Some ebpf code cannot be loaded on too old kernels.
Sometimes we want a different - more advanced - version of an ebpf program
to be loaded on a newer kernel.
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9e93e7246951916e6d60544575337a7a19c82886
This is backwards. netd should require them,
and they should require bpfloader, not the other way round.
Test: build, atest, ls -lZ /sys/fs/bpf /system/etc/bpf still shows all maps/progs
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iecd95cb69eaad97979af163e63489309826546f6
Include time_in_state.o in device builds, causing time in state
programs & maps to be loaded.
Bug: 138317993
Test: make bpfloader; check that time_in_state.o is built
Change-Id: I4849bda645d7a02e3f889068987a79ce3f78d138
Signed-off-by: Connor O'Brien <connoro@google.com>
This is to allow fixing a broken OffloadUtils netd test, but this will
also be useful for future support to make programs per kernel version.
We make the string versions of the enum more readable, because there
is exactly one user:
adb shell dumpsys netd | egrep -i bpf
BPF module status: enabled
BPF support level: Extended [4.14]
...
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I843bd7355703a78acc8343ca7f647ce9366927eb
Unlike maps, BPF programs currently have no natural place to declare
metadata like their desired owner & group. Add a bpf_prog_def struct
to allow setting these, located in a new "progs" section, and update
bpfloader to chown pinned programs appropriately based on this
information.
Add a #DEFINE_BPF_PROG macro to simplify adding this data for
programs. The struct name is the name of the corresponding function
with "_def" appended, which bpfloader uses to correlate a bpf_map_def
with the correct program.
Also have bpfloader set mode to 0440 for all programs, since only read
access should ever be needed.
Bug: 149434314
Test: load a program that uses DEFINE_BPF_PROG and check that owner &
group are set as expected
Change-Id: I914c355f114368fe53de2c7f272d877463cba461
Signed-off-by: Connor O'Brien <connoro@google.com>
so that it can change the uid/gid of pinned bpf progs and maps
Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id23f9caaddf620d4e99d970523f0a9768826e0d7
(being moved from //system/netd/tests/bpf_base_test.cpp)
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7a38eff6d86a1bcd6dde193fd360d198bd57a900
(we don't want to truncate this output, since it can be very useful
for debugging failures)
Test: builds, more useful ebpf load failure logs
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I817853f33b7f59296a041fb0d26ca3ae502b29da
Per Bernie: "in C++, inline implies internal linkage, you can drop static"
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I139af1d826d4982a1480fbee433fd9a743509786
In case it happens to get called twice in parallel on
startup. It's never a mistake to do extra calls to the
uncached version.
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2605ed2ebc4ee331b2ca6c9fa915203d70415d7f
Long term we don't even want reset() to exist.
It's simply not useful since only the bpfloader can create maps,
and thus all we can do is construct from pre-existing pinned bpf
path - and we should never destroy/unpin/delete these.
Similarly the move constructor is probably spurious.
Basically the only real use for reset() is in tests,
and even there the overall utility is not clear.
Hence, in the meantime, make it harder to use incorrectly,
and harder to use in general.
To do that we get rid of reset() -> you must call reset(-1)
and we eliminate the ability to call reset(unique_fd)
which has unclear fd-leaking semantics.
Also remove a spot where it is called spuriously.
Test: build, atest
Bug: 129773125
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia018224aca0005ab68809b350595485ccd3f1bd3
switch over to the newer pinned path using constructor
Test: build, atest
mMapFd no longer shows up in this file
Bug: 129773125
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie70149ffd5a541c80b35804ffd38df07f28b509b
(and remove the old straight from fd constructor)
Note that BpfMapRO is not yet truly compile time read-only,
since it still has methods that can modify things (although those
modifications will of course fail due to the map fd being r/o).
Test: build, atest with followup fixes
Bug: 129773125
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I70b511e3f0a62cd4d9d5a923e658b1086337ec4c
Test: build, atest
mMapFd no longer shows up in this file
Bug: 129773125
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie49f0027d0f04565426ed800b079800b364dd049
bpf_jit_enable = 1 is mostly a no-op since on most future
devices it will be force-enabled by BPF_JIT_ALWAYS_ON.
It is required for Pixel 3 & co Linux 4.9 based devices, which
can only do JIT for some ebpf programs (and thus can't enable
BPF_JIT_ALWAYS_ON without some netd programs refusing to load).
We also set bpf_jit_kallsyms = 1 because it makes debugging
failures easier, but it is incompatible with bpf_jit_harden != 0.
We don't bother setting bpf_jit_harden because we both want
bpf_jit_kallsyms to work, and because the only entity allowed
to load ebpf programs is the bpfloader and it only loads trusted
(verified file system signed) prebuilt bpf programs.
Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
(instead of explicit memlock limit)
This reduces the chance of memory allocation failures.
Any bpfloader failure is a critical boot time failure
(since without eBPF initializing properly netd will crash and
device will enter crash loop).
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ed0118d63c53100e7431324914bf22e9870abfe
Keys and values passed in to lookup/update/delete are not modified.
Test: builds
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I222615af7695f41bfb59c872c7368829631c08a9
Remove libnetdutils dependency because bpf is being used for things other
than networking these days, and we don't want to make libnetdutils
vendor-available in the future. libbase provides an alternative type now.
Bug: 140330870
Test: atest libbpf_android_test netd_integration_test netd_unit_test
libnetdbpf_test bpf_module_test
Change-Id: I72ae8cd7f58a49bfc7dcb914a332a4c4bad5dea5
When accessing maps, keys are always const/read-only.
Similarly for the value when it is being stored in the map.
This eliminates four const_casts.
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Icc57b46a8e9e81b5b06264260bfbf34a4ba9105d
Note, this does not add libbpf_load_test as well because this test
requires adding a bpf program to the system image.
Bug: N/A
Test: `atest --test-mapping .`
Change-Id: I770ec4876e1cb93a526e99bcb5a234f964f46971
We can't specify which union member we want to initialize
or the compiler will be too smart and do a partial init,
but a = {} will still zero the entire struct.
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I0f9208be1be65cec35d848d37a0142d03e0919bf