Revert "Grant IPC_LOCK capability to bpfloader"
This reverts commit 77494d2b70f8cc8b08307f0dfe13d6b79b18e0f1.
This doesn't apparently work...
Kernel doesn't actually test capabilities, just blindly charges
against user's memlock limit:
//kernel/bpf/syscall.c:
static int bpf_charge_memlock(struct user_struct *user, u32 pages) {
  unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
  if (atomic_long_add_return(pages, &user->locked_vm) > memlock_limit) {
    atomic_long_sub(pages, &user->locked_vm);
    return -EPERM;
  }
  return 0;
}
Test: N/A, revert
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Icf6d6e8a36e4b9f3771a5ce80e25ef3644ff4e83
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc
index 924112e..31747fb 100644
--- a/bpfloader/bpfloader.rc
+++ b/bpfloader/bpfloader.rc
@@ -1,4 +1,9 @@
service bpfloader /system/bin/bpfloader
class main
- capabilities SYS_ADMIN IPC_LOCK
+ capabilities SYS_ADMIN
+ # Set RLIMIT_MEMLOCK to 64MB for bpfloader
+ # Actually only 8MB is needed, but since bpfloader runs as root, it shares
+ # the global rlimit. Once bpfloader is running as its own user in the
+ # future, it will have dedicated rlimit to itself and this can be 8MB.
+ rlimit memlock 67108864 67108864
oneshot
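Review bot: the restored comment above `rlimit memlock 67108864 67108864` says bpfloader "shares the global rlimit", which does not match the bpf_charge_memlock() excerpt quoted in the commit message. There the limit is read from the calling process's own RLIMIT_MEMLOCK, and what is shared is the per-user counter `user->locked_vm`. Suggest rewording the comment to say that pages already charged to the root user by other processes count toward the same total, which is why 64MB is set when bpfloader itself needs only 8MB. It would also help to write the value as 64 * 1024 * 1024 in the comment so the number can be checked at a glance. Since the commit message establishes that the kernel returns -EPERM on this path without consulting capabilities, a one-line note here that IPC_LOCK has no effect on this limit would keep the capability from being added again later.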