Set /proc/sys/net/core/bpf_jit_{enable,kallsyms} to 1

bpf_jit_enable = 1 is mostly a no-op since on most future devices it will be force enabled by BPF_JIT_ALWAYS_ON. It is required for Pixel 3 & co Linux 4.9 based devices, which can only do JIT for some ebpf programs (and thus can't enable BPF_JIT_ALWAYS_ON without some netd programs refusing to load).

We also set bpf_jit_kallsyms = 1 because it makes debugging failures easier, but it is incompatible with bpf_jit_harden != 0.

We don't bother setting bpf_jit_harden because we both want bpf_jit_kallsyms to work, and because the only entity allowed to load ebpf programs is the bpfloader and it only loads trusted (verified file system signed) prebuilt bpf programs.

Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
This commit is contained in:
parent 083c0776d9
commit a391148649
1 changed files with 8 additions and 0 deletions
@ -31,3 +31,11 @@ service bpfloader /system/bin/bpfloader
#
rlimit memlock 1073741824 1073741824
oneshot
# Need to make sure this runs *before* the bpfloader.
on early-init
# Enable the eBPF JIT -- but do note that it is likely already force enabled
# by the kernel config option BPF_JIT_ALWAYS_ON
write /proc/sys/net/core/bpf_jit_enable 1
# Enable JIT kallsyms export for privileged users only
write /proc/sys/net/core/bpf_jit_kallsyms 1
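Review bot: the security rationale for leaving bpf_jit_harden at 0 exists only in the commit message, so the comment above the `write /proc/sys/net/core/bpf_jit_kallsyms 1` line should carry it: a later change that sets bpf_jit_harden non-zero (or a kernel that defaults it that way) would silently disable the kallsyms export this line enables, and the reason it is considered safe is that the bpfloader is the only loader of eBPF programs and only loads signed prebuilt ones. Suggest extending the comment to something like `# Enable JIT kallsyms export for privileged users only` / `# (incompatible with bpf_jit_harden != 0; acceptable because only the bpfloader` / `# loads eBPF programs, and only verified, signed prebuilt ones)`. Likewise, the comment above `write /proc/sys/net/core/bpf_jit_enable 1` could say that the write is still required on Linux 4.9 (Pixel 3 & co) kernels that cannot use BPF_JIT_ALWAYS_ON, so nobody removes it later as redundant.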