diff options
| author | Antoine Brodin <antoine@FreeBSD.org> | 2018-07-29 12:41:56 +0000 |
|---|---|---|
| committer | Antoine Brodin <antoine@FreeBSD.org> | 2018-07-29 12:41:56 +0000 |
| commit | ccd6ac9f6e5c1f92c0ce92de1f037a1b5d7716cb (patch) | |
| tree | 862506675d558cefa879d5d9ae9f69877d7fc805 | |
| parent | fc67c746c0555b7425e5d81c7a5802e1071d75bb (diff) | |
Notes
| -rw-r--r-- | sys/kern/kern_jail.c | 14 | ||||
| -rw-r--r-- | sys/sys/jail.h | 3 | ||||
| -rw-r--r-- | usr.sbin/jail/jail.8 | 12 |
3 files changed, 27 insertions, 2 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index f5ecfba709b5..bd72c90f4a49 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -190,6 +190,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = { {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, + {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, {"allow.reserved_ports", "allow.noreserved_ports", PR_ALLOW_RESERVED_PORTS}, }; @@ -3293,6 +3294,17 @@ prison_priv_check(struct ucred *cred, int priv) return (EPERM); /* + * Conditionnaly allow locking (unlocking) physical pages + * in memory. + */ + case PRIV_VM_MLOCK: + case PRIV_VM_MUNLOCK: + if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK) + return (0); + else + return (EPERM); + + /* * Conditionally allow jailed root to bind reserved ports. */ case PRIV_NETINET_RESERVEDPORT: @@ -3752,6 +3764,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may lock (unlock) physical pages in memory"); SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may bind sockets to reserved ports"); diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 4d234840ac08..ec1013cb0071 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -227,9 +227,10 @@ struct prison_racct { #define PR_ALLOW_MOUNT 0x00000010 #define PR_ALLOW_QUOTAS 0x00000020 #define PR_ALLOW_SOCKET_AF 0x00000040 +#define PR_ALLOW_MLOCK 0x00000080 #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ -#define PR_ALLOW_ALL_STATIC 0x0001807f +#define PR_ALLOW_ALL_STATIC 0x000180ff /* * OSD methods diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 54f6577edab5..2420733f37f3 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 20, 2018 +.Dd July 29, 2018 .Dt JAIL 8 .Os .Sh NAME @@ -553,6 +553,16 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. +.It Va allow.mlock +Locking or unlocking physical pages in memory are normally not available +within a jail. +When this parameter is set, users may +.Xr mlock 2 +or +.Xr munlock 2 +memory subject to +.Va security.bsd.unprivileged_mlock +and resource limits. .It Va allow.reserved_ports The jail root may bind to ports lower than 1024. .El |