From owner-freebsd-gnome@FreeBSD.ORG Sat Apr 12 18:29:27 2008
From: Coleman Kane
To: Jeremy Messenger
Organization: FreeBSD Project
Date: Sat, 12 Apr 2008 14:28:54 -0400
Message-Id: <1208024934.1327.9.camel@localhost>
References: <47FD09AC.2020907@FreeBSD.org> <1207776230.61729.28.camel@shumai.marcuscom.com> <47FD34E8.2000005@FreeBSD.org> <1207807915.61729.40.camel@shumai.marcuscom.com> <1208022563.82222.22.camel@shumai.marcuscom.com>
Cc: gnome@freebsd.org
Subject: Re: Seahorse issues
List-Id: GNOME for FreeBSD -- porting and maintaining

On Sat, 2008-04-12 at 13:19 -0500, Jeremy Messenger wrote:
> On Sat, 12 Apr 2008 12:49:23 -0500, Joe Marcus Clarke wrote:
>
> > On Sat, 2008-04-12 at 12:42 -0500, Jeremy Messenger wrote:
> >> On Thu, 10 Apr 2008 01:11:55 -0500, Joe Marcus Clarke wrote:
> >>
> >> > The problem is the fact that FreeBSD's mlock() requires setuid
> >> > privileges, and thus seahorse cannot allocate secure memory. The
> >>
> >> Yesterday, I found archives about mlock() in freebsd-arch@.
> >>
> >> http://lists.freebsd.org/pipermail/freebsd-arch/2006-July/005496.html
> >
> > Yes, this thread talks about the problem exactly. The patch I just sent
> > out attempts to address this concern using a user-settable sysctl.
> > Peter is suggesting this be handled automatically by setting a
> > reasonable default limit on RLIMIT_MEMLOCK.
>
> Yeah, and even rwatson liked his suggestion. I like the automatic one
> better, but a tweak in sysctl is fine with me too. Some hardcore users
> probably prefer sysctl to the automatic one.
>
> >> It leads to:
> >>
> >> http://people.freebsd.org/~kib/overcommit/index.html
> >>
> >> I am not sure if it's useful for this issue.
> >
> > This doesn't look like it will help this issue. This is dealing with
> > overcommitting swap.
>
> It's what I thought so.
>
> Cheers,
> Mezz
>
> > Joe
>

If we could turn this into a per-user, system-wide value, I think that
would be the best approach. However, this probably ends up violating the
canonical meaning of RLIMIT_MEMLOCK (if there is even a standard
set-in-stone meaning for it).

I am curious if we could use something like the MAC facility to provide
a method for preventing mlock() access to some non-root users, while
providing it to others.

--
Coleman Kane
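The check an application like seahorse needs before relying on locked secure memory, as an added example that is not code from this thread or from seahorse: it tells apart an mlock() refused outright with EPERM (the non-root FreeBSD behaviour the thread describes) from one that merely exhausted RLIMIT_MEMLOCK (ENOMEM), reports the soft limit, and falls back to an unlocked buffer instead of failing. The function and enum names are my own.

```c
#define _DEFAULT_SOURCE 1 /* feature macro for posix_memalign() on glibc */
#include <errno.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Why a buffer meant for key material could not be pinned in RAM. */
enum lock_status { LOCK_OK = 0, LOCK_EPERM, LOCK_ENOMEM, LOCK_OTHER };

/* EPERM: the kernel refuses mlock() to this user outright (the non-root
 * FreeBSD case in the thread). ENOMEM: locking is allowed, but the
 * RLIMIT_MEMLOCK budget is exhausted. The two call for different advice. */
enum lock_status classify_mlock_errno(int err)
{
    if (err == 0) return LOCK_OK;
    if (err == EPERM) return LOCK_EPERM;
    if (err == ENOMEM) return LOCK_ENOMEM;
    return LOCK_OTHER;
}

/* Soft RLIMIT_MEMLOCK in bytes: -1 on error, -2 when unlimited. */
long memlock_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return -1;
    return rl.rlim_cur == RLIM_INFINITY ? -2 : (long)rl.rlim_cur;
}

/* Allocate whole pages for len bytes and try to pin them so they are never
 * swapped out. A refused mlock() is reported through *status rather than
 * treated as fatal, so the application can warn instead of refusing to run. */
void *secure_alloc(size_t len, enum lock_status *status)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), n = (len + page - 1) / page * page;
    void *p = NULL;
    if (posix_memalign(&p, page, n) != 0) return NULL;
    *status = mlock(p, n) == 0 ? LOCK_OK : classify_mlock_errno(errno);
    return p;
}

/* Wipe (volatile, so the zeroing survives optimisation), unlock, release. */
void secure_free(void *p, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), n = (len + page - 1) / page * page;
    volatile unsigned char *v = p;
    for (size_t i = 0; i < n; i++) v[i] = 0;
    munlock(p, n); /* harmless when the lock never succeeded */
    free(p);
}
```

Which status comes back for an unprivileged user is exactly the policy question the thread is about: a sysctl or a default RLIMIT_MEMLOCK changes EPERM into either LOCK_OK or ENOMEM.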