2017-02-02 4:31 GMT+03:00 Xin LI <delphij_at_gmail.com>: > I like this idea. > > Note that potentially your patch would make it possible for a jailed > root to DoS the whole system by locking too much of pages in memory. > I think it would be sensible to provide a per-jail flag to enable > doing it, or better, have some finer grained control (e.g. per jail > quota of permitted locked pages). > > Why did the application want to lock pages in main memory, though? For example, this secret management tool https://www.vaultproject.io/docs/config/ wants to lock memory for security (surprise) reason. It's available as security/vault in our ports tree. > > On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunolauze_at_msn.com> wrote: >> >> I would like to ask if there is a reason I would have to applythe patch below to make an application work in a jail. >> And who's bad? the app too intrusive or the bsd not flexible enough (allow.mlock?) >> >> >> Index: sys/kern/kern_jail.c >> =================================================================== >> --- sys/kern/kern_jail.c (revision 313033) >> +++ sys/kern/kern_jail.c (working copy) >> _at__at_ -3340,6 +3340,11 _at__at_ >> case PRIV_PROC_SETLOGINCLASS: >> return (0); >> >> >> + case PRIV_VM_MADV_PROTECT: >> + case PRIV_VM_MLOCK: >> + case PRIV_VM_MUNLOCK: >> + return (0); >> + >> default: >> >> >> _______________________________________________Received on Thu Feb 02 2017 - 14:54:30 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:10 UTC