From: Bruno Lauzé
To: freebsd-current
Subject: RE: mlock and jail
Date: Thu, 2 Feb 2017 21:28:25 +0000
But a simple user with no rights can mlock (64kb by default), so why would a jail not be able to?

From: Xin LI
Sent: Thursday, February 2, 2017 1:13 PM
To: Pavel Timofeev
Cc: Bruno Lauzé; freebsd-current
Subject: Re: mlock and jail

On Thu, Feb 2, 2017 at 7:54 AM, Pavel Timofeev wrote:
> 2017-02-02 4:31 GMT+03:00 Xin LI:
>> I like this idea.
>>
>> Note that potentially your patch would make it possible for a jailed
>> root to DoS the whole system by locking too many pages in memory.
>> I think it would be sensible to provide a per-jail flag to enable
>> doing it, or better, have some finer grained control (e.g. per jail
>> quota of permitted locked pages).
>>
>> Why did the application want to lock pages in main memory, though?
>
> For example, this secret management tool
> https://www.vaultproject.io/docs/config/ wants to lock memory for
> security (surprise) reasons.
> It's available as security/vault in our ports tree.

No, it's not a surprise, but it is overkill IMHO.
Here is why: locking memory does prevent swapping, but in a typical multi-user system, if an attacker is already able to read swap (keep in mind that disks are by default owned by root and cannot be read in a typical setup), then the administrator already has much bigger problems to worry about, and the attacker would have much more powerful tools to steal the secrets.

Additionally, if one really cares about the safety of swap, they should have used encrypted swap in the first place. On FreeBSD, appending '.eli' to the swap device in fstab (e.g. /dev/ada0p3 -> /dev/ada0p3.eli) would automatically do one-time keyed swapping.

Moreover, I don't think it's a good idea to use an application that advocates locking all memory that it owns for "security" reasons: if the application writer does not know which memory pages would contain sensitive information, there is a good chance that the application writer has no idea what privilege separation is, and the design they have created could be fundamentally flawed.

Cheers,
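As an added example (not code from this thread, from FreeBSD or from Vault), the pattern Xin LI argues for: lock only the pages known to hold the secret, check the request against RLIMIT_MEMLOCK (the 64 KB default Bruno mentions) before asking the kernel, and scrub the buffer before the pages can be swapped again. Function names such as lock_secret and the 'K' fill value are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* mlock accounts whole pages: a 100-byte key still costs one page of the
 * RLIMIT_MEMLOCK quota.  Returns SIZE_MAX if rounding would overflow. */
size_t pages_needed(size_t len, size_t pagesize) {
    if (len > SIZE_MAX - (pagesize - 1)) return SIZE_MAX;
    return (len + pagesize - 1) / pagesize * pagesize;
}

/* Pure check done before touching the kernel; RLIM_INFINITY means no cap. */
int fits_memlock_limit(size_t len, size_t pagesize, rlim_t limit) {
    if (limit == RLIM_INFINITY) return 1;
    return pages_needed(len, pagesize) <= (size_t)limit;
}

/* Volatile stores so the compiler cannot drop the wipe as dead code. */
static void wipe(volatile unsigned char *p, size_t n) { while (n--) *p++ = 0; }

/* Lock only the buffer that holds the secret, use it, scrub it, unlock.
 * Returns 0 or -errno: -ENOMEM when the request exceeds the quota,
 * -EPERM where the process may not lock memory at all.  A caller that
 * gets an error must not store the secret in an unlocked fallback buffer
 * silently; it should fail closed or report the degraded state. */
int lock_secret(size_t len) {
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return -errno;
    if (!fits_memlock_limit(len, pagesize, rl.rlim_cur)) return -ENOMEM;
    size_t alloc = pages_needed(len, pagesize);
    void *buf = NULL;
    int rc = posix_memalign(&buf, pagesize, alloc);   /* page-aligned block */
    if (rc != 0) return -rc;
    if (mlock(buf, alloc) != 0) { rc = -errno; free(buf); return rc; }
    memset(buf, 'K', len);   /* constructed stand-in for loading key material */
    wipe(buf, alloc);        /* scrub before the pages can be swapped again */
    munlock(buf, alloc);
    free(buf);
    return 0;
}
```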