Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 2 Feb 2017 18:54:28 +0300
From:      Pavel Timofeev <timp87@gmail.com>
To:        Xin LI <delphij@gmail.com>
Cc:        =?UTF-8?B?QnJ1bm8gTGF1esOp?= <brunolauze@msn.com>,  freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: mlock and jail
Message-ID:  <CAAoTqfszta3Jj0nW3yN2SXG1seNibhYAs2NGEy6=652EOY2j0w@mail.gmail.com>
In-Reply-To: <CAGMYy3s1izaqZaFrq6Ycxr7KFq_wQEPTo=wMpObRVPbxkttJQg@mail.gmail.com>
References:  <SN1PR16MB0640DDC0DACEF22A63E7467FC64D0@SN1PR16MB0640.namprd16.prod.outlook.com> <CAGMYy3s1izaqZaFrq6Ycxr7KFq_wQEPTo=wMpObRVPbxkttJQg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
2017-02-02 4:31 GMT+03:00 Xin LI <delphij@gmail.com>:
> I like this idea.
>
> Note that potentially your patch would make it possible for a jailed
> root to DoS the whole system by locking too much of pages in memory.
> I think it would be sensible to provide a per-jail flag to enable
> doing it, or better, have some finer grained control (e.g. per jail
> quota of permitted locked pages).
>
> Why did the application want to lock pages in main memory, though?

For example, this secret management tool
https://www.vaultproject.io/docs/config/ wants to lock memory for
security (surprise) reason.
It's available as security/vault in our ports tree.

>
> On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauz=C3=A9 <brunolauze@msn.com> wro=
te:
>>
>> I would like to ask if there is a reason I would have to applythe  patch=
 below to make an application work in a jail.
>> And who's bad? the app too intrusive or the bsd not flexible enough (all=
ow.mlock?)
>>
>>
>> Index: sys/kern/kern_jail.c
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> --- sys/kern/kern_jail.c        (revision 313033)
>> +++ sys/kern/kern_jail.c        (working copy)
>> @@ -3340,6 +3340,11 @@
>>         case PRIV_PROC_SETLOGINCLASS:
>>                 return (0);
>>
>>
>> +        case PRIV_VM_MADV_PROTECT:
>> +        case PRIV_VM_MLOCK:
>> +        case PRIV_VM_MUNLOCK:
>> +                return (0);
>> +
>>         default:
>>
>>
>> _______________________________________________

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAoTqfszta3Jj0nW3yN2SXG1seNibhYAs2NGEy6=652EOY2j0w>