NetBpfLoad: 25Q2+ enforce 1GiB+ memlock
On at least some kernel versions sufficient memlock
is needed for some [types? larger? preallocated?]
bpf map creation requests to succeed.
(the kernel's bpf subsys ignores CAP_IPC_LOCK)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia6975e854e6398ee9c56ce836b278b570e17a0f9
diff --git a/bpf/netd/BpfHandler.cpp b/bpf/netd/BpfHandler.cpp
index d41aa81..680c05e 100644
--- a/bpf/netd/BpfHandler.cpp
+++ b/bpf/netd/BpfHandler.cpp
@@ -268,6 +268,16 @@
RETURN_IF_NOT_OK(initMaps());
if (isAtLeast25Q2) {
+ struct rlimit limit = {
+ .rlim_cur = 1u << 30, // 1 GiB
+ .rlim_max = 1u << 30, // 1 GiB
+ };
+ // 25Q2 netd.rc includes "rlimit memlock 1073741824 1073741824"
+ // so this should be a no-op, and thus just succeed.
+ // make sure it isn't lowered in platform netd.rc...
+ if (setrlimit(RLIMIT_MEMLOCK, &limit))
+ return statusFromErrno(errno, "Failed to set 1GiB RLIMIT_MEMLOCK");
+
// Make sure netd can create & write maps. sepolicy is V+, but enough to enforce on 25Q2+
int key = 1;
int value = 123;
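Review bot: the setrlimit call enforces a memlock limit of exactly 1 GiB, not the "1GiB+" floor the title describes, and it behaves asymmetrically depending on what netd.rc actually set. If the inherited hard limit is above 1 GiB (say a vendor netd.rc raises it), `.rlim_max = 1u << 30` silently lowers it, and a lowered hard limit cannot be raised again without CAP_SYS_RESOURCE; only the case where the inherited hard limit is below 1 GiB produces the EPERM that this check is meant to catch. Consider reading the current values with getrlimit(RLIMIT_MEMLOCK, ...) first and failing only when `limit.rlim_max < (1u << 30)` (raising rlim_cur to rlim_max if needed), which keeps the "must not be lowered in platform netd.rc" intent from the comment without clamping a higher limit. Also worth a quick check that BpfHandler.cpp pulls in `<sys/resource.h>` and `<errno.h>`, since the hunk is the first use of RLIMIT_MEMLOCK and errno in this path as far as the visible context shows.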