bpfloader: stop loading networking bpf programs
(note: bpf.progs_loaded is set by the network bpf loader)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie1a906f31afacd656fcaa402ff348955c5f510b0
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc
index fd6eaea..1f4016d 100644
--- a/bpfloader/bpfloader.rc
+++ b/bpfloader/bpfloader.rc
@@ -18,13 +18,13 @@
exec_start bpfloader
service bpfloader /system/bin/bpfloader
- capabilities CHOWN SYS_ADMIN NET_ADMIN
+ capabilities CHOWN SYS_ADMIN
# The following group memberships are a workaround for lack of DAC_OVERRIDE
# and allow us to open (among other things) files that we created and are
# no longer root owned (due to CHOWN) but still have group read access to
# one of the following groups. This is not perfect, but a more correct
# solution requires significantly more effort to implement.
- group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
+ group root graphics system
user root
#
# Set RLIMIT_MEMLOCK to 1GiB for bpfloader
@@ -36,9 +36,8 @@
# memlock data before bpfloader even gets a chance to run, it would fail
# if its memlock rlimit is only 8MiB - since there would be none left for it.
#
- # bpfloader succeeding is critical to system health, since a failure will
- # cause netd crashloop and thus system server crashloop... and the only
- # recovery is a full kernel reboot.
+ # bpfloader succeeding is critical to system health:
+ # the only way to recover is a full kernel reboot.
#
# We've had issues where devices would sometimes (rarely) boot into
# a crashloop because bpfloader would occasionally lose a boot time