Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_bpf / bbf5ee3971c0b6610d96c3a75dd48b3aa5bdc899 / . / bpfloader / bpfloader.rc
blob: 1d6248e51c241dbf040c440ac31ac8d6972023de [file] [log] [blame]
Maciej Żenczykowski6bd207e2020-06-19 18:12:25 -0700[diff] [blame]1# zygote-start is what officially starts netd (see //system/core/rootdir/init.rc)
2# However, on some hardware it's started from post-fs-data as well, which is just
3# a tad earlier. There's no benefit to that though, since on 4.9+ P+ devices netd
4# will just block until bpfloader finishes and sets the bpf.progs_loaded property.
5#
6# It is important that we start bpfloader after:
7# - /sys/fs/bpf is already mounted,
8# - apex (incl. rollback) is initialized (so that in the future we can load bpf
9# programs shipped as part of apex mainline modules)
Maciej Żenczykowski6bd207e2020-06-19 18:12:25 -0700[diff] [blame]10# - logd is ready for us to log stuff
11#
12# At the same time we want to be as early as possible to reduce races and thus
13# failures (before memory is fragmented, and cpu is busy running tons of other
14# stuff) and we absolutely want to be before netd and the system boot slot is
15# considered to have booted successfully.
16#
17on load_bpf_programs
Maciej Żenczykowskifa032392021-11-10 17:06:14 -0800[diff] [blame]18 # Linux 5.16-rc1 has changed the default to 2 (disabled but changeable),
19 # but we need 0
20 write /proc/sys/kernel/unprivileged_bpf_disabled 0
Maciej Żenczykowski6bd207e2020-06-19 18:12:25 -0700[diff] [blame]21 # Enable the eBPF JIT -- but do note that on 64-bit kernels it is likely
22 # already force enabled by the kernel config option BPF_JIT_ALWAYS_ON
23 write /proc/sys/net/core/bpf_jit_enable 1
24 # Enable JIT kallsyms export for privileged users only
25 write /proc/sys/net/core/bpf_jit_kallsyms 1
Maciej Żenczykowski2a775a42020-06-23 21:06:38 -0700[diff] [blame]26 exec_start bpfloader
Maciej Żenczykowski6bd207e2020-06-19 18:12:25 -0700[diff] [blame]27
Joel Fernandes6e1341e2018-11-29 11:36:13 -0800[diff] [blame]28service bpfloader /system/bin/bpfloader
Maciej Żenczykowski265d1312021-03-01 23:09:27 -0800[diff] [blame]29 capabilities CHOWN SYS_ADMIN NET_ADMIN
Maciej Żenczykowskibbf5ee32022-07-02 01:28:46 -0700[diff] [blame^]30 # The following group memberships are a workaround for lack of DAC_OVERRIDE
31 # and allow us to open (among other things) files that we created and are
32 # no longer root owned (due to CHOWN) but still have group read access to
33 # one of the following groups. This is not perfect, but a more correct
34 # solution requires significantly more effort to implement.
35 group root graphics network_stack net_admin net_bw_acct net_bw_stats net_raw system
Maciej Żenczykowskie1deaec2020-01-27 22:27:02 -0800[diff] [blame]36 #
37 # Set RLIMIT_MEMLOCK to 1GiB for bpfloader
38 #
39 # Actually only 8MiB would be needed if bpfloader ran as its own uid.
40 #
41 # However, while the rlimit is per-thread, the accounting is system wide.
42 # So, for example, if the graphics stack has already allocated 10MiB of
43 # memlock data before bpfloader even gets a chance to run, it would fail
44 # if its memlock rlimit is only 8MiB - since there would be none left for it.
45 #
46 # bpfloader succeeding is critical to system health, since a failure will
47 # cause netd crashloop and thus system server crashloop... and the only
48 # recovery is a full kernel reboot.
49 #
50 # We've had issues where devices would sometimes (rarely) boot into
51 # a crashloop because bpfloader would occasionally lose a boot time
52 # race against the graphics stack's boot time locked memory allocation.
53 #
54 # Thus bpfloader's memlock has to be 8MB higher then the locked memory
55 # consumption of the root uid anywhere else in the system...
56 # But we don't know what that is for all possible devices...
57 #
58 # Ideally, we'd simply grant bpfloader the IPC_LOCK capability and it
59 # would simply ignore it's memlock rlimit... but it turns that this
60 # capability is not even checked by the kernel's bpf system call.
61 #
62 # As such we simply use 1GiB as a reasonable approximation of infinity.
63 #
64 rlimit memlock 1073741824 1073741824
Joel Fernandes6e1341e2018-11-29 11:36:13 -0800[diff] [blame]65 oneshot
Maciej Żenczykowskie49e0c62021-11-18 12:23:02 -0800[diff] [blame]66 #
67 # How to debug bootloops caused by 'bpfloader-failed'.
68 #
69 # 1. On some lower RAM devices (like wembley) you may need to first enable developer mode
70 # (from the Settings app UI), and change the developer option "Logger buffer sizes"
71 # from the default (wembley: 64kB) to the maximum (1M) per log buffer.
72 # Otherwise buffer will overflow before you manage to dump it and you'll get useless logs.
73 #
74 # 2. comment out 'reboot_on_failure reboot,bpfloader-failed' below
75 # 3. rebuild/reflash/reboot
76 # 4. as the device is booting up capture bpfloader logs via:
77 # adb logcat -s 'bpfloader:*' 'LibBpfLoader:*'
78 #
79 # something like:
80 # $ adb reboot; sleep 1; adb wait-for-device; adb root; sleep 1; adb wait-for-device; adb logcat -s 'bpfloader:*' 'LibBpfLoader:*'
81 # will take care of capturing logs as early as possible
82 #
83 # 5. look through the logs from the kernel's bpf verifier that bpfloader dumps out,
84 # it usually makes sense to search back from the end and find the particular
85 # bpf verifier failure that caused bpfloader to terminate early with an error code.
86 # This will probably be something along the lines of 'too many jumps' or
87 # 'cannot prove return value is 0 or 1' or 'unsupported / unknown operation / helper',
88 # 'invalid bpf_context access', etc.
89 #
Maciej Żenczykowski6bd207e2020-06-19 18:12:25 -0700[diff] [blame]90 reboot_on_failure reboot,bpfloader-failed
91 # we're not really updatable, but want to be able to load bpf programs shipped in apexes
92 updatable