
D16342.id45988.diff

Index: head/sys/kern/kern_jail.c
===================================================================
--- head/sys/kern/kern_jail.c
+++ head/sys/kern/kern_jail.c
@@ -190,6 +190,7 @@
{"allow.mount", "allow.nomount", PR_ALLOW_MOUNT},
{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS},
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF},
+ {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK},
{"allow.reserved_ports", "allow.noreserved_ports",
PR_ALLOW_RESERVED_PORTS},
};
@@ -3293,6 +3294,17 @@
return (EPERM);
/*
+ * Conditionnaly allow locking (unlocking) physical pages
+ * in memory.
+ */
+ case PRIV_VM_MLOCK:
+ case PRIV_VM_MUNLOCK:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
* Conditionally allow jailed root to bind reserved ports.
*/
case PRIV_NETINET_RESERVEDPORT:
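Review bot: The comment added above `case PRIV_VM_MLOCK:` misspells "Conditionally" and does not say what still bounds a jail once `allow.mlock` is set. Wired memory is shared with the host and with other jails, so anyone auditing this switch will want that stated next to the grant. The jail.8 text in this same change says the operation remains subject to `security.bsd.unprivileged_mlock` and resource limits, and the comment should say so too. I would write it as `Conditionally allow locking (unlocking) physical pages in memory; this only lifts the jail restriction, limits on locked memory still apply.` The enclosing function starts and ends outside the hunk, so what the caller does with the returned 0 (presumably further credential checks) is not visible here.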
@@ -3752,6 +3764,8 @@
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may lock (unlock) physical pages in memory");
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may bind sockets to reserved ports");
Index: head/sys/sys/jail.h
===================================================================
--- head/sys/sys/jail.h
+++ head/sys/sys/jail.h
@@ -227,9 +227,10 @@
#define PR_ALLOW_MOUNT 0x00000010
#define PR_ALLOW_QUOTAS 0x00000020
#define PR_ALLOW_SOCKET_AF 0x00000040
+#define PR_ALLOW_MLOCK 0x00000080
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
-#define PR_ALLOW_ALL_STATIC 0x0001807f
+#define PR_ALLOW_ALL_STATIC 0x000180ff
/*
* OSD methods
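Review bot: `PR_ALLOW_ALL_STATIC` is a hand-computed literal that must be edited each time a bit is added, and nothing in the header ties it to the `PR_ALLOW_*` defines above it. The new value 0x000180ff is consistent with the bits visible in this hunk plus 0x00000080, but the low four bits are defined above the hunk and cannot be checked from here. A comment on the define, for example `/* OR of every static PR_ALLOW_* bit above; update when adding one */`, would make that dependency explicit. If a static permission bit were ever left out of the mask, code that treats the mask as the full set of fixed permissions would presumably mishandle it.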
Index: head/usr.sbin/jail/jail.8
===================================================================
--- head/usr.sbin/jail/jail.8
+++ head/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 20, 2018
+.Dd July 29, 2018
.Dt JAIL 8
.Os
.Sh NAME
@@ -553,6 +553,16 @@
Sockets within a jail are normally restricted to IPv4, IPv6, local
(UNIX), and route. This allows access to other protocol stacks that
have not had jail functionality added to them.
+.It Va allow.mlock
+Locking or unlocking physical pages in memory are normally not available
+within a jail.
+When this parameter is set, users may
+.Xr mlock 2
+or
+.Xr munlock 2
+memory subject to
+.Va security.bsd.unprivileged_mlock
+and resource limits.
.It Va allow.reserved_ports
The jail root may bind to ports lower than 1024.
.El
