From owner-svn-src-all@freebsd.org Sun Jul 29 12:41:57 2018
Message-Id: <201807291241.w6TCfuvE033869@repo.freebsd.org>
From: Antoine Brodin
Date: Sun, 29 Jul 2018 12:41:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r336868 - in head: sys/kern sys/sys usr.sbin/jail

Author: antoine
Date: Sun Jul 29 12:41:56 2018
New Revision: 336868
URL: https://svnweb.freebsd.org/changeset/base/336868

Log:
  Add allow.mlock to jail parameters

  It allows locking or unlocking physical pages in memory within a jail.
  This allows running elasticsearch with "bootstrap.memory_lock" inside a jail.

  Reviewed by:	jamie@
  Differential Revision:	https://reviews.freebsd.org/D16342

Modified:
  head/sys/kern/kern_jail.c
  head/sys/sys/jail.h
  head/usr.sbin/jail/jail.8

Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Sun Jul 29 08:43:08 2018 (r336867) +++ head/sys/kern/kern_jail.c Sun Jul 29 12:41:56 2018 (r336868) @@ -190,6 +190,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, + {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, {"allow.reserved_ports", "allow.noreserved_ports", PR_ALLOW_RESERVED_PORTS}, };
@@ -3293,6 +3294,17 @@ prison_priv_check(struct ucred *cred, int priv) return (EPERM); /* + * Conditionnaly allow locking (unlocking) physical pages + * in memory. + */ + case PRIV_VM_MLOCK: + case PRIV_VM_MUNLOCK: + if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK) + return (0); + else + return (EPERM); + + /* * Conditionally allow jailed root to bind reserved ports. */ case PRIV_NETINET_RESERVEDPORT: @@ -3752,6 +3764,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLA "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may lock (unlock) physical pages in memory"); SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may bind sockets to reserved ports"); Modified: head/sys/sys/jail.h ============================================================================== --- head/sys/sys/jail.h Sun Jul 29 08:43:08 2018 (r336867) +++ head/sys/sys/jail.h Sun Jul 29 12:41:56 2018 (r336868) @@ -227,9 +227,10 @@ struct prison_racct { #define PR_ALLOW_MOUNT 0x00000010 #define PR_ALLOW_QUOTAS 0x00000020 #define PR_ALLOW_SOCKET_AF 0x00000040 +#define PR_ALLOW_MLOCK 0x00000080 #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ -#define PR_ALLOW_ALL_STATIC 0x0001807f +#define PR_ALLOW_ALL_STATIC 0x000180ff /* * OSD methods Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sun Jul 29 08:43:08 2018 (r336867) +++ head/usr.sbin/jail/jail.8 Sun Jul 29 12:41:56 2018 (r336868) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 20, 2018 +.Dd July 29, 2018 .Dt JAIL 8 .Os .Sh NAME 
@@ -553,6 +553,16 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. +.It Va allow.mlock +Locking or unlocking physical pages in memory are normally not available +within a jail. +When this parameter is set, users may +.Xr mlock 2 +or +.Xr munlock 2 +memory subject to +.Va security.bsd.unprivileged_mlock +and resource limits. .It Va allow.reserved_ports The jail root may bind to ports lower than 1024. .El
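Review bot: the new comment in the prison_priv_check hunk misspells "Conditionnaly"; the adjacent comment for PRIV_NETINET_RESERVEDPORT spells it "Conditionally", so match that. The `if (...) return (0); else return (EPERM);` shape mirrors the existing reserved_ports case, so the style is consistent. Since this case now grants PRIV_VM_MLOCK and PRIV_VM_MUNLOCK to a jailed root, it would help a future reader to state in the comment that the grant is still bounded by the caller's memory-locking resource limits and security.bsd.unprivileged_mlock, which is what the jail.8 text in this same commit says.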
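Review bot: the PR_ALLOW_ALL_STATIC update in the jail.h hunk is required and checks out: 0x0001807f | 0x00000080 == 0x000180ff, and 0x00000080 is the next free bit below PR_ALLOW_RESERVED_PORTS (0x00008000). Without that mask change the new flag would not be recognised as a static allow bit. No change needed.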
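Review bot: subject-verb agreement in the new jail.8 paragraph: "Locking or unlocking physical pages in memory are normally not available" should read "is normally not available" (or "Locking and unlocking ... are"). The rest of the text is accurate to the code: without allow.mlock the privilege check returns EPERM, and with it mlock(2)/munlock(2) remain subject to security.bsd.unprivileged_mlock and resource limits.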