summaryrefslogtreecommitdiff
path: root/bpfloader
diff options
context:
space:
mode:
authorMaciej Żenczykowski <maze@google.com>2020-01-27 15:32:45 +0000
committerMaciej Żenczykowski <maze@google.com>2020-01-27 15:33:15 +0000
commit3c057e6b7b48bc3c2c1ef04b3536ff8460933e97 (patch)
treeaf1c1d62dc2656ec88172c053de0182e0adacea7 /bpfloader
parent77494d2b70f8cc8b08307f0dfe13d6b79b18e0f1 (diff)
downloadbpf-3c057e6b7b48bc3c2c1ef04b3536ff8460933e97.tar.gz
Revert "Grant IPC_LOCK capability to bpfloader"
This reverts commit 77494d2b70f8cc8b08307f0dfe13d6b79b18e0f1. This doesn't apparently work... Kernel doesn't actually test capabilities, just blindly charges against user's memlock limit: //kernel/bpf/syscall.c: static int bpf_charge_memlock(struct user_struct *user, u32 pages) { unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; if (atomic_long_add_return(pages, &user->locked_vm) > memlock_limit) { atomic_long_sub(pages, &user->locked_vm); return -EPERM; } return 0; } Test: N/A, revert Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Icf6d6e8a36e4b9f3771a5ce80e25ef3644ff4e83
Diffstat (limited to 'bpfloader')
-rw-r--r--bpfloader/bpfloader.rc7
1 files changed, 6 insertions, 1 deletions
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc
index 924112e..31747fb 100644
--- a/bpfloader/bpfloader.rc
+++ b/bpfloader/bpfloader.rc
@@ -1,4 +1,9 @@
service bpfloader /system/bin/bpfloader
class main
- capabilities SYS_ADMIN IPC_LOCK
+ capabilities SYS_ADMIN
+ # Set RLIMIT_MEMLOCK to 64MB for bpfloader
+ # Actually only 8MB is needed, but since bpfloader runs as root, it shares
+ # the global rlimit. Once bpfloader is running as its own user in the
+ # future, it will have dedicated rlimit to itself and this can be 8MB.
+ rlimit memlock 67108864 67108864
oneshot
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-11 03:20:13 +0000