diff options
author | zont <zont@FreeBSD.org> | 2012-12-18 07:36:45 +0000 |
---|---|---|
committer | zont <zont@FreeBSD.org> | 2012-12-18 07:36:45 +0000 |
commit | 4aec412732f622b34aba76580090c6adbd334a3d (patch) | |
tree | 28108c6204f836041b6479639161c505bb34277c /sys/kern/kern_priv.c | |
parent | 15b694913ef06df0bf1f20342bd94b3712f7165d (diff) | |
download | FreeBSD-src-4aec412732f622b34aba76580090c6adbd334a3d.zip FreeBSD-src-4aec412732f622b34aba76580090c6adbd334a3d.tar.gz |
- Add sysctl to allow unprivileged users to call mlock(2)-family system
calls and turn it on.
- Do not allow to call them inside jail. [1]
Pointed out by: trasz [1]
Reviewed by: avg
Approved by: kib (mentor)
MFC after: 1 week
Diffstat (limited to 'sys/kern/kern_priv.c')
-rw-r--r-- | sys/kern/kern_priv.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c index fd3a95c..2f70c2b 100644 --- a/sys/kern/kern_priv.c +++ b/sys/kern/kern_priv.c @@ -59,6 +59,11 @@ SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, &suser_enabled, 0, "processes with uid 0 have privilege"); TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); +static int unprivileged_mlock = 1; +SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RW|CTLFLAG_TUN, + &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)"); +TUNABLE_INT("security.bsd.unprivileged_mlock", &unprivileged_mlock); + SDT_PROVIDER_DEFINE(priv); SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_ok, priv-ok, "int"); SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_err, priv-err, "int"); @@ -93,6 +98,19 @@ priv_check_cred(struct ucred *cred, int priv, int flags) if (error) goto out; + if (unprivileged_mlock) { + /* + * Allow unprivileged users to call mlock(2)/munlock(2) and + * mlockall(2)/munlockall(2). + */ + switch (priv) { + case PRIV_VM_MLOCK: + case PRIV_VM_MUNLOCK: + error = 0; + goto out; + } + } + /* * Having determined if privilege is restricted by various policies, * now determine if privilege is granted. At this point, any policy |