Re: mlock and jail

From: Pavel Timofeev <timp87_at_gmail.com>
Date: Thu, 2 Feb 2017 18:54:28 +0300
2017-02-02 4:31 GMT+03:00 Xin LI <delphij_at_gmail.com>:
> I like this idea.
>
> Note that potentially your patch would make it possible for a jailed
> root to DoS the whole system by locking too many pages in memory.
> I think it would be sensible to provide a per-jail flag to enable
> doing it, or better, have some finer grained control (e.g. per jail
> quota of permitted locked pages).
>
> Why did the application want to lock pages in main memory, though?

For example, this secret management tool
https://www.vaultproject.io/docs/config/ wants to lock memory for
security (surprise) reasons.
It's available as security/vault in our ports tree.

>
> On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunolauze_at_msn.com> wrote:
>>
>> I would like to ask if there is a reason I would have to apply the patch below to make an application work in a jail.
>> And who's bad? The app too intrusive or the BSD not flexible enough (allow.mlock?)
>>
>>
>> Index: sys/kern/kern_jail.c
>> ===================================================================
>> --- sys/kern/kern_jail.c        (revision 313033)
>> +++ sys/kern/kern_jail.c        (working copy)
>> _at__at_ -3340,6 +3340,11 _at__at_
>>         case PRIV_PROC_SETLOGINCLASS:
>>                 return (0);
>>
>>
>> +        case PRIV_VM_MADV_PROTECT:
>> +        case PRIV_VM_MLOCK:
>> +        case PRIV_VM_MUNLOCK:
>> +                return (0);
>> +
>>         default:
>>
>>
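
Review bot: the three cases added before `default:` return 0 unconditionally, so root in every jail gets PRIV_VM_MLOCK and PRIV_VM_MUNLOCK with no per-jail opt-in and no bound on how much it may lock. Gate the return on a per-jail permission (the `allow.mlock` floated in the message would be the natural name) so that the default stays deny. PRIV_VM_MADV_PROTECT is granted in the same group although the message only talks about mlock; drop it from this hunk or justify it separately, and add a comment above the cases saying why they are safe to allow inside a jail.
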
Received on Thu Feb 02 2017 - 14:54:30 UTC
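
The application side of this thread, as an added example (not code from Vault, from the patch, or from any poster): a C program that tries to pin a secret buffer with mlock(2), classifies the failure, and wipes the buffer if it cannot be pinned. The function names are hypothetical, the secret is constructed sample data, and treating a jail's refusal as EPERM is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Outcome of a lock attempt, from the caller's point of view. */
enum lock_verdict { LOCK_OK, LOCK_DENIED, LOCK_OVER_LIMIT, LOCK_OTHER };

/* Map an mlock(2) errno to a verdict (0 means the call succeeded). */
enum lock_verdict classify_mlock_errno(int err)
{
    switch (err) {
    case 0:      return LOCK_OK;
    case EPERM:  return LOCK_DENIED;     /* privilege refused (assumed jail case) */
    case ENOMEM:                         /* e.g. over the per-process limit */
    case EAGAIN: return LOCK_OVER_LIMIT; /* e.g. over the system-wide limit */
    default:     return LOCK_OTHER;
    }
}

/* Does len fit within the RLIMIT_MEMLOCK soft limit of this process? */
int fits_memlock_limit(size_t len)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return 0;
    return rl.rlim_cur == RLIM_INFINITY || (rlim_t)len <= rl.rlim_cur;
}

/* Pin buf in RAM; if that fails, zero it so no swappable copy is kept. */
enum lock_verdict lock_secret_or_wipe(void *buf, size_t len)
{
    enum lock_verdict v = classify_mlock_errno(mlock(buf, len) == 0 ? 0 : errno);
    if (v != LOCK_OK) {
        volatile unsigned char *p = buf; /* volatile: keep the wipe from being elided */
        for (size_t i = 0; i < len; i++)
            p[i] = 0;
    }
    return v;
}

int main(void)
{
    static unsigned char secret[4096];   /* constructed sample secret */
    memset(secret, 0xA5, sizeof secret);
    enum lock_verdict v = lock_secret_or_wipe(secret, sizeof secret);
    printf("verdict=%d fits_limit=%d\n", (int)v, fits_memlock_limit(sizeof secret));
    return v == LOCK_OK ? 0 : 1;
}
```

A verdict of LOCK_DENIED points at policy (the privilege check), while LOCK_OVER_LIMIT points at a quota, which is the distinction the per-jail flag versus per-jail quota discussion above turns on.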