Date:      Thu, 31 May 2012 15:23:57 +0300
From:      Andriy Gapon <avg@FreeBSD.org>
To:        Christoph Hellwig <hch@infradead.org>, d@delphij.net, freebsd-arch@FreeBSD.org
Cc:        Eitan Adler <lists@eitanadler.com>, Adrian Chadd <adrian@FreeBSD.org>, Dag-Erling Smørgrav <des@des.no>
Subject:   Re: Allow small amount of memory be mlock()'ed by unprivileged process?
Message-ID:  <4FC762DD.90101@FreeBSD.org>
In-Reply-To: <20120517055425.GA802@infradead.org>
References:  <4FAC3EAB.6050303@delphij.net> <861umkurt8.fsf@ds4.des.no> <CAJ-VmokY%2Bpgcq999NHShbq-3rK3=oeWT2WY7NmTvVdXOHZJhdg@mail.gmail.com> <CAF6rxgmDW21aPJ5Mp6Tbk1z02ivw4UPhSaNEX%2BWiu7O0v13skA@mail.gmail.com> <20120517055425.GA802@infradead.org>

on 17/05/2012 08:54 Christoph Hellwig said the following:
> Linux has added a RLIMIT_MEMLOCK opcode for setrlimit that allows
> controlling the amount of memory users can lock down, with a default
> of a single page for unprivileged processes.

In fact, FreeBSD also has this rlimit and there seems to be full support for it on
both user and kernel sides.
OTOH, PRIV_VM_MLOCK privilege seems to be granted only to the super-user in the
default configuration.  And this privilege kind of defeats the limit.

Perhaps, we should/could kill the privilege and set the limit to a sufficiently
small/safe value for ordinary users?

P.S.
Some MAC code has this comment:
/*
 * Allow VM privileges; it would be nice if these were subject to
 * resource limits.
 */
case PRIV_VM_MADV_PROTECT:
case PRIV_VM_MLOCK:

In the case of PRIV_VM_MLOCK it would be nice if one hand knew what the other is
doing :-)

P.P.S.
I would really like to see RLIMIT_NICE and RLIMIT_RTPRIO in FreeBSD.

-- 
Andriy Gapon
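
An added example, not part of the message above and not FreeBSD project code: a small C probe that reports the RLIMIT_MEMLOCK soft limit and whether a one-page mlock() is refused by the privilege check or by the resource limit. The names `mlock_result`, `classify_mlock_errno` and `probe_mlock` are hypothetical, and the errno mapping is an assumption taken from the mlock(2) manual pages (EPERM for missing privilege, ENOMEM or EAGAIN for a limit).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

enum mlock_result { ML_LOCKED, ML_NO_PRIVILEGE, ML_OVER_LIMIT, ML_OTHER };

/* Map an mlock() errno to the policy that refused the request (assumed mapping). */
enum mlock_result classify_mlock_errno(int err)
{
    switch (err) {
    case 0:      return ML_LOCKED;
    case EPERM:  return ML_NO_PRIVILEGE;  /* privilege check refused the call */
    case ENOMEM:                          /* per-process limit exceeded */
    case EAGAIN: return ML_OVER_LIMIT;    /* system-wide limit exceeded */
    default:     return ML_OTHER;
    }
}

/* Try to lock npages of page-aligned heap memory, then release it again. */
enum mlock_result probe_mlock(size_t npages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), len = npages * page;
    void *p = aligned_alloc(page, len);
    if (p == NULL)
        return ML_OTHER;
    int err = (mlock(p, len) == 0) ? 0 : errno;
    if (err == 0) {
        memset(p, 0, len);  /* stand-in for wiping a secret before unlocking */
        munlock(p, len);
    }
    free(p);
    return classify_mlock_errno(err);
}

int main(void)
{
    static const char *names[] = { "locked", "refused: privilege (EPERM)",
                                   "refused: resource limit", "refused: other" };
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) { perror("getrlimit"); return 1; }
    if (rl.rlim_cur == RLIM_INFINITY) printf("RLIMIT_MEMLOCK soft: unlimited\n");
    else printf("RLIMIT_MEMLOCK soft: %llu bytes\n", (unsigned long long)rl.rlim_cur);
    printf("mlock of 1 page: %s\n", names[probe_mlock(1)]);
    return 0;
}
```

Run it as an ordinary user and as root to see which of the two checks decides the outcome on a given system.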
