FreeBSD Mail Archives

Date:      Tue, 18 Dec 2012 07:36:45 +0000 (UTC)
From:      Andrey Zonov <zont@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r244385 - head/sys/kern
Message-ID:  <201212180736.qBI7aj4K086137@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: zont
Date: Tue Dec 18 07:36:45 2012
New Revision: 244385
URL: http://svnweb.freebsd.org/changeset/base/244385

Log:
  - Add sysctl to allow unprivileged users to call mlock(2)-family system
    calls and turn it on.
  - Do not allow to call them inside jail. [1]
  
  Pointed out by:	trasz [1]
  Reviewed by:	avg
  Approved by:	kib (mentor)
  MFC after:	1 week

Modified:
  head/sys/kern/kern_priv.c

Modified: head/sys/kern/kern_priv.c
==============================================================================
--- head/sys/kern/kern_priv.c	Tue Dec 18 07:35:01 2012	(r244384)
+++ head/sys/kern/kern_priv.c	Tue Dec 18 07:36:45 2012	(r244385)
@@ -59,6 +59,11 @@ SYSCTL_INT(_security_bsd, OID_AUTO, suse
     &suser_enabled, 0, "processes with uid 0 have privilege");
 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
 
+static int	unprivileged_mlock = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RW|CTLFLAG_TUN,
+    &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
+TUNABLE_INT("security.bsd.unprivileged_mlock", &unprivileged_mlock);
+
 SDT_PROVIDER_DEFINE(priv);
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_ok, priv-ok, "int");
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_err, priv-err, "int");
@@ -93,6 +98,19 @@ priv_check_cred(struct ucred *cred, int 
 	if (error)
 		goto out;
 
+	if (unprivileged_mlock) {
+		/*
+		 * Allow unprivileged users to call mlock(2)/munlock(2) and
+		 * mlockall(2)/munlockall(2).
+		 */
+		switch (priv) {
+			case PRIV_VM_MLOCK:
+			case PRIV_VM_MUNLOCK:
+				error = 0;
+				goto out;
+		}
+	}
+
 	/*
 	 * Having determined if privilege is restricted by various policies,
 	 * now determine if privilege is granted.  At this point, any policy

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201212180736.qBI7aj4K086137>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation