Allow small amount of memory be mlock()'ed by unprivileged process?

Andriy Gapon avg at FreeBSD.org
Thu May 31 12:24:25 UTC 2012


on 17/05/2012 08:54 Christoph Hellwig said the following:
> Linux has added a RLIMIT_MEMLOCK opcode for setrlimit that allows
> controlling the amount of memory users can lock down, with a default
> of a single page for unprivileged processes.

In fact, FreeBSD also has this rlimit and there seems to be full support for it on
both user and kernel sides.
OTOH, PRIV_VM_MLOCK privilege seems to be granted only to the super-user in the
default configuration.  And this privilege kind of defeats the limit.

Perhaps, we should/could kill the privilege and set the limit to a sufficiently
small/safe value for ordinary users?

P.S.
Some MAC code has this comment:
/*
 * Allow VM privileges; it would be nice if these were subject to
 * resource limits.
 */
case PRIV_VM_MADV_PROTECT:
case PRIV_VM_MLOCK:

In the case of PRIV_VM_MLOCK it would be nice if one hand knew what the other is
doing :-)

P.P.S.
I would really like to see RLIMIT_NICE and RLIMIT_RTPRIO in FreeBSD.

-- 
Andriy Gapon


More information about the freebsd-arch mailing list