Date: Mon, 17 Nov 2003 12:01:22 -0500 (EST) From: Robert Watson <rwatson@freebsd.org> To: "Marc G. Fournier" <scrappy@hub.org> Cc: freebsd-stable@freebsd.org Subject: Re: memory locking in a jail? Message-ID: <Pine.NEB.3.96L.1031117115837.66398A-100000@fledge.watson.org> In-Reply-To: <20031115211530.J34088@ganymede.hub.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 15 Nov 2003, Marc G. Fournier wrote: > With gpg setuid root, I'm getting the following 'insecure memory' issue > when running inside of a jail: > > gpg: WARNING: using insecure memory! > > from the FAQ, it has to do with memory locking ... is this something > that can't be done inside of a jail? Or just an issue with jail in 4.x? FreeBSD requires privilege to lock pages in memory; right now, that privilege check does not allow mlock() to be used in a jail. You can modify that privilege check locally to permit privileged users in jail() to use mlock() by editing vm_mmap.c to pass the PRISON_ROOT flag into suser_cred() or suser_xxx(), depending on whether you're using -CURRENT or -STABLE. There's #ifdef'd out code that permits locking of memory for unprivileged processes based on a resource limit, but I'm not sufficiently familiar with the history of that to comment on which it's commented out. Locked memory is a very precious resource, though, so any reduction of the privilege level necessary to lock memory needs to be thought through very carefully, and in the context of any past history of the issue. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1031117115837.66398A-100000>