mlock and jail

Pavel Timofeev timp87 at gmail.com
Thu Feb 2 15:54:30 UTC 2017


2017-02-02 4:31 GMT+03:00 Xin LI <delphij at gmail.com>:
> I like this idea.
>
> Note that potentially your patch would make it possible for a jailed
> root to DoS the whole system by locking too much of pages in memory.
> I think it would be sensible to provide a per-jail flag to enable
> doing it, or better, have some finer grained control (e.g. per jail
> quota of permitted locked pages).
>
> Why did the application want to lock pages in main memory, though?

For example, this secret management tool
https://www.vaultproject.io/docs/config/ wants to lock memory for
security (surprise) reason.
It's available as security/vault in our ports tree.

>
> On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunolauze at msn.com> wrote:
>>
>> I would like to ask if there is a reason I would have to applythe  patch below to make an application work in a jail.
>> And who's bad? the app too intrusive or the bsd not flexible enough (allow.mlock?)
>>
>>
>> Index: sys/kern/kern_jail.c
>> ===================================================================
>> --- sys/kern/kern_jail.c        (revision 313033)
>> +++ sys/kern/kern_jail.c        (working copy)
>> @@ -3340,6 +3340,11 @@
>>         case PRIV_PROC_SETLOGINCLASS:
>>                 return (0);
>>
>>
>> +        case PRIV_VM_MADV_PROTECT:
>> +        case PRIV_VM_MLOCK:
>> +        case PRIV_VM_MUNLOCK:
>> +                return (0);
>> +
>>         default:
>>
>>
>> _______________________________________________


More information about the freebsd-current mailing list