authorTreehugger Robot <treehugger-gerrit@google.com>2022-12-09 21:14:18 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-12-09 21:14:18 +0000
commit9675ff835adea8c1665d60df562ffaa2782b2934 (patch)
treebb931100381546cc34c1d4308dbeee8c8be639df
parentfab44232b88da755a8ecb4457f4159d5357efdae (diff)
parent1372b3ad0f05f8832e8cbb7cbb9e320c95ed0acf (diff)
downloadbpf-9675ff835adea8c1665d60df562ffaa2782b2934.tar.gz
Merge "bpfloader - move sysctl setting from rc to binary" am: 2393f1df4d am: 1372b3ad0f
Original change: https://android-review.googlesource.com/c/platform/system/bpf/+/2325617 Change-Id: I6f75b6a8fd3653b71c54aac41b7c629876c0b04f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--bpfloader/BpfLoader.cpp38
-rw-r--r--bpfloader/bpfloader.rc8
2 files changed, 38 insertions, 8 deletions
diff --git a/bpfloader/BpfLoader.cpp b/bpfloader/BpfLoader.cpp
index c29c97e..ea074fa 100644
--- a/bpfloader/BpfLoader.cpp
+++ b/bpfloader/BpfLoader.cpp
@@ -238,10 +238,48 @@ int createSysFsBpfSubDir(const char* const prefix) {
return 0;
}
+// Technically 'value' doesn't need to be newline terminated, but it's best
+// to include a newline to match 'echo "value" > /proc/sys/...foo' behaviour,
+// which is usually how kernel devs test the actual sysctl interfaces.
+int writeProcSysFile(const char *filename, const char *value) {
+ android::base::unique_fd fd(open(filename, O_WRONLY | O_CLOEXEC));
+ if (fd < 0) {
+ const int err = errno;
+ ALOGE("open('%s', O_WRONLY | O_CLOEXEC) -> %s", filename, strerror(err));
+ return -err;
+ }
+ int len = strlen(value);
+ int v = write(fd, value, len);
+ if (v < 0) {
+ const int err = errno;
+ ALOGE("write('%s', '%s', %d) -> %s", filename, value, len, strerror(err));
+ return -err;
+ }
+ if (v != len) {
+ // In practice, due to us only using this for /proc/sys/... files, this can't happen.
+ ALOGE("write('%s', '%s', %d) -> short write [%d]", filename, value, len, v);
+ return -EINVAL;
+ }
+ return 0;
+}
+
int main(int argc, char** argv) {
(void)argc;
android::base::InitLogging(argv, &android::base::KernelLogger);
+ // Linux 5.16-rc1 changed the default to 2 (disabled but changeable), but we need 0 (enabled)
+ // (this writeFile is known to fail on at least 4.19, but always defaults to 0 on pre-5.13,
+ // on 5.13+ it depends on CONFIG_BPF_UNPRIV_DEFAULT_OFF)
+ if (writeProcSysFile("/proc/sys/kernel/unprivileged_bpf_disabled", "0\n") &&
+ android::bpf::isAtLeastKernelVersion(5, 13, 0)) return 1;
+
+ // Enable the eBPF JIT -- but do note that on 64-bit kernels it is likely
+ // already force enabled by the kernel config option BPF_JIT_ALWAYS_ON
+ if (writeProcSysFile("/proc/sys/net/core/bpf_jit_enable", "1\n")) return 1;
+
+ // Enable JIT kallsyms export for privileged users only
+ if (writeProcSysFile("/proc/sys/net/core/bpf_jit_kallsyms", "1\n")) return 1;
+
// This is ugly... but this allows InProcessTethering which runs as system_server,
// instead of as network_stack to access /sys/fs/bpf/tethering, which would otherwise
// (due to genfscon rules) have fs_bpf_tethering selinux context, which is restricted
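Review bot: In writeProcSysFile the length and the write result are narrowed — `int len = strlen(value);` stores a size_t and `int v = write(fd, value, len);` stores an ssize_t — so the `v != len` check and the `%d` specifiers in the ALOGE calls are only correct for short strings; declare them as `const size_t len = strlen(value);` and `const ssize_t v = write(fd, value, len);` and switch the format specifiers to `%zu`/`%zd`. In main the first write is expected to fail on pre-5.13 kernels according to the comment above it, yet writeProcSysFile logs at error level unconditionally, so every boot on such kernels emits an ALOGE line; consider logging the expected failure (presumably ENOENT or EINVAL) at a lower level, or adding a comment that the noise is accepted. If unprivileged_bpf_disabled has already been set to 1, which the kernel does not allow to be reverted, the write fails with EPERM and on 5.13+ bpfloader exits 1 — a one-line comment stating that this fail-closed exit is intended would save the next reader from treating it as a bug. main continues past the end of the hunk.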
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc
index 1d6248e..b1a6bdb 100644
--- a/bpfloader/bpfloader.rc
+++ b/bpfloader/bpfloader.rc
@@ -15,14 +15,6 @@
# considered to have booted successfully.
#
on load_bpf_programs
- # Linux 5.16-rc1 has changed the default to 2 (disabled but changeable),
- # but we need 0
- write /proc/sys/kernel/unprivileged_bpf_disabled 0
- # Enable the eBPF JIT -- but do note that on 64-bit kernels it is likely
- # already force enabled by the kernel config option BPF_JIT_ALWAYS_ON
- write /proc/sys/net/core/bpf_jit_enable 1
- # Enable JIT kallsyms export for privileged users only
- write /proc/sys/net/core/bpf_jit_kallsyms 1
exec_start bpfloader
service bpfloader /system/bin/bpfloader