| Maciej Żenczykowski | 6bd207e | 2020-06-19 18:12:25 -0700 | [diff] [blame] | 1 | # zygote-start is what officially starts netd (see //system/core/rootdir/init.rc) |
| 2 | # However, on some hardware it's started from post-fs-data as well, which is just |
| 3 | # a tad earlier. There's no benefit to that though, since on 4.9+ P+ devices netd |
| 4 | # will just block until bpfloader finishes and sets the bpf.progs_loaded property. |
| 5 | # |
| 6 | # It is important that we start bpfloader after: |
| 7 | # - /sys/fs/bpf is already mounted, |
| 8 | # - apex (incl. rollback) is initialized (so that in the future we can load bpf |
| 9 | # programs shipped as part of apex mainline modules) |
| Maciej Żenczykowski | 6bd207e | 2020-06-19 18:12:25 -0700 | [diff] [blame] | 10 | # - logd is ready for us to log stuff |
| 11 | # |
| 12 | # At the same time we want to be as early as possible to reduce races and thus |
| 13 | # failures (before memory is fragmented, and cpu is busy running tons of other |
| 14 | # stuff) and we absolutely want to be before netd and the system boot slot is |
| 15 | # considered to have booted successfully. |
| 16 | # |
| 17 | on load_bpf_programs |
| Maciej Żenczykowski | fa03239 | 2021-11-10 17:06:14 -0800 | [diff] [blame] | 18 | # Linux 5.16-rc1 has changed the default to 2 (disabled but changeable), |
| 19 | # but we need 0 |
| 20 | write /proc/sys/kernel/unprivileged_bpf_disabled 0 |
| Maciej Żenczykowski | 6bd207e | 2020-06-19 18:12:25 -0700 | [diff] [blame] | 21 | # Enable the eBPF JIT -- but do note that on 64-bit kernels it is likely |
| 22 | # already force enabled by the kernel config option BPF_JIT_ALWAYS_ON |
| 23 | write /proc/sys/net/core/bpf_jit_enable 1 |
| 24 | # Enable JIT kallsyms export for privileged users only |
| 25 | write /proc/sys/net/core/bpf_jit_kallsyms 1 |
| Maciej Żenczykowski | 2a775a4 | 2020-06-23 21:06:38 -0700 | [diff] [blame] | 26 | exec_start bpfloader |
| Maciej Żenczykowski | 6bd207e | 2020-06-19 18:12:25 -0700 | [diff] [blame] | 27 | |
| Joel Fernandes | 6e1341e | 2018-11-29 11:36:13 -0800 | [diff] [blame] | 28 | service bpfloader /system/bin/bpfloader |
| Maciej Żenczykowski | 265d131 | 2021-03-01 23:09:27 -0800 | [diff] [blame] | 29 | capabilities CHOWN SYS_ADMIN NET_ADMIN |
| Maciej Żenczykowski | e1deaec | 2020-01-27 22:27:02 -0800 | [diff] [blame] | 30 | # |
| 31 | # Set RLIMIT_MEMLOCK to 1GiB for bpfloader |
| 32 | # |
| 33 | # Actually only 8MiB would be needed if bpfloader ran as its own uid. |
| 34 | # |
| 35 | # However, while the rlimit is per-thread, the accounting is system wide. |
| 36 | # So, for example, if the graphics stack has already allocated 10MiB of |
| 37 | # memlock data before bpfloader even gets a chance to run, it would fail |
| 38 | # if its memlock rlimit is only 8MiB - since there would be none left for it. |
| 39 | # |
| 40 | # bpfloader succeeding is critical to system health, since a failure will |
| 41 | # cause netd crashloop and thus system server crashloop... and the only |
| 42 | # recovery is a full kernel reboot. |
| 43 | # |
| 44 | # We've had issues where devices would sometimes (rarely) boot into |
| 45 | # a crashloop because bpfloader would occasionally lose a boot time |
| 46 | # race against the graphics stack's boot time locked memory allocation. |
| 47 | # |
| 48 | # Thus bpfloader's memlock has to be 8MB higher then the locked memory |
| 49 | # consumption of the root uid anywhere else in the system... |
| 50 | # But we don't know what that is for all possible devices... |
| 51 | # |
| 52 | # Ideally, we'd simply grant bpfloader the IPC_LOCK capability and it |
| 53 | # would simply ignore it's memlock rlimit... but it turns that this |
| 54 | # capability is not even checked by the kernel's bpf system call. |
| 55 | # |
| 56 | # As such we simply use 1GiB as a reasonable approximation of infinity. |
| 57 | # |
| 58 | rlimit memlock 1073741824 1073741824 |
| Joel Fernandes | 6e1341e | 2018-11-29 11:36:13 -0800 | [diff] [blame] | 59 | oneshot |
| Maciej Żenczykowski | e49e0c6 | 2021-11-18 12:23:02 -0800 | [diff] [blame^] | 60 | # |
| 61 | # How to debug bootloops caused by 'bpfloader-failed'. |
| 62 | # |
| 63 | # 1. On some lower RAM devices (like wembley) you may need to first enable developer mode |
| 64 | # (from the Settings app UI), and change the developer option "Logger buffer sizes" |
| 65 | # from the default (wembley: 64kB) to the maximum (1M) per log buffer. |
| 66 | # Otherwise buffer will overflow before you manage to dump it and you'll get useless logs. |
| 67 | # |
| 68 | # 2. comment out 'reboot_on_failure reboot,bpfloader-failed' below |
| 69 | # 3. rebuild/reflash/reboot |
| 70 | # 4. as the device is booting up capture bpfloader logs via: |
| 71 | # adb logcat -s 'bpfloader:*' 'LibBpfLoader:*' |
| 72 | # |
| 73 | # something like: |
| 74 | # $ adb reboot; sleep 1; adb wait-for-device; adb root; sleep 1; adb wait-for-device; adb logcat -s 'bpfloader:*' 'LibBpfLoader:*' |
| 75 | # will take care of capturing logs as early as possible |
| 76 | # |
| 77 | # 5. look through the logs from the kernel's bpf verifier that bpfloader dumps out, |
| 78 | # it usually makes sense to search back from the end and find the particular |
| 79 | # bpf verifier failure that caused bpfloader to terminate early with an error code. |
| 80 | # This will probably be something along the lines of 'too many jumps' or |
| 81 | # 'cannot prove return value is 0 or 1' or 'unsupported / unknown operation / helper', |
| 82 | # 'invalid bpf_context access', etc. |
| 83 | # |
| Maciej Żenczykowski | 6bd207e | 2020-06-19 18:12:25 -0700 | [diff] [blame] | 84 | reboot_on_failure reboot,bpfloader-failed |
| 85 | # we're not really updatable, but want to be able to load bpf programs shipped in apexes |
| 86 | updatable |