svn commit: r336868 - in head: sys/kern sys/sys usr.sbin/jail

Antoine Brodin antoine at FreeBSD.org
Sun Jul 29 12:41:57 UTC 2018


Author: antoine
Date: Sun Jul 29 12:41:56 2018
New Revision: 336868
URL: https://svnweb.freebsd.org/changeset/base/336868

Log:
  Add allow.mlock to jail parameters
  It allows locking or unlocking physical pages in memory within a jail
  
  This allows running elasticsearch with "bootstrap.memory_lock" inside a jail
  
  Reviewed by:	jamie@
  Differential Revision:	https://reviews.freebsd.org/D16342

Modified:
  head/sys/kern/kern_jail.c
  head/sys/sys/jail.h
  head/usr.sbin/jail/jail.8

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c	Sun Jul 29 08:43:08 2018	(r336867)
+++ head/sys/kern/kern_jail.c	Sun Jul 29 12:41:56 2018	(r336868)
@@ -190,6 +190,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = 
 	{"allow.mount", "allow.nomount", PR_ALLOW_MOUNT},
 	{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS},
 	{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF},
+	{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK},
 	{"allow.reserved_ports", "allow.noreserved_ports",
 	 PR_ALLOW_RESERVED_PORTS},
 };
@@ -3293,6 +3294,17 @@ prison_priv_check(struct ucred *cred, int priv)
 			return (EPERM);
 
 		/*
+		 * Conditionnaly allow locking (unlocking) physical pages
+		 * in memory.
+		 */
+	case PRIV_VM_MLOCK:
+	case PRIV_VM_MUNLOCK:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
 		 * Conditionally allow jailed root to bind reserved ports.
 		 */
 	case PRIV_NETINET_RESERVEDPORT:
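Review bot: The comment above the new `case PRIV_VM_MLOCK:` / `case PRIV_VM_MUNLOCK:` arm misspells "Conditionally" and does not say what an operator gives up by setting the flag. Wired pages come out of the host's physical memory rather than a per-jail pool, so a jail with allow.mlock set can put memory pressure on the host and on other jails unless its lock limit is capped. The jail.8 text in this commit mentions resource limits, and the code comment should too. I would word it as `Conditionally allow locking (unlocking) physical pages in memory; wired pages are a host-wide resource, so this relies on RLIMIT_MEMLOCK / rctl limits to bound the jail.` The body of prison_priv_check starts and ends outside this hunk.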
@@ -3752,6 +3764,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLA
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may lock (unlock) physical pages in memory");
 SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may bind sockets to reserved ports");
 

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h	Sun Jul 29 08:43:08 2018	(r336867)
+++ head/sys/sys/jail.h	Sun Jul 29 12:41:56 2018	(r336868)
@@ -227,9 +227,10 @@ struct prison_racct {
 #define	PR_ALLOW_MOUNT			0x00000010
 #define	PR_ALLOW_QUOTAS			0x00000020
 #define	PR_ALLOW_SOCKET_AF		0x00000040
+#define	PR_ALLOW_MLOCK			0x00000080
 #define	PR_ALLOW_RESERVED_PORTS		0x00008000
 #define	PR_ALLOW_KMEM_ACCESS		0x00010000	/* reserved, not used yet */
-#define	PR_ALLOW_ALL_STATIC		0x0001807f
+#define	PR_ALLOW_ALL_STATIC		0x000180ff
 
 /*
  * OSD methods
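Review bot: `PR_ALLOW_ALL_STATIC` is a hand-computed mask, and it is correct here only because `0x0001807f` was bumped to `0x000180ff` in the same commit that added the `0x00000080` bit. Nothing in the header ties the two together, so a later PR_ALLOW_* addition that forgets the mask would still compile cleanly. How the mask is consumed is not visible in this hunk, but presumably the new permission would then be silently dropped or rejected. A one-line comment on the define, such as `/* must equal the OR of every PR_ALLOW_* bit above */`, would make the invariant explicit. The lower PR_ALLOW_* bits are defined above this hunk.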

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Sun Jul 29 08:43:08 2018	(r336867)
+++ head/usr.sbin/jail/jail.8	Sun Jul 29 12:41:56 2018	(r336868)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 20, 2018
+.Dd July 29, 2018
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -553,6 +553,16 @@ with non-jailed parts of the system.
 Sockets within a jail are normally restricted to IPv4, IPv6, local
 (UNIX), and route.  This allows access to other protocol stacks that
 have not had jail functionality added to them.
+.It Va allow.mlock
+Locking or unlocking physical pages in memory are normally not available
+within a jail.
+When this parameter is set, users may
+.Xr mlock 2
+or
+.Xr munlock 2
+memory subject to
+.Va security.bsd.unprivileged_mlock
+and resource limits.
 .It Va allow.reserved_ports
 The jail root may bind to ports lower than 1024.
 .El

