diff options
author | Maciej Żenczykowski <maze@google.com> | 2020-01-27 15:32:45 +0000 |
---|---|---|
committer | Maciej Żenczykowski <maze@google.com> | 2020-01-27 15:33:15 +0000 |
commit | 3c057e6b7b48bc3c2c1ef04b3536ff8460933e97 (patch) | |
tree | af1c1d62dc2656ec88172c053de0182e0adacea7 /bpfloader | |
parent | 77494d2b70f8cc8b08307f0dfe13d6b79b18e0f1 (diff) | |
download | bpf-3c057e6b7b48bc3c2c1ef04b3536ff8460933e97.tar.gz |
Revert "Grant IPC_LOCK capability to bpfloader"
This reverts commit 77494d2b70f8cc8b08307f0dfe13d6b79b18e0f1.
This doesn't apparently work...
Kernel doesn't actually test capabilities, just blindly charges
against user's memlock limit:
//kernel/bpf/syscall.c:
static int bpf_charge_memlock(struct user_struct *user, u32 pages) {
unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
if (atomic_long_add_return(pages, &user->locked_vm) > memlock_limit) {
atomic_long_sub(pages, &user->locked_vm);
return -EPERM;
}
return 0;
}
Test: N/A, revert
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Icf6d6e8a36e4b9f3771a5ce80e25ef3644ff4e83
Diffstat (limited to 'bpfloader')
-rw-r--r-- | bpfloader/bpfloader.rc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc index 924112e..31747fb 100644 --- a/bpfloader/bpfloader.rc +++ b/bpfloader/bpfloader.rc @@ -1,4 +1,9 @@ service bpfloader /system/bin/bpfloader class main - capabilities SYS_ADMIN IPC_LOCK + capabilities SYS_ADMIN + # Set RLIMIT_MEMLOCK to 64MB for bpfloader + # Actually only 8MB is needed, but since bpfloader runs as root, it shares + # the global rlimit. Once bpfloader is running as its own user in the + # future, it will have dedicated rlimit to itself and this can be 8MB. + rlimit memlock 67108864 67108864 oneshot |