On 7/7/2020 1:39 AM, Dmitry Kozlyuk wrote:
> On Tue, 7 Jul 2020 08:04:00 +0000, Tal Shnaiderman wrote:
>> Dmitry, it looks like we got to this stage since hugepage_claim_privilege() cannot
>> actually detect that "Lock pages" isn't granted to the current user; as a
>> result we fail on the first usage of a memory management call [in this case rte_calloc()]
>> without indication of the reason.
>> Is it possible to add an actual check that the current user is in the list of
>> grantees?
>
> Thanks, I'll look into it.
>
>> Alternatively, it would be great to have this privilege added programmatically.
>> I tried the MSDN example in [2] but it didn't work for me while testing; maybe
>> the Microsoft team can check if there is a way to do it?
>
> I don't think it's a good idea from a security perspective if an application
> grants its user new privileges implicitly. A process with SeLockMemory
> privilege can affect overall system performance and stability.

I agree. This is something we forbid, when we do security reviews for
our other products here inside Intel.
Best to have the user explicitly acquire this privilege.
ranjit m.
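
A pre-flight check along the lines discussed in this thread, as an added example that is not part of the original messages or of DPDK: it reads the current token's privilege list from `whoami /priv` and reports whether SeLockMemoryPrivilege is present, without granting anything. The function names and the sample rows are constructed for illustration.

```powershell
# Added example (not DPDK code): check the current token for the
# "Lock pages in memory" user right before starting the application.

function Get-TokenPrivilege {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Rows in `whoami /priv /fo csv /nh` format; read from the live token when omitted.
        [string[]] $PrivCsv
    )
    if (-not $PrivCsv) { $PrivCsv = whoami.exe /priv /fo csv /nh }
    $PrivCsv |
        ConvertFrom-Csv -Header 'Name', 'Description', 'State' |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -First 1
}

function Test-LockPagesPrivilege {
    param([string[]] $PrivCsv)
    $priv = Get-TokenPrivilege -Name 'SeLockMemoryPrivilege' -PrivCsv $PrivCsv
    if (-not $priv) {
        # Report only; the grant stays an explicit administrator action.
        Write-Warning ('SeLockMemoryPrivilege is not in this token. Have an administrator ' +
            'grant "Lock pages in memory" to the account, then log on again.')
        return $false
    }
    # Present but disabled is fine: the process can enable a privilege it holds.
    # A privilege absent from the token cannot be enabled by the process at all.
    Write-Verbose "SeLockMemoryPrivilege present (state: $($priv.State))"
    return $true
}

# Constructed sample rows in `whoami /priv /fo csv /nh` format.
$withGrant = @(
    '"SeLockMemoryPrivilege","Lock pages in memory","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
$withoutGrant = @(
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)

Test-LockPagesPrivilege -PrivCsv $withGrant      # sample token that holds the right
Test-LockPagesPrivilege -PrivCsv $withoutGrant   # sample token that lacks it
Test-LockPagesPrivilege                          # the live token of this session
```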