From owner-freebsd-current@freebsd.org  Thu Feb  2 01:31:38 2017
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A8A67CCCBE1
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Thu,  2 Feb 2017 01:31:38 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com
 [IPv6:2a00:1450:400c:c09::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3F330AB4
 for <freebsd-current@freebsd.org>; Thu,  2 Feb 2017 01:31:38 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: by mail-wm0-x22a.google.com with SMTP id b65so67004290wmf.0
 for <freebsd-current@freebsd.org>; Wed, 01 Feb 2017 17:31:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=inHQTkb4FQfV/R5KbZNrrgDqlEvYU+KETepBtclNQkk=;
 b=Y8ygKeXly/WxCUYJ/WkvA0pWfoSkh2yI4Qn3t53F+Wjv+zJEuONiVQvtcQvzeVoYrS
 NBQr+MhToRAoddWjnxFsk7JkuVOP88kgyw3p1Vi1NMw3pJqj0+6+zVNt2O22TsAiQKuA
 eDlFZLK0SITspNkgkb/H12nCwiORQB4tInCb9NQlzBPiFiLhLeSWok9rCg4LInEp2bU+
 ihdnsiM4fxq2zY0nvVNZiU6cHOMMKxfhIF8LtK73Irh/R21DNAw1Z+80vyMt3bCTScTw
 b26zEfP+gaU1PSaZLcqjY7zjb+oxHZBYUmdloctMye0IcC+X1oKvphaJCxMp5fXiDFnE
 o/iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=inHQTkb4FQfV/R5KbZNrrgDqlEvYU+KETepBtclNQkk=;
 b=izmMngE5yBZj1+Hi5wYg6pcNpYBCSqcj39PagWhcXmWpFdvemE+1c4d3ocN3jhXO1n
 b1OEhlWDaW2kR4crkGakmf79Om0txl1Mzj+kC6kMfimTNQKULi/mI/LAwKS1rDzrMDyt
 xPFYH7OqyYfXHdgjSVFxyKyqs5GmrVthbTqVoq2abtFSQhwWOEnYuW5SMUi1YgBttOkR
 Fm5ip8dub9W5BlSSpcAIJbJ7A50YZU6RLa5TfZhNMr0i53RwjTQkzqgjV28LebAYHFz5
 JxTbGXGYb8ZMkUWDRjLwIe80opkR5vorY5driViAIEnfs7mulyxUAZimyQhdxJeFs2/S
 L1wg==
X-Gm-Message-State: AIkVDXI3tdIR6sA1Ml7+9nPuMDpYMA2cD70Ffc43wkOT7H7FKafFOKOR/+HxJpOGTFT6KR9vFr7+thvonjNX0w==
X-Received: by 10.223.151.99 with SMTP id r90mr4872588wrb.183.1485999096543;
 Wed, 01 Feb 2017 17:31:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.145.133 with HTTP; Wed, 1 Feb 2017 17:31:35 -0800 (PST)
In-Reply-To: <SN1PR16MB0640DDC0DACEF22A63E7467FC64D0@SN1PR16MB0640.namprd16.prod.outlook.com>
References: <SN1PR16MB0640DDC0DACEF22A63E7467FC64D0@SN1PR16MB0640.namprd16.prod.outlook.com>
From: Xin LI <delphij@gmail.com>
Date: Wed, 1 Feb 2017 17:31:35 -0800
Message-ID: <CAGMYy3s1izaqZaFrq6Ycxr7KFq_wQEPTo=wMpObRVPbxkttJQg@mail.gmail.com>
Subject: Re: mlock and jail
To: =?UTF-8?B?QnJ1bm8gTGF1esOp?= <brunolauze@msn.com>
Cc: freebsd-current <freebsd-current@freebsd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2017 01:31:38 -0000

I like this idea.

Note that potentially your patch would make it possible for a jailed
root to DoS the whole system by locking too much of pages in memory.
I think it would be sensible to provide a per-jail flag to enable
doing it, or better, have some finer grained control (e.g. per jail
quota of permitted locked pages).

Why did the application want to lock pages in main memory, though?

On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauz=C3=A9 <brunolauze@msn.com> wrote=
:
>
> I would like to ask if there is a reason I would have to applythe  patch =
below to make an application work in a jail.
> And who's bad? the app too intrusive or the bsd not flexible enough (allo=
w.mlock?)
>
>
> Index: sys/kern/kern_jail.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- sys/kern/kern_jail.c        (revision 313033)
> +++ sys/kern/kern_jail.c        (working copy)
> @@ -3340,6 +3340,11 @@
>         case PRIV_PROC_SETLOGINCLASS:
>                 return (0);
>
>
> +        case PRIV_VM_MADV_PROTECT:
> +        case PRIV_VM_MLOCK:
> +        case PRIV_VM_MUNLOCK:
> +                return (0);
> +
>         default:
>
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org=
"