(no selinux consequences to this in and of itself,
though required for follow up selinux changes)
Test: TreeHugger, manual
Bug: 218408035
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id5ef7f3b119743ef26b062068756c4e0f754e694
This also fixes a permissions issue if a non-root user is set. The read
permissions should be set before the file is set as non-root to ensure
that the permissions can be set without error.
Bump the BPF loader version.
Bug: 203462310
Test: Ensure that vendor skfilter bpf programs can load
Change-Id: Ib6b9a64d8652ff464c9d4d734bb8ae351673b6ce
Allow vendors to use bpf programs, but limit to tracepoints
for now (other types of programs, for instance skfilter, aren't
safe to expose, because the kernel gives us limited ways to
control which resources can have BPF programs attached, and
some shared resources only support a single BPF program at an
attach point).
Bug: 140330870
Bug: 162057235
Test: install bpf program to /vendor/etc/bpf/ and use it.
Test: atest libbpf_load_test
Change-Id: I6c876fe52739c38db73689ffd784167e7d35d58a
btfloader uses upstream libbpf & libelf to parse the BTF sections of a
bpf .o file, load BTF information into the kernel, and identify the
BTF type ids corresponding to each map's keys and values.
Extend bpfloader to run btfloader on any .o file with a .BTF
section. We pass btfloader socket and pipe fds, which it will use to
send back a BTF fd and the key & value type ids, respectively.
To ensure a btfloader bug can't block bpfloader indefinitely, wait for
btfloader to run with a short timeout and use nonblocking socket &
pipe for communication.
Finally, add a check to BpfLoadTest to verify that map BTF is loaded
as expected.
Test: build & boot; existing programs load successfully
Test: libbpf_load_test
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I7bac83a08c2dc452bdb9030f1e74781116c1dd5c
netd.c is moved from netd to tethering mainline module.
Bump BpfLoader to v0.9
Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest
Change-Id: I0b8ba90bbbe4e16d979c4a40d6fdbbaac0d14d27
This is to prevent a name collision with "upstream"
libbpf (external/libbpf) which is built using the same name.
Bug: 203823368
Test: build cuttlefish
Test: m libbpf_load_test
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I9bb798a9b5d832511bed471f01575bba14a1a9d3
Move BPF map definition and utilities to a common place that is easy to
reference from both mainline module and platform code.
Bug: 202086915
Test: m; flash; boot
Test: cd system/netd/ && atest
Test: cd packages/modules/Connectivity && atest
Test: m gpuservice_unittest libtimeinstate_test bpf_module_test
CtsAppOpsTestCases libbpf_load_test VtsBootconfigTest
vts_test_binary_bpf_module bpf_benchmark libbpf_load_test
libbpf_android_test
Change-Id: Ib15cf78c2da97bff835fb406c866676eec77c013
Needed to not have to carry
https://android-review.googlesource.com/c/kernel/common/+/1886896
for 5.16-rc1+ kernels
We set this before the bpfloader even executes so it will always be
ready before anyone has a chance to use it.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I418a534d6550c5b57286e261e6988d2debdf237f
This change enables Async mode ARM MTE in the bpfloader process on compatible
hardware and has no effect otherwise.
Bug: 181603044
Test: atest under system/bpf
Change-Id: I6340055fea1f97fcc781b418e2465a7961ecedf4
This is required for it to be able to create DEVMAP/DEVMAP_HASH maps.
See kernel source code in kernel/bpf/devmap.c:
static struct bpf_map *dev_map_alloc(union bpf_attr *attr) {
...
if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM);
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4f3012209186ff0e4bde8807b9032de056367132
This makes it harder for system and mainline bpf programs to
conflict with each other, thus enabling easier mainline module
updates.
Test: builds and boots, atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic1b69bb1ddc4a10bd4861dadbd6b97e2520c532d
so there is no longer a need to look at any properties
or api levels.
Test: builds, atest, TreeHugger
Bug: 167500195
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia5479db807f5444e48251dff45fd42fff610d5ca
(should make it easier to observe logs via adb)
Test: atest, TreeHugger
Bug: 150040815
Bug: 160546011
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I20d6ede4ddf516a91c707aa08cf3a92aed39b03b
(probably a loss for reliability, but possibly a win for device boot time)
Test: build, atest, TreeHugger
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id62009a9f888ce2092b8a1e7aef24ae4224109d5
should eliminate netd crash loops due to boottime bpfloader failure
Test: built and booted on cuttlefish, atest of various net tests
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If11d491d78958ff18290e826011d2593f58d217d
Reasoning: critical load failures for netd bpf programs will just result
in unpredictable behaviour later on. For example netd/systemserver
crash loops.
Test: builds
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iefa01e60cd0a9a223e96411726a199bfb4857a5a
... which also means waitForProgsLoaded() has to be a no-op on pre-bpf devices.
This is more consistent: it's weird to have bpf.progs_loaded set on a 4.4 device.
Test: builds, atest
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iddabcf56c187ea518dd2e4d8db451b2f6902aa8e
This is backwards. netd should require them,
and they should require bpfloader, not the other way round.
Test: build, atest, ls -lZ /sys/fs/bpf /system/etc/bpf still shows all maps/progs
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iecd95cb69eaad97979af163e63489309826546f6
Include time_in_state.o in device builds, causing time in state
programs & maps to be loaded.
Bug: 138317993
Test: make bpfloader; check that time_in_state.o is built
Change-Id: I4849bda645d7a02e3f889068987a79ce3f78d138
Signed-off-by: Connor O'Brien <connoro@google.com>
so that it can change the uid/gid of pinned bpf progs and maps
Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id23f9caaddf620d4e99d970523f0a9768826e0d7
bpf_jit_enable = 1 is mostly a no-op since on most future
devices it will be force enabled by BPF_JIT_ALWAYS_ON.
It is required for Pixel 3 & co Linux 4.9 based devices, which
can only do JIT for some ebpf programs (and thus can't enable
BPF_JIT_ALWAYS_ON without some netd programs refusing to load).
We also set bpf_jit_kallsyms = 1 because it makes debugging
failures easier, but it is incompatible with bpf_jit_harden != 0.
We don't bother setting bpf_jit_harden because we both want
bpf_jit_kallsyms to work, and because the only entity allowed
to load ebpf programs is the bpfloader and it only loads trusted
(verified file system signed) prebuilt bpf programs.
Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
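A check for the sysctl state that the commit message above describes, as an added example that is not part of the commit or of the bpfloader sources. The directory argument and the sample trees are assumptions of the example, constructed so that it runs off-device.

```shell
#!/bin/sh
# Added example: compare the BPF JIT sysctls with the state the commit message
# describes (bpf_jit_enable=1, bpf_jit_kallsyms=1, bpf_jit_harden left at 0).
# The directory argument is an assumption of this example so the check can run
# on a constructed tree; the real knobs live in /proc/sys/net/core.

read_knob() {  # $1 = directory, $2 = knob name; prints the value or "missing"
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'missing'
    fi
}

audit_bpf_jit() {  # $1 = sysctl directory; returns 0 only if all three match
    root=${1:-/proc/sys/net/core}
    rc=0
    enable=$(read_knob "$root" bpf_jit_enable)
    kallsyms=$(read_knob "$root" bpf_jit_kallsyms)
    harden=$(read_knob "$root" bpf_jit_harden)
    if [ "$enable" != 1 ]; then
        echo "MISMATCH bpf_jit_enable=$enable (expected 1)"; rc=1
    fi
    if [ "$kallsyms" != 1 ]; then
        echo "MISMATCH bpf_jit_kallsyms=$kallsyms (expected 1)"; rc=1
    fi
    if [ "$harden" != 0 ]; then
        echo "MISMATCH bpf_jit_harden=$harden (expected 0)"; rc=1
        # The case the message calls out: kallsyms export and hardening conflict.
        if [ "$kallsyms" = 1 ]; then
            echo "CONFLICT bpf_jit_kallsyms=1 is incompatible with bpf_jit_harden=$harden"
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK harden=0 relies on bpfloader being the only program loader"
    fi
    return "$rc"
}

# Constructed sample trees (not read from a device).
demo=$(mktemp -d)
mkdir "$demo/as_committed" "$demo/hardened"
for k in bpf_jit_enable bpf_jit_kallsyms; do
    echo 1 > "$demo/as_committed/$k"; echo 1 > "$demo/hardened/$k"
done
echo 0 > "$demo/as_committed/bpf_jit_harden"
echo 2 > "$demo/hardened/bpf_jit_harden"
audit_bpf_jit "$demo/as_committed" || true
audit_bpf_jit "$demo/hardened" || true
rm -rf "$demo"
```

On a device, calling `audit_bpf_jit` with no argument reads /proc/sys/net/core directly.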
(instead of explicit memlock limit)
This reduces chance for memory allocation failures.
Any bpfloader failure is a critical boot time failure
(since without eBPF initializing properly netd will crash and
device will enter crash loop).
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ed0118d63c53100e7431324914bf22e9870abfe
The rlimit was recently set to 8MB for bpfloader in
Change Id Ib97d1d304f4ea9a6215afed76e1c1e28f1415221.
This could be causing intermittent failures to create maps, let us
increase it to 64MB for bpfloader.
Bug: 134558982
Change-Id: Iabb2e6c7d9ea3843ae28f2c465756e5aacdf1904
Signed-off-by: Joel Fernandes <joelaf@google.com>
Currently the bpfloader does not try to load programs if
bpf.progs_loaded is set. However there is no harm in trying to reload
programs because the loader is designed to reuse previously created maps
and programs if they were created. On the other hand, not trying to load
if property is set is harmful since the property prevents retries. So
prevent this from happening.
Bug: 134558982
Change-Id: I61dfb8827ca37c9a1ff4e0912ca96f06a36c37d6
Signed-off-by: Joel Fernandes <joelaf@google.com>
The bpfloader should not try to load bpf objects on unsupported devices
since devices with 4.4 kernel can have bpf maps but not bpf program
support. Creating bpf maps on those devices would mislead the framework
code to use an unsupported code path and crash system server.
Bug: 130687855
Test: cuttlefish boot test for 4.4 kernel.
Change-Id: I43ffc01e1099ee3effaa6ba30aa78080d5bec72f
Since bpfloader is only used to create the bpf maps and load bpf
programs on android devices, it is okay to set the MEMLOCK rlimit of
bpfloader to the proper size needed by bpf maps regardless of the global
device values. It helps partners to adopt the bpf feature without
changing the device configuration.
Bug: 119279144
Bug: 129246448
Test: remove device specific rlimit and build and verify bpf maps
created.
Change-Id: Ib97d1d304f4ea9a6215afed76e1c1e28f1415221
This was necessary when the netd BPF program lived in system/bpf,
but it's no longer necessary.
Test: m
Bug: 65674744
Change-Id: I1fcf7e41276341b1258adf9d3795e81b6139f84f
The data collected by this program currently has no consumers, so
there's no need to load it or include it in the bpfloader build yet.
Test: make bpfloader
Change-Id: I206d94e3da34dc3b81bdbfdd4a00b05cfb624f48
Signed-off-by: Connor O'Brien <connoro@google.com>
bpfloader now has CAP_SYS_ADMIN, which allows it to load programs like
time_in_state.o that use eBPF's tracepoint support.
Test: make bpfloader
Test: ls /sys/fs/bpf/ shows time_in_state progs and maps are created
Bug: 112334572
Bug: 78498733
Change-Id: Iedff50381c9ee2b3bdfc6c01b2e2ccaeaf0917d5
Signed-off-by: Connor O'Brien <connoro@google.com>
The property bpf.progs_loaded will be used by services expecting BPF
programs to be loaded and wait before they are loaded.
Bug: 112334572
Change-Id: I19daa0caa84e2659e8790f0dd551d95ab824e13b
Signed-off-by: Joel Fernandes <joelaf@google.com>
With this, bpfloader does not need to be started by netd and will load
at boot time.
Bug: 112334572
Change-Id: Iad777ed0a5bb5995dbf2fc176a220292a4c5e41f
Signed-off-by: Joel Fernandes <joelaf@google.com>
Change the netd bpf program to the new format. Add map definition and
necessary helper functions to the kernel program code. Move the netd bpf
programs out of bpfloader to a new directory.
Test: dumpsys netd trafficcontroller
Bug: 112334572
Change-Id: I9287285d188e966193532b1522b5d3e67e32e930