mlock and jail
Xin LI
delphij at gmail.com
Thu Feb 2 01:31:38 UTC 2017

I like this idea.

Note that potentially your patch would make it possible for a jailed
root to DoS the whole system by locking too many pages in memory.
I think it would be sensible to provide a per-jail flag to enable
doing it, or better, have some finer grained control (e.g. per jail
quota of permitted locked pages).

Why did the application want to lock pages in main memory, though?

On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunolauze at msn.com> wrote:
>
> I would like to ask if there is a reason I would have to apply the patch below to make an application work in a jail.
> And who's bad? The app too intrusive or the bsd not flexible enough (allow.mlock?)
>
>
> Index: sys/kern/kern_jail.c
> ===================================================================
> --- sys/kern/kern_jail.c (revision 313033)
> +++ sys/kern/kern_jail.c (working copy)
> @@ -3340,6 +3340,11 @@
> case PRIV_PROC_SETLOGINCLASS:
> return (0);
>
>
> + case PRIV_VM_MADV_PROTECT:
> + case PRIV_VM_MLOCK:
> + case PRIV_VM_MUNLOCK:
> + return (0);
> +
> default:
>
>
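
Review bot: the added `PRIV_VM_MADV_PROTECT`, `PRIV_VM_MLOCK` and `PRIV_VM_MUNLOCK` cases end in an unconditional `return (0);`, so root in every jail is granted all three privileges with no opt-in by the host administrator. Make that `return (0);` conditional on a per-jail permission (the message itself floats the name `allow.mlock`) and deny otherwise, so jails that have not enabled it behave as before. `PRIV_VM_MADV_PROTECT` is grouped with the two locking privileges although the message only talks about mlock; give it its own case with its own justification or leave it out of this change. The new cases also carry no comment saying why they are considered safe inside a jail.
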
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"