Set /proc/sys/net/core/bpf_jit_{enable,kallsyms} to 1

bpf_jit_enable = 1 is mostly a no-op since on most future
devices it will be force enabled by BPF_JIT_ALWAYS_ON

It is required for Pixel 3 & co Linux 4.9 based devices, which
can only do JIT for some ebpf programs (and thus can't enable
BPF_JIT_ALWAYS_ON without some netd programs refusing to load)

We also set bpf_jit_kallsyms = 1 because it makes debugging
failures easier, but it is incompatible with bpf_jit_harden != 0.

We don't bother setting bpf_jit_harden both because we want
bpf_jit_kallsyms to work, and because the only entity allowed
to load ebpf programs is the bpfloader and it only loads trusted
(verified file system signed) prebuilt bpf programs.

Test: built and booted, verified settings
Bug: 140377409
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9b401ee7b01a2042da87ff48d548b11e0cf78efa
1 file changed
tree: ddbb26625e75ae2b51383d6b720ba6f801e274b3
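A check for the state the commit message describes, added here as an example (it is not part of the commit or of the Android tree): it reads the three sysctls and reports whether bpf_jit_enable and bpf_jit_kallsyms are 1 with bpf_jit_harden left at 0. The function name `check_bpf_jit`, its optional directory argument and its exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the BPF JIT sysctls named in the commit message.
# check_bpf_jit is a hypothetical helper. The optional directory argument
# lets the check run against a constructed fixture instead of live /proc.
# Exit codes (chosen for this example): 0 = matches the commit's intent,
# 1 = a value differs, 2 = a sysctl file is missing or unreadable.

check_bpf_jit() {
    dir="${1:-/proc/sys/net/core}"
    status=0

    # Reading these files may require root on the device.
    for name in bpf_jit_enable bpf_jit_kallsyms bpf_jit_harden; do
        if [ ! -r "$dir/$name" ]; then
            echo "MISSING $name (no BPF JIT in this kernel, or not readable)"
            return 2
        fi
    done

    enable=$(cat "$dir/bpf_jit_enable")
    kallsyms=$(cat "$dir/bpf_jit_kallsyms")
    harden=$(cat "$dir/bpf_jit_harden")

    if [ "$enable" = 1 ]; then
        echo "OK   bpf_jit_enable=1"
    else
        echo "FAIL bpf_jit_enable=$enable (expected 1)"
        status=1
    fi

    if [ "$kallsyms" = 1 ]; then
        echo "OK   bpf_jit_kallsyms=1"
    else
        echo "FAIL bpf_jit_kallsyms=$kallsyms (expected 1)"
        status=1
    fi

    # The commit message notes that kallsyms export is incompatible
    # with bpf_jit_harden != 0, so a non-zero value defeats the setting above.
    if [ "$harden" = 0 ]; then
        echo "OK   bpf_jit_harden=0"
    else
        echo "FAIL bpf_jit_harden=$harden (bpf_jit_kallsyms has no effect)"
        status=1
    fi

    return "$status"
}
```

Call `check_bpf_jit` with no argument on the device to read the live values under /proc/sys/net/core.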