Date: Sun, 23 Jul 2006 09:55:28 +1000 From: Peter Jeremy <peterjeremy@optushome.com.au> To: Robert Watson <rwatson@freebsd.org>, Kostik Belousov <kostikbel@gmail.com> Cc: freebsd-arch@freebsd.org Subject: Re: mlock(2) for ordinary users Message-ID: <20060722235528.GI728@turion.vk2pj.dyndns.org> In-Reply-To: <20060722151631.GB1217@deviant.kiev.zoral.com.ua> References: <20060721104044.GB728@turion.vk2pj.dyndns.org> <20060722154606.N54846@fledge.watson.org> <20060722151631.GB1217@deviant.kiev.zoral.com.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
--XigHxYirkHk2Kxsx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, 2006-Jul-22 18:16:31 +0300, Kostik Belousov wrote: >On Sat, Jul 22, 2006 at 03:52:37PM +0100, Robert Watson wrote: >> particular, I have to wonder if it works at all. The whole idea of=20 >> resources limits is that you bill new use to a credential, and credit=20 >> reduced use to a similar credential. Currently, most RLIMIT_xxx parameters are per-process (the exceptions are RLIMIT_NPROC and RLIMIT_SBSIZE - which are per-user). >> Probably, we're interested only in=20 >> memory pinned at the request of the process, not memory pinned by the=20 >> kernel on its behalf. Should memory wired via sysctl_wire_old_buffer() count as "at the request of the process" or "by the kernel on its behalf"? Currently, it's treated as the former. The following takes "credential" as "process" since that's how wired memory is currently billed. >> - When pages become locked on behalf of a credential, is it correctly bi= lled >> to the credential? >> >> - When pages become unlocked (or are released), are any credentials that= =20 >> have requested it be locked credited? I believe these are true. This is the area where I'd appreciate assistance. >> - What happens when the credential on a process changes between when mem= ory >> is locked and unlocked? I don't think this is possible because the credential is a process. >> - What happens if more than one credential requests the same page of mem= ory=20 >> be locked and unlocked? This is another area that would need further examination. >> - Is locked memory properly credited back to the credential on process e= xit >> and other non-explicit unmapping points? Process exit is not relevant. I'm not sure about implicit unwiring. >As far as I remember, RLIMIT_MEMLOCK is per-process instead of per-cred. It is. >As consequence, allowing mlock() for non-root users actually allow such >user to allocate value-of(RLIMIT_MEMLOCK) * value-of(RLIMIT_NPROC). This is no different to the other per-process resource limits. On a stock FreeBSD system, I can reach the system-wide FD limit with two user processes. I can't see that having several processes each locking RLIMIT_MEMLOCK pages provides any real benefit to the user so this is really just another DoS vector. >In fact, I had to make the answers to the asked questions when I >implemented the per-user swap limits. I didn't realise this existed. How do you control per-user swap? I can't find any reference to this in either login.conf or setrlimit(2). --=20 Peter Jeremy --XigHxYirkHk2Kxsx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (FreeBSD) iD8DBQFEwrrw/opHv/APuIcRAoswAJ9DxXZAIaXOwxd51Lq6i/KSN09U2wCgrSzn 4Z1IN7+6VwjDEFfzWNrocA0= =x7v6 -----END PGP SIGNATURE----- --XigHxYirkHk2Kxsx--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060722235528.GI728>