Date: Thu, 2 Feb 2017 18:54:28 +0300 From: Pavel Timofeev <timp87@gmail.com> To: Xin LI <delphij@gmail.com> Cc: =?UTF-8?B?QnJ1bm8gTGF1esOp?= <brunolauze@msn.com>, freebsd-current <freebsd-current@freebsd.org> Subject: Re: mlock and jail Message-ID: <CAAoTqfszta3Jj0nW3yN2SXG1seNibhYAs2NGEy6=652EOY2j0w@mail.gmail.com> In-Reply-To: <CAGMYy3s1izaqZaFrq6Ycxr7KFq_wQEPTo=wMpObRVPbxkttJQg@mail.gmail.com> References: <SN1PR16MB0640DDC0DACEF22A63E7467FC64D0@SN1PR16MB0640.namprd16.prod.outlook.com> <CAGMYy3s1izaqZaFrq6Ycxr7KFq_wQEPTo=wMpObRVPbxkttJQg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
2017-02-02 4:31 GMT+03:00 Xin LI <delphij@gmail.com>: > I like this idea. > > Note that potentially your patch would make it possible for a jailed > root to DoS the whole system by locking too much of pages in memory. > I think it would be sensible to provide a per-jail flag to enable > doing it, or better, have some finer grained control (e.g. per jail > quota of permitted locked pages). > > Why did the application want to lock pages in main memory, though? For example, this secret management tool https://www.vaultproject.io/docs/config/ wants to lock memory for security (surprise) reason. It's available as security/vault in our ports tree. > > On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauz=C3=A9 <brunolauze@msn.com> wro= te: >> >> I would like to ask if there is a reason I would have to applythe patch= below to make an application work in a jail. >> And who's bad? the app too intrusive or the bsd not flexible enough (all= ow.mlock?) >> >> >> Index: sys/kern/kern_jail.c >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >> --- sys/kern/kern_jail.c (revision 313033) >> +++ sys/kern/kern_jail.c (working copy) >> @@ -3340,6 +3340,11 @@ >> case PRIV_PROC_SETLOGINCLASS: >> return (0); >> >> >> + case PRIV_VM_MADV_PROTECT: >> + case PRIV_VM_MLOCK: >> + case PRIV_VM_MUNLOCK: >> + return (0); >> + >> default: >> >> >> _______________________________________________
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAoTqfszta3Jj0nW3yN2SXG1seNibhYAs2NGEy6=652EOY2j0w>