This is required for it to be able to create DEVMAP/DEVMAP_HASH maps.
See kernel source code in kernel/bpf/devmap.c:
static struct bpf_map *dev_map_alloc(union bpf_attr *attr) {
...
if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM);
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4f3012209186ff0e4bde8807b9032de056367132
so there is no longer a need to look at any properties
or api levels.
Test: builds, atest, TreeHugger
Bug: 167500195
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia5479db807f5444e48251dff45fd42fff610d5ca
(probably a loss for reliability, but possibly a win for device boot time)
Test: build, atest, TreeHugger
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id62009a9f888ce2092b8a1e7aef24ae4224109d5
should eliminate netd crash loops due to boottime bpfloader failure
Test: built and booted on cuttlefish, atest of various net tests
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If11d491d78958ff18290e826011d2593f58d217d
so that it can change the uid/gid of pinned bpf progs and maps
Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id23f9caaddf620d4e99d970523f0a9768826e0d7
bpf_jit_enable = 1 is mostly a no-op since on most future
devices it will be force enabled by BPF_JIT_ALWAYS_ON
It is required for Pixel 3 & co Linux 4.9 based devices, which
can only do JIT for some ebpf programs (and thus can't enable
BPF_JIT_ALWAYS_ON without some netd programs refusing to load)
We also set bpf_jit_kallsyms = 1 because it makes debugging
failures easier, but it is incompatible with bpf_jit_harden != 0.
We don't bother setting bpf_jit_harden because we both want
bpf_jit_kallsyms to work, and because the only entity allowed
to load ebpf programs is the bpfloader and it only loads trusted
(verified file system signed) prebuilt bpf programs.
Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
(instead of explicit memlock limit)
This reduces chance for memory allocation failures.
Any bpfloader failure is a critical boot time failure
(since without eBPF initializing properly netd will crash and
device will enter crash loop).
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ed0118d63c53100e7431324914bf22e9870abfe
The rlimit was recently set to 8MB for bpfloader in
Change Id Ib97d1d304f4ea9a6215afed76e1c1e28f1415221
This could be causing intermittent failures to create maps, let us
increase it to 64MB for bpfloader.
Bug: 134558982
Change-Id: Iabb2e6c7d9ea3843ae28f2c465756e5aacdf1904
Signed-off-by: Joel Fernandes <joelaf@google.com>
Since bpfloader is only used to create the bpf maps and load bpf
programs on android devices. It is okay to set the MEMLOCK rlimit of
bpfloader to the proper size needed by bpf maps regardless of the global
device values. It helps partner to adopt the bpf feature without
changing the device configuration.
Bug: 119279144
Bug: 129246448
Test: remove device specific rlimit and build and verify bpf maps
created.
Change-Id: Ib97d1d304f4ea9a6215afed76e1c1e28f1415221
With this, bpfloader does not need to be started by netd and will load
at boot time.
Bug: 112334572
Change-Id: Iad777ed0a5bb5995dbf2fc176a220292a4c5e41f
Signed-off-by: Joel Fernandes <joelaf@google.com>
