Set /proc/sys/net/core/bpf_jit_{enable,kallsyms} to 1

bpf_jit_enable = 1 is mostly a no-op, since on most future
devices it will be force-enabled by BPF_JIT_ALWAYS_ON.

It is required for Pixel 3 & co Linux 4.9 based devices, which
can only do JIT for some eBPF programs (and thus can't enable
BPF_JIT_ALWAYS_ON without some netd programs refusing to load).

We also set bpf_jit_kallsyms = 1 because it makes debugging
failures easier, but it is incompatible with bpf_jit_harden != 0.

We don't bother setting bpf_jit_harden because we both want
bpf_jit_kallsyms to work, and because the only entity allowed
to load ebpf programs is the bpfloader and it only loads trusted
(verified file system signed) prebuilt bpf programs.

Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
diff --git a/bpfloader/bpfloader.rc b/bpfloader/bpfloader.rc
index 4404c17..e8da02d 100644
--- a/bpfloader/bpfloader.rc
+++ b/bpfloader/bpfloader.rc
@@ -31,3 +31,11 @@
     #
     rlimit memlock 1073741824 1073741824
     oneshot
+
+# Need to make sure this runs *before* the bpfloader.
+on early-init
+    # Enable the eBPF JIT -- but do note that it is likely already force enabled
+    # by the kernel config option BPF_JIT_ALWAYS_ON
+    write /proc/sys/net/core/bpf_jit_enable 1
+    # Enable JIT kallsyms export for privileged users only
+    write /proc/sys/net/core/bpf_jit_kallsyms 1
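
Review bot: The new `on early-init` block does not record why bpf_jit_harden is left untouched. The commit message explains that bpf_jit_kallsyms is incompatible with bpf_jit_harden != 0, and that hardening is skipped because only the bpfloader loads programs, but none of that reasoning is in the rc file. Suggest adding a comment next to the `write /proc/sys/net/core/bpf_jit_kallsyms 1` line stating that bpf_jit_harden is intentionally left unset, so a later change that sets it does not silently break the kallsyms export. The comment "Need to make sure this runs *before* the bpfloader" could also name what guarantees that ordering, since the trigger that starts the service is not visible in this hunk.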