allow bpf .o files to specify desired selinux context
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9d7449e477c371053a34191a2a9a935ba927d4b3
(cherry picked from commit 41817139636bdb58022d4206662b25f375587c68)
Merged-In: I9d7449e477c371053a34191a2a9a935ba927d4b3
|
|
For use by:
- maps netd should have read but not write access to
(needed due to netd being root with DAC_OVERRIDE,
and thus not obeying standard unix permissions)
- programs that netd should have access to but
not netutils_wrappers (which due to being able to
run iptables, needs access to xt_bpf programs)
Bug: 218408035
Test: booted on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I72b106692a25077ff54252fd93db81f46b52125d
(cherry picked from commit 32c0b8f46ede0878a06b9a72b7bf547a49cefbd4)
Merged-In: I72b106692a25077ff54252fd93db81f46b52125d
|
|
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I613b84342fba7b425fb10af157fe0a6a731b71cb
(cherry picked from commit 7acf938127d2b9e92d038e9c77977cc209003f61)
Merged-In: I613b84342fba7b425fb10af157fe0a6a731b71cb
|
|
This is needed due to the other half of this topic getting into tm-dev via automerger via sc-mainline-prod
Also this topic was always meant for T.
Original change: https://android-review.googlesource.com/c/platform/system/bpf/+/2071267
Test: manual
Bug: 218408035
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Merged-In: Id5ef7f3b119743ef26b062068756c4e0f754e694
Change-Id: I6ffab207294946357f3a97685d3eacc75b724e89
|
|
This also fixes a permissions issue if a non-root user is set. The read
permissions should be set before the file is set as non-root to ensure
that the permissions can be set without error.
Bump the BPF loader version.
Bug: 203462310
Test: Ensure that vendor skfilter bpf programs can load
Change-Id: Ib6b9a64d8652ff464c9d4d734bb8ae351673b6ce
|
|
Allow vendors to use bpf programs, but limit to tracepoints
for now (other types of programs, for instance skfilter, aren't
safe to expose, because the kernel gives us limited ways to
control which resources can have BPF programs attached, and
some shared resources only support a single BPF program at an
attach point).
Bug: 140330870
Bug: 162057235
Test: install bpf program to /vendor/etc/bpf/ and use it.
Test: atest libbpf_load_test
Change-Id: I6c876fe52739c38db73689ffd784167e7d35d58a
|
|
Boots early. logd no workie!
Bug: 210919187
Test: see bpfloader logs
Change-Id: Ib5669cb64684dfa18307ae5784349df3548d66d8
|
|
btfloader uses upstream libbpf & libelf to parse the BTF sections of a
bpf .o file, load BTF information into the kernel, and identify the
BTF type ids corresponding to each map's keys and values.
Extend bpfloader to run btfloader on any .o file with a .BTF
section. We pass btfloader socket and pipe fds, which it will use to
send back a BTF fd and the key & value type ids, respectively.
To ensure a btfloader bug can't block bpfloader indefinitely, wait for
btfloader to run with a short timeout and use nonblocking socket &
pipe for communication.
Finally, add a check to BpfLoadTest to verify that map BTF is loaded
as expected.
Test: build & boot; existing programs load successfully
Test: libbpf_load_test
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I7bac83a08c2dc452bdb9030f1e74781116c1dd5c
|
|
netd.c is moved from netd to the tethering mainline module.
Bump BpfLoader to v0.9
Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest
Change-Id: I0b8ba90bbbe4e16d979c4a40d6fdbbaac0d14d27
|
|
Use a generic name so that it can contain more bpf related headers.
Bug: 202086915
Test: build
Change-Id: I36d93cbc77723464df84023752915e1e79e623df
|
|
This is to prevent a name collision with "upstream"
libbpf (external/libbpf) which is built using the same name.
Bug: 203823368
Test: build cuttlefish
Test: m libbpf_load_test
Signed-off-by: Connor O'Brien <connoro@google.com>
Change-Id: I9bb798a9b5d832511bed471f01575bba14a1a9d3
|
|
Move BPF map definition and utilities to a common place that is easy to
reference from both mainline module and platform code.
Bug: 202086915
Test: m; flash; boot
Test: cd system/netd/ && atest
Test: cd packages/modules/Connectivity && atest
Test: m gpuservice_unittest libtimeinstate_test bpf_module_test
CtsAppOpsTestCases libbpf_load_test VtsBootconfigTest
vts_test_binary_bpf_module bpf_benchmark libbpf_load_test
libbpf_android_test
Change-Id: Ib15cf78c2da97bff835fb406c866676eec77c013
|
|
Test: N/A
Bug: 204131517
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia6a8ca026f3ab403443e130dceb2aca0ce0f2343
|
|
Needed to not have to carry
https://android-review.googlesource.com/c/kernel/common/+/1886896
for 5.16-rc1+ kernels
We set this before the bpfloader even executes so it will always be
ready before anyone has a chance to use it.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I418a534d6550c5b57286e261e6988d2debdf237f
|
|
This change enables Async mode ARM MTE in the bpfloader process on compatible
hardware and has no effect otherwise.
Bug: 181603044
Test: atest under system/bpf
Change-Id: I6340055fea1f97fcc781b418e2465a7961ecedf4
|
|
This is required for it to be able to create DEVMAP/DEVMAP_HASH maps.
See kernel source code in kernel/bpf/devmap.c:
static struct bpf_map *dev_map_alloc(union bpf_attr *attr) {
    ...
    if (!capable(CAP_NET_ADMIN)) return ERR_PTR(-EPERM);
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4f3012209186ff0e4bde8807b9032de056367132
|
|
Added SPDX-license-identifier-Apache-2.0 to:
Android.bp
bpfloader/Android.bp
libbpf_android/Android.bp
progs/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: Ia881b61da1755797085916aab5325375c82ed76e
|
|
This makes it harder for system and mainline bpf programs to
conflict with each other, thus enabling easier mainline module
updates.
Test: builds and boots, atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic1b69bb1ddc4a10bd4861dadbd6b97e2520c532d
|
|
Test: builds, atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie3f1146f71f75b982ffc4cd4176c5624efb6a63e
|
|
so there is no longer a need to look at any properties
or api levels.
Test: builds, atest, TreeHugger
Bug: 167500195
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia5479db807f5444e48251dff45fd42fff610d5ca
|
|
Test: flash and boot successfully
Change-Id: Ia1a713024686c36e34f7cf525a284abc00fe56e2
|
|
(should make it easier to observe logs via adb)
Test: atest, TreeHugger
Bug: 150040815
Bug: 160546011
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I20d6ede4ddf516a91c707aa08cf3a92aed39b03b
|
|
This reverts commit 838b81de8f20577d517e7c48c8fb39d11e4efc85.
Test: build, atest, TreeHugger
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7447ef782bab90208046a4e5698301ab0e08da56
|
|
(probably a loss for reliability, but possibly a win for device boot time)
Test: build, atest, TreeHugger
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id62009a9f888ce2092b8a1e7aef24ae4224109d5
|
|
should eliminate netd crash loops due to boottime bpfloader failure
Test: built and booted on cuttlefish, atest of various net tests
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If11d491d78958ff18290e826011d2593f58d217d
|
|
failure.
Reasoning: critical load failures for netd bpf programs will just result
in unpredictable behaviour later on. For example netd/systemserver
crash loops.
Test: builds
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iefa01e60cd0a9a223e96411726a199bfb4857a5a
|
|
... which also means waitForProgsLoaded() has to be a no-op on pre-bpf devices.
This is more consistent: it's weird to have bpf.progs_loaded set on a 4.4 device.
Test: builds, atest
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iddabcf56c187ea518dd2e4d8db451b2f6902aa8e
|
|
This is backwards. netd should require them,
and they should require bpfloader, not the other way round.
Test: build, atest, ls -lZ /sys/fs/bpf /system/etc/bpf still shows all maps/progs
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iecd95cb69eaad97979af163e63489309826546f6
|
|
Include time_in_state.o in device builds, causing time in state
programs & maps to be loaded.
Bug: 138317993
Test: make bpfloader; check that time_in_state.o is built
Change-Id: I4849bda645d7a02e3f889068987a79ce3f78d138
Signed-off-by: Connor O'Brien <connoro@google.com>
|
|
so that it can change the uid/gid of pinned bpf progs and maps
Test: build, atest
Bug: 149434314
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id23f9caaddf620d4e99d970523f0a9768826e0d7
|
|
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9e2a7e049746ad193eea01e7c9d6786d27728c72
|
|
Test: builds, atest, /system/etc/bpf/offload.o exists
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I043369f5e0ae4315dc8db0cf70dc8806e4997fe4
|
|
bpf_jit_enable = 1 is mostly a no-op since on most future
devices it will be force enabled by BPF_JIT_ALWAYS_ON
It is required for Pixel 3 & co Linux 4.9 based devices, which
can only do JIT for some ebpf programs (and thus can't enable
BPF_JIT_ALWAYS_ON without some netd programs refusing to load)
We also set bpf_jit_kallsyms = 1 because it makes debugging
failures easier, but it is incompatible with bpf_jit_harden != 0.
We don't bother setting bpf_jit_harden because we both want
bpf_jit_kallsyms to work, and because the only entity allowed
to load ebpf programs is the bpfloader and it only loads trusted
(verified file system signed) prebuilt bpf programs.
Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
|
|
Test: build, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5a1728fe29e510c06978a0c7c5cc90af3e9ea46d
|
|
This reverts commit 77494d2b70f8cc8b08307f0dfe13d6b79b18e0f1.
This doesn't apparently work...
Kernel doesn't actually test capabilities, just blindly charges
against user's memlock limit:
//kernel/bpf/syscall.c:
static int bpf_charge_memlock(struct user_struct *user, u32 pages) {
    unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
    if (atomic_long_add_return(pages, &user->locked_vm) > memlock_limit) {
        atomic_long_sub(pages, &user->locked_vm);
        return -EPERM;
    }
    return 0;
}
Test: N/A, revert
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Icf6d6e8a36e4b9f3771a5ce80e25ef3644ff4e83
|
|
(instead of explicit memlock limit)
This reduces chance for memory allocation failures.
Any bpfloader failure is a critical boot time failure
(since without eBPF initializing properly netd will crash and
device will enter crash loop).
Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ed0118d63c53100e7431324914bf22e9870abfe
|
|
Test: builds, atest
Bug: 146787904
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iea667cf4adaccdfd8fbffae8960cbe243ae77d70
|
|
The rlimit was recently set to 8MB for bpfloader in
Change Id Ib97d1d304f4ea9a6215afed76e1c1e28f1415221
This could be causing intermittent failures to create maps, let us
increase it to 64MB for bpfloader.
Bug: 134558982
Change-Id: Iabb2e6c7d9ea3843ae28f2c465756e5aacdf1904
Signed-off-by: Joel Fernandes <joelaf@google.com>
|
|
Currently the bpfloader does not try to load programs if
bpf.progs_loaded is set. However there is no harm in trying to reload
programs because the loader is designed to reuse previously created maps
and programs if they were created. On the other hand, not trying to load
if property is set is harmful since the property prevents retries. So
prevent this from happening.
Bug: 134558982
Change-Id: I61dfb8827ca37c9a1ff4e0912ca96f06a36c37d6
Signed-off-by: Joel Fernandes <joelaf@google.com>
|
|
The bpfloader should not try to load bpf objects on unsupported devices
since devices with a 4.4 kernel can have bpf maps but not bpf program
support. Creating bpf maps on those devices would mislead the framework
code to use an unsupported code path and crash system server.
Bug: 130687855
Test: cuttlefish boot test for 4.4 kernel.
Change-Id: I43ffc01e1099ee3effaa6ba30aa78080d5bec72f
|
|
Since bpfloader is only used to create the bpf maps and load bpf
programs on Android devices, it is okay to set the MEMLOCK rlimit of
bpfloader to the proper size needed by bpf maps regardless of the global
device values. It helps partners adopt the bpf feature without
changing the device configuration.
Bug: 119279144
Bug: 129246448
Test: remove device specific rlimit and build and verify bpf maps
created.
Change-Id: Ib97d1d304f4ea9a6215afed76e1c1e28f1415221
|
|
Test: builds
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5c48acc6aed81c38650564d2fb42e6e816b4b726
|
|
This was necessary when the netd BPF program lived in system/bpf,
but it's no longer necessary.
Test: m
Bug: 65674744
Change-Id: I1fcf7e41276341b1258adf9d3795e81b6139f84f
|
|
The data collected by this program currently has no consumers, so
there's no need to load it or include it in the bpfloader build yet.
Test: make bpfloader
Change-Id: I206d94e3da34dc3b81bdbfdd4a00b05cfb624f48
Signed-off-by: Connor O'Brien <connoro@google.com>
|
|
bpfloader now has CAP_SYS_ADMIN, which allows it to load programs like
time_in_state.o that use eBPF's tracepoint support.
Test: make bpfloader
Test: ls /sys/fs/bpf/ shows time_in_state progs and maps are created
Bug: 112334572
Bug: 78498733
Change-Id: Iedff50381c9ee2b3bdfc6c01b2e2ccaeaf0917d5
Signed-off-by: Connor O'Brien <connoro@google.com>
|
|
The property bpf.progs_loaded will be used by services that expect BPF
programs to be loaded and need to wait until they are.
Bug: 112334572
Change-Id: I19daa0caa84e2659e8790f0dd551d95ab824e13b
Signed-off-by: Joel Fernandes <joelaf@google.com>
|
|
With this, bpfloader does not need to be started by netd and will load
at boot time.
Bug: 112334572
Change-Id: Iad777ed0a5bb5995dbf2fc176a220292a4c5e41f
Signed-off-by: Joel Fernandes <joelaf@google.com>
|
|
Change the netd bpf program to the new format. Add the map definition and
necessary helper functions to the kernel program code. Move the netd bpf
programs out of bpfloader to a new directory.
Test: dumpsys netd trafficcontroller
Bug: 112334572
Change-Id: I9287285d188e966193532b1522b5d3e67e32e930
|