svn commit: r244385 - head/sys/kern
Andrey Zonov
zont at FreeBSD.org
Tue Dec 18 07:36:46 UTC 2012
Author: zont
Date: Tue Dec 18 07:36:45 2012
New Revision: 244385
URL: http://svnweb.freebsd.org/changeset/base/244385
Log:
- Add sysctl to allow unprivileged users to call mlock(2)-family system
calls and turn it on.
- Do not allow to call them inside jail. [1]
Pointed out by: trasz [1]
Reviewed by: avg
Approved by: kib (mentor)
MFC after: 1 week
Modified:
head/sys/kern/kern_priv.c
Modified: head/sys/kern/kern_priv.c
==============================================================================
--- head/sys/kern/kern_priv.c Tue Dec 18 07:35:01 2012 (r244384)
+++ head/sys/kern/kern_priv.c Tue Dec 18 07:36:45 2012 (r244385)
@@ -59,6 +59,11 @@ SYSCTL_INT(_security_bsd, OID_AUTO, suse
&suser_enabled, 0, "processes with uid 0 have privilege");
TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
+static int unprivileged_mlock = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RW|CTLFLAG_TUN,
+ &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
+TUNABLE_INT("security.bsd.unprivileged_mlock", &unprivileged_mlock);
+
SDT_PROVIDER_DEFINE(priv);
SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_ok, priv-ok, "int");
SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_err, priv-err, "int");
@@ -93,6 +98,19 @@ priv_check_cred(struct ucred *cred, int
if (error)
goto out;
+ if (unprivileged_mlock) {
+ /*
+ * Allow unprivileged users to call mlock(2)/munlock(2) and
+ * mlockall(2)/munlockall(2).
+ */
+ switch (priv) {
+ case PRIV_VM_MLOCK:
+ case PRIV_VM_MUNLOCK:
+ error = 0;
+ goto out;
+ }
+ }
+
/*
* Having determined if privilege is restricted by various policies,
* now determine if privilege is granted. At this point, any policy
More information about the svn-src-head
mailing list