memory locking in a jail?

Robert Watson rwatson at freebsd.org
Mon Nov 17 09:03:27 PST 2003


On Sat, 15 Nov 2003, Marc G. Fournier wrote:

> With gpg setuid root, I'm getting the following 'insecure memory' issue
> when running inside of a jail: 
> 
> gpg: WARNING: using insecure memory! 
> 
> from the FAQ, it has to do with memory locking ... is this something
> that can't be done inside of a jail?  Or just an issue with jail in 4.x? 

FreeBSD requires privilege to lock pages in memory; right now, that
privilege check does not allow mlock() to be used in a jail.  You can
modify that privilege check locally to permit privileged users in jail()
to use mlock() by editing vm_mmap.c to pass the PRISON_ROOT flag into
suser_cred() or suser_xxx(), depending on whether you're using -CURRENT or
-STABLE.

There's #ifdef'd out code that permits locking of memory for unprivileged
processes based on a resource limit, but I'm not sufficiently familiar
with the history of that to comment on why it's commented out. Locked
memory is a very precious resource, though, so any reduction of the
privilege level necessary to lock memory needs to be thought through very
carefully, and in the context of any past history of the issue. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
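
A probe to run inside the jail after changing the privilege check, to see whether mlock() is still refused on privilege grounds (EPERM) or fails on a locked-memory limit instead. This is an added example, not part of the original message and not FreeBSD or GnuPG code; the function and enum names are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names, introduced for this example only. */
enum lock_status { LOCK_OK, LOCK_DENIED, LOCK_LIMIT, LOCK_OTHER };

/* Map an mlock() errno to a cause. EPERM means the privilege check refused
 * the caller; ENOMEM/EAGAIN mean a locked-memory limit or shortage. */
enum lock_status classify_mlock_errno(int err)
{
    if (err == 0) return LOCK_OK;
    if (err == EPERM) return LOCK_DENIED;
    if (err == ENOMEM || err == EAGAIN) return LOCK_LIMIT;
    return LOCK_OTHER;
}

/* Try to lock one page, as a program holding key material would.
 * Returns 0 on success, otherwise the errno reported by mlock(). */
int probe_mlock(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return EINVAL;
    size_t len = (size_t)pagesz;
    unsigned char *raw = malloc(2 * len);   /* room to page-align inside */
    if (raw == NULL) return ENOMEM;
    void *page = (void *)(((uintptr_t)raw + len - 1) & ~((uintptr_t)len - 1));
    int err = 0;
    if (mlock(page, len) != 0)
        err = errno;                        /* capture before other calls */
    else
        munlock(page, len);
    free(raw);
    return err;
}

int main(void)
{
    static const char *why[] = { "mlock permitted", "denied: privilege check",
                                 "denied: locked-memory limit", "failed: other" };
    int err = probe_mlock();
    printf("%s (errno %d)\n", why[classify_mlock_errno(err)], err);
    return err == 0 ? 0 : 1;
}
```

Run it as the same user and in the same jail as the setuid gpg binary, since the result depends on the caller's credentials.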



More information about the freebsd-stable mailing list