Date: Fri, 21 Jul 2006 20:40:44 +1000
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: freebsd-arch@freebsd.org
Subject: mlock(2) for ordinary users
Message-ID: <20060721104044.GB728@turion.vk2pj.dyndns.org>

Currently mlock() and munlock() are restricted to the root user - which prevents an ordinary user locking their process into RAM to the detriment of the system as a whole. Whilst this is a valid concern, there are good security reasons for allowing a user to lock small amounts of memory (a few pages) to ensure that sensitive information (private keys, passwords etc) doesn't wind up on swap devices.

There is a resource limit for locked pages (RLIMIT_MEMLOCK) and, despite the man page, a quick look at the code implies that it really is honoured. Could someone with more VM-foo please confirm whether the last line of the man page is still correct.

I would like to suggest that the suser() tests in mlock() and munlock() be removed and the default RLIMIT_MEMLOCK is reduced from infinity to (say) 1. The only gotcha I can see is that lots of sysctl() functions use RLIMIT_MEMLOCK via sysctl_wire_old_buffer() and vslock().

Comments please.

--
Peter Jeremy
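
An added example, not part of the original message and not FreeBSD code: how an unprivileged program would keep a small secret in locked pages, check the request against RLIMIT_MEMLOCK, and detect the case where mlock() is refused. The secret_buf type and the names memlock_fits, secret_alloc and secret_free are hypothetical.

```c
#define _DEFAULT_SOURCE   /* glibc: expose MAP_ANON under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical helper type: whole pages holding one secret. */
struct secret_buf { void *p; size_t len; int locked; };

/* 1 if len bytes fit under the soft RLIMIT_MEMLOCK, 0 if not, -1 on error. */
int memlock_fits(size_t len) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return -1;
    return rl.rlim_cur == RLIM_INFINITY || (rlim_t)len <= rl.rlim_cur;
}

/* Returns 0 if allocated and locked, 1 if allocated but mlock() refused
 * (errno is left as mlock set it), -1 if no memory could be mapped. */
int secret_alloc(struct secret_buf *s, size_t want) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    s->len = (want + pg - 1) / pg * pg;          /* round up to whole pages */
    s->locked = 0;
    s->p = mmap(NULL, s->len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (s->p == MAP_FAILED) { s->p = NULL; return -1; }
    if (mlock(s->p, s->len) != 0) return 1;      /* caller decides: fail closed or go on */
    s->locked = 1;
    return 0;
}

/* Wipe first, while any lock is still held, then unlock and unmap. */
void secret_free(struct secret_buf *s) {
    if (s->p == NULL) return;
    volatile unsigned char *v = s->p;            /* volatile: keep the wipe from being elided */
    for (size_t i = 0; i < s->len; i++) v[i] = 0;
    if (s->locked) munlock(s->p, s->len);
    munmap(s->p, s->len);
    s->p = NULL; s->len = 0; s->locked = 0;
}

int main(void) {
    struct secret_buf s;
    int rc = secret_alloc(&s, 32);               /* 32 bytes: a constructed key size */
    if (rc < 0) { perror("mmap"); return 1; }
    if (rc == 1) fprintf(stderr, "not locked: %s\n", strerror(errno));
    else printf("locked %zu bytes (fits=%d)\n", s.len, memlock_fits(s.len));
    secret_free(&s);
    return 0;
}
```

memlock_fits() compares only the new request with the limit and does not count pages the process has already locked, so a refusal from mlock() remains the authoritative answer.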
