Date: Sat, 12 Apr 2008 16:41:05 -0400 From: Coleman Kane <cokane@FreeBSD.org> To: David Schultz <das@FreeBSD.ORG> Cc: mezz7@cox.net, Joe Marcus Clarke <marcus@FreeBSD.ORG>, imp@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: mlock(2), unprivileged users, and RLIMIT_MEMLOCK Message-ID: <1208032865.1424.9.camel@localhost> In-Reply-To: <20080412195505.GA36208@zim.MIT.EDU> References: <1208027381.1327.31.camel@localhost> <1208028217.82222.32.camel@shumai.marcuscom.com> <20080412195505.GA36208@zim.MIT.EDU>
next in thread | previous in thread | raw e-mail | index | archive | help
--=-BAw17Tz5ry9Tg5u3O+Qa
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Sat, 2008-04-12 at 15:55 -0400, David Schultz wrote:
> On Sat, Apr 12, 2008, Joe Marcus Clarke wrote:
> > On Sat, 2008-04-12 at 15:09 -0400, Coleman Kane wrote:
> > > Hello,
> > >=20
> > > Recently we've been having a discussion on the GNOME list about fixin=
g
> > > the seahorse breakage introduced with the latest GNOME 2.22, rooted i=
n
> > > the fact that FreeBSD's mlock(2) implementation is only usable if you
> > > have superuser privileges. Due to bugs in seahorse, the lack of mlock=
(2)
> > > causes many seahorse applications to die. I've posted a suggested pat=
ch
> > > to=20
> [...]
> > > As a third idea, we could leave the per-process limit (to abide by
> > > historical documentation), but also add a sysctl that enforces a
> > > system-wide "max mlock pages" which can be tested by the mlock(2)
> > > syscall, refusing to mlock(2) more memory if the limit is hit.
> >=20
> > I think this already exists in -CURRENT: vm.max_wired ("System-wide
> > limit to wired page count"). This is tested by mlock(2) in addition to
> > RLIMIT_MEMLOCK.
>=20
> First of all, many other operating systems such as Solaris also
> restrict mlock(2) to the superuser, so this is a bug in seahorse.
>=20
> That said, it seems like allowing ordinary users to mlock(2) small
> amounts of memory (e.g., vm_page_max_wired / 4 across all
> non-superuser processes by default) would fix your problem and be
> easy to implement. Of course, per-user or per-process limits
> would be more flexible, but how many people really have lots of
> users who are trying to abuse the system?
>=20
I did some math and came up with the following per-user limit on my
system. Using the default install, my maxproc is set to 5547:
max_secure_mem =3D max_proc * memorylocked =3D 5547 * 16384 =3D 90882048=
=3D
about 87MB
So, under my operating conditions (2GB System RAM), a user's maximum DoS
attempt would be capped at 87MB... which doesn't seem as serious
anymore. This is using the 16K memorylocked value that gnome-keyring &
friends seem to work fine with.
--
Coleman Kane
--=-BAw17Tz5ry9Tg5u3O+Qa
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)
iEYEABECAAYFAkgBHlwACgkQcMSxQcXat5e6+gCeMpgeag0LznFwbRtUxA8UPYvJ
06QAn28SrMypfYIhhraZEQewN3C/gGF1
=xNh1
-----END PGP SIGNATURE-----
--=-BAw17Tz5ry9Tg5u3O+Qa--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1208032865.1424.9.camel>