2017-02-02 4:31 GMT+03:00 Xin LI <delp...@gmail.com>: > I like this idea. > > Note that potentially your patch would make it possible for a jailed > root to DoS the whole system by locking too much of pages in memory. > I think it would be sensible to provide a per-jail flag to enable > doing it, or better, have some finer grained control (e.g. per jail > quota of permitted locked pages). > > Why did the application want to lock pages in main memory, though?
For example, this secret management tool https://www.vaultproject.io/docs/config/ wants to lock memory for security (surprise) reason. It's available as security/vault in our ports tree. > > On Wed, Feb 1, 2017 at 3:52 PM, Bruno Lauzé <brunola...@msn.com> wrote: >> >> I would like to ask if there is a reason I would have to applythe patch >> below to make an application work in a jail. >> And who's bad? the app too intrusive or the bsd not flexible enough >> (allow.mlock?) >> >> >> Index: sys/kern/kern_jail.c >> =================================================================== >> --- sys/kern/kern_jail.c (revision 313033) >> +++ sys/kern/kern_jail.c (working copy) >> @@ -3340,6 +3340,11 @@ >> case PRIV_PROC_SETLOGINCLASS: >> return (0); >> >> >> + case PRIV_VM_MADV_PROTECT: >> + case PRIV_VM_MLOCK: >> + case PRIV_VM_MUNLOCK: >> + return (0); >> + >> default: >> >> >> _______________________________________________ _______________________________________________ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
