cli_linux_test.go
Lines changed: 45 additions & 2 deletions
@@ -67,7 +67,10 @@ func CLI() error {
 
 	// We drop effective caps prior to setting dumpable so that we limit the
 	// impact of someone attempting to hijack the process (i.e. with a debugger)
-	// to take advantage of the capabilities of the agent process.
+	// to take advantage of the capabilities of the agent process. We encourage
+	// users to set cap_net_admin on the agent binary for improved networking
+	// performance and doing so results in the process having its SET_DUMPABLE
+	// attribute disabled (meaning we cannot adjust the oom score).
 	err = dropEffectiveCaps()
 	if err != nil {
 		printfStdErr("failed to drop effective caps: %v", err)
 
@@ -18,6 +18,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/unix"
+	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/testutil"
 )
@@ -50,6 +51,32 @@ func TestCLI(t *testing.T) {
 		requireOOMScore(t, cmd.Process.Pid, expectedOOM)
 		requireNiceScore(t, cmd.Process.Pid, expectedNice)
 	})
+
+	t.Run("Capabilities", func(t *testing.T) {
+		testdir := filepath.Dir(TestBin)
+		capDir := filepath.Join(testdir, "caps")
+		err := os.Mkdir(capDir, 0o755)
+		require.NoError(t, err)
+		bin := buildBinary(capDir)
+		// Try to set capabilities on the binary. This should work fine in CI but
+		// it's possible some developers may be working in an environment where they don't have the necessary permissions.
+		err = setCaps(t, bin, "cap_net_admin")
+		if os.Getenv("CI") != "" {
+			require.NoError(t, err)
+		} else if err != nil {
+			t.Skipf("unable to set capabilities for test: %v", err)
+		}
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		cmd, path := binCmd(ctx, t, bin, 123, 12)
+		err = cmd.Start()
+		require.NoError(t, err)
+		go cmd.Wait()
+
+		waitForSentinel(ctx, t, cmd, path)
+		// This is what we're really testing, a binary with added capabilities requires setting dumpable.
+		requireOOMScore(t, cmd.Process.Pid, 123)
+		requireNiceScore(t, cmd.Process.Pid, 12)
+	})
 }
 
 func requireNiceScore(t *testing.T, pid int, score int) {
@@ -94,7 +121,7 @@ func waitForSentinel(ctx context.Context, t *testing.T, cmd *exec.Cmd, path stri
 	}
 }
 
-func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
+func binCmd(ctx context.Context, t *testing.T, bin string, oom, nice int) (*exec.Cmd, string) {
 	var (
 		args = execArgs(oom, nice)
 		dir  = t.TempDir()
@@ -103,7 +130,7 @@ func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
 
 	args = append(args, "sh", "-c", fmt.Sprintf("touch %s && sleep 10m", file))
 	//nolint:gosec
-	cmd := exec.CommandContext(ctx, TestBin, args...)
+	cmd := exec.CommandContext(ctx, bin, args...)
 
 	// We set this so we can also easily kill the sleep process the shell spawns.
 	cmd.SysProcAttr = &syscall.SysProcAttr{
@@ -125,6 +152,11 @@ func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
 		}
 	})
 	return cmd, file
+
+}
+
+func cmd(ctx context.Context, t *testing.T, oom, nice int) (*exec.Cmd, string) {
+	return binCmd(ctx, t, TestBin, oom, nice)
 }
 
 func expectedOOMScore(t *testing.T) int {
@@ -171,3 +203,14 @@ func execArgs(oom int, nice int) []string {
 	execArgs = append(execArgs, "--")
 	return execArgs
 }
+
+func setCaps(t *testing.T, bin string, caps ...string) error {
+	t.Helper()
+
+	setcap := fmt.Sprintf("sudo setcap %s=ep %s", strings.Join(caps, ", "), bin)
+	out, err := exec.CommandContext(context.Background(), "sh", "-c", setcap).CombinedOutput()
+	if err != nil {
+		return xerrors.Errorf("setcap %q (%s): %w", setcap, out, err)
+	}
+	return nil
+}