From owner-freebsd-arch@FreeBSD.ORG Sun Sep 16 17:53:46 2012 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E2B83106566C for ; Sun, 16 Sep 2012 17:53:46 +0000 (UTC) (envelope-from andrey@zonov.org) Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com [209.85.217.182]) by mx1.freebsd.org (Postfix) with ESMTP id 542B18FC0A for ; Sun, 16 Sep 2012 17:53:45 +0000 (UTC) Received: by lbbgg13 with SMTP id gg13so4579462lbb.13 for ; Sun, 16 Sep 2012 10:53:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :x-gm-message-state; bh=cFqBiKFQkvYbWgkomeyPlkcrkAPyPUhPduMkflidtLI=; b=JNsRjkFQixhQGucX8IjDWJB4EbFZq0nHC6RtCiZVak+9CVSyFXhKTbOZeczju3pd60 fSver56h2shYAGohbyxxwlBQMcNXLr6xKOL93GsfNLK2Dt5YysssCFP+7AHFun/YWKDP VShsjiE5ypoZdxu6W7OUWDZZGv3iiTlj9gF9B/dMhHvnArT8hUhAXOvuIsgZ68gdI1bK GTRYxRi9A5ACcWdSdvNrxHr0n36pOXWiP5/awfsRAEaTUIVAe/jgG8I8TbKz1vCvyE5B +J/2V/naZID77okDL3OBcy+RPdk+N7hxvEV3zaECl+5XHFXqxw45DICqpRLbD4BvWdx5 RknQ== Received: by 10.112.30.8 with SMTP id o8mr3139870lbh.132.1347818024930; Sun, 16 Sep 2012 10:53:44 -0700 (PDT) Received: from zont-osx.local (ppp95-165-139-113.pppoe.spdop.ru. [95.165.139.113]) by mx.google.com with ESMTPS id ba4sm2015719lbb.14.2012.09.16.10.53.43 (version=SSLv3 cipher=OTHER); Sun, 16 Sep 2012 10:53:44 -0700 (PDT) Sender: Andrey Zonov Message-ID: <50561223.7060709@FreeBSD.org> Date: Sun, 16 Sep 2012 21:53:39 +0400 From: Andrey Zonov User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1 MIME-Version: 1.0 To: Andriy Gapon References: <503DD433.2030108@FreeBSD.org> <201208290906.q7T96C9j032802@gw.catspoiler.org> <20120829092318.GW33100@deviant.kiev.zoral.com.ua> <503F2D24.8050103@FreeBSD.org> <50463026.8000506@FreeBSD.org> <504653CD.2000707@FreeBSD.org> <5046F4E0.6000606@FreeBSD.org> In-Reply-To: <5046F4E0.6000606@FreeBSD.org> X-Enigmail-Version: 1.4.4 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigEE218ED8847BBCE1EBCDBCD9" X-Gm-Message-State: ALoCoQkfPTxuzbDVyNum5W6DTcc7Fn0zmh3SsyrQAC5KP/EC/L31vf9NGA2eQu48DeTMnlZ4Df/3 Cc: freebsd-arch@FreeBSD.org Subject: Re: [patch] unprivileged mlock(2) X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Sep 2012 17:53:47 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigEE218ED8847BBCE1EBCDBCD9 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 9/5/12 10:44 AM, Andriy Gapon wrote: > on 04/09/2012 22:17 Andrey Zonov said the following: >> On 9/4/12 8:45 PM, Andriy Gapon wrote: >>> on 30/08/2012 12:06 Andrey Zonov said the following: >>>> Hi, >>>> >>>> So, I've got the first version of the patch (attached) which fixes=20 >>>> memory locked limit checking and accounting. >>> >>> Andrey, >>> >>> your mlock.patch looks good to me, but I haven't verified pieces unde= r >>> RACCT. Please try to get a review from a person who is knee-deep in t= he >>> VM code like alc or your mentor. >>> >> >> Thanks for review! >> >>> The code should also be sent for vetoing to security@. Not sure if y= ou >>> would get a review there, but absence of nays would be good. >>> >>> When the code is ready to be committed, please remember about=20 >>> memorylocked=3Dunlimited in the default entry of the default login.co= nf. A >>> big warning about it will have to be posted (in UPDATING and >>> current@/stable@ at the very least). >>> >> >> After that amd(8), geli(8) and watchdogd(8) will be broken, because th= ey=20 >> call mlockall(2). ntpd(8) won't, it already raises its RLIMIT_MEMLOCK= =2E I >> will prepare patches for raising limits if there is no other solution.= >=20 > Thanks for working on this. > BTW, I am not sure why those applications would get broken... > We could/should still have memorylocked=3Dunlimited for the 'root' clas= s. > Or is it about something else? >=20 Hmm, I thought that root login class commented out. >>> Thank you very much for doing this work. >>> >>> P.S. It would probably make sense to provide some HTTP home for this= >>> patch as well. >>> >> >> Updated patch is here [1]. >> >> [1] http://people.freebsd.org/~zont/mlock1.patch >> >=20 > Thank you! > One additional thing - we probably should retire PRIV_VM_MLOCK and > PRIV_VM_MUNLOCK. That would include making changes to > sys/i386/ibcs2/ibcs2_misc.c and sys/ofed/drivers/infiniband/core/umem.c= =2E >=20 They are useful for jails as trasz@ mentioned on IRC. > P.S. PRIV_VM_MUNLOCK _privilege_ feels a little bit weird. I wonder wh= at was > the intended use for it (if any)... >=20 So, here is the second version of the patch [1]. [1] http://people.freebsd.org/~zont/mlock2.patch --=20 Andrey Zonov --------------enigEE218ED8847BBCE1EBCDBCD9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJQVhImAAoJEBWLemxX/CvTN0kH/RNV4ZLnUJLNAmiV/ckXP6DV qtkhHOrxIR13FDT73U+Ff47KckAL9JbI4xZ7jBAin7A2Km/X56IKkvUuCCaloL/r vJz62F77O/B+Hh+bPe3Ad6hfym6LKNxbYGLLqHr7f8aRJpGvpHQfZohyJNnviOcz qUD0VNvRbnppcPoNEJ4VUkpgOxV3DoJ9qNFQOSN47ruz+b1iIPnd8ZOl0lybVqVt 0x7MIhvtpl/3rI89PTc4RmqdA71GObFJ8Cmm+sewxARedK+EdP/MwcmzOnCQmrfI FyG4JTlBsYPdq97cklIpEJ09yzkAaayBa8rqC/nuoNs1ANKE+eZ7h8gm3/PKazM= =wjMX -----END PGP SIGNATURE----- --------------enigEE218ED8847BBCE1EBCDBCD9--