[patch] unprivileged mlock(2)

Andrey Zonov zont at FreeBSD.org
Sun Sep 16 17:53:47 UTC 2012 

On 9/5/12 10:44 AM, Andriy Gapon wrote:
> on 04/09/2012 22:17 Andrey Zonov said the following:
>> On 9/4/12 8:45 PM, Andriy Gapon wrote:
>>> on 30/08/2012 12:06 Andrey Zonov said the following:
>>>> Hi,
>>>>
>>>> So, I've got the first version of the patch (attached) which fixes 
>>>> memory locked limit checking and accounting.
>>>
>>> Andrey,
>>>
>>> your mlock.patch looks good to me, but I haven't verified pieces under
>>> RACCT. Please try to get a review from a person who is knee-deep in the
>>> VM code like alc or your mentor.
>>>
>>
>> Thanks for review!
>>
>>> The code should also be sent for vetoing to security at .  Not sure if you
>>> would get a review there, but absence of nays would be good.
>>>
>>> When the code is ready to be committed, please remember about 
>>> memorylocked=unlimited in the default entry of the default login.conf.  A
>>> big warning about it will have to be posted (in UPDATING and
>>> current@/stable@ at the very least).
>>>
>>
>> After that amd(8), geli(8) and watchdogd(8) will be broken, because they 
>> call mlockall(2).  ntpd(8) won't, it already raises its RLIMIT_MEMLOCK. I
>> will prepare patches for raising limits if there is no other solution.
> 
> Thanks for working on this.
> BTW, I am not sure why those applications would get broken...
> We could/should still have memorylocked=unlimited for the 'root' class.
> Or is it about something else?
> 

Hmm, I thought that root login class commented out.

>>> Thank you very much for doing this work.
>>>
>>> P.S.  It would probably make sense to provide some HTTP home for this
>>> patch as well.
>>>
>>
>> Updated patch is here [1].
>>
>> [1] http://people.freebsd.org/~zont/mlock1.patch
>>
> 
> Thank you!
> One additional thing - we probably should retire PRIV_VM_MLOCK and
> PRIV_VM_MUNLOCK.  That would include making changes to
> sys/i386/ibcs2/ibcs2_misc.c and sys/ofed/drivers/infiniband/core/umem.c.
> 

They are useful for jails as trasz@ mentioned on IRC.

> P.S. PRIV_VM_MUNLOCK _privilege_ feels a little bit weird.  I wonder what was
> the intended use for it (if any)...
> 

So, here is the second version of the patch [1].

[1] http://people.freebsd.org/~zont/mlock2.patch

-- 
Andrey Zonov

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 535 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20120916/2e5e217d/signature.pgp

More information about the freebsd-arch mailing list