# bpfloader: runs /system/bin/bpfloader once (oneshot) as part of class main,
# with the CHOWN and SYS_ADMIN capabilities.
service bpfloader /system/bin/bpfloader
    class main
    capabilities CHOWN SYS_ADMIN
    #
    # RLIMIT_MEMLOCK for bpfloader is set to 1GiB (soft and hard limit).
    #
    # If bpfloader ran as its own uid, only 8MiB would actually be needed.
    #
    # The rlimit is per-thread, but the accounting is system wide. So, for
    # example, if the graphics stack has already allocated 10MiB of memlock
    # data before bpfloader even gets a chance to run, bpfloader would fail
    # with a memlock rlimit of only 8MiB, since none would be left for it.
    #
    # bpfloader succeeding is critical to system health: a failure causes a
    # netd crashloop and thus a system server crashloop, and the only
    # recovery is a full kernel reboot.
    #
    # Devices have sometimes (rarely) booted into a crashloop because
    # bpfloader occasionally lost a boot time race against the graphics
    # stack's boot time locked memory allocation.
    #
    # Thus bpfloader's memlock has to be 8MB higher than the locked memory
    # consumption of the root uid anywhere else in the system, and that
    # value is not known for all possible devices.
    #
    # Ideally bpfloader would simply be granted the IPC_LOCK capability and
    # would ignore its memlock rlimit, but it turns out that this capability
    # is not even checked by the kernel's bpf system call.
    #
    # As such 1GiB is used as a reasonable approximation of infinity.
    #
    # NOTE(review): SYS_ADMIN is a broad capability and the 1GiB limit is
    # effectively unbounded. Both rest on bpfloader being a short-lived
    # oneshot loader. Confirm that the objects it loads come only from
    # trusted, integrity-protected locations.
    #
    rlimit memlock 1073741824 1073741824
    oneshot
# This section must run *before* bpfloader.
on early-init
    # Turn on the eBPF JIT. Note that it is likely already force enabled by
    # the kernel config option BPF_JIT_ALWAYS_ON.
    write /proc/sys/net/core/bpf_jit_enable 1
    # Export JIT kallsyms, for privileged users only (value 1).
    write /proc/sys/net/core/bpf_jit_kallsyms 1
    # NOTE(review): net.core.bpf_jit_harden is not written in this section.
    # Confirm where JIT hardening is configured for this platform. The
    # kallsyms export above presumably stops applying once hardening is
    # enabled, so verify against the kernel sysctl documentation.