- Add sysctl to allow unprivileged users to call mlock(2)-family system

  calls and turn it on.
- Do not allow to call them inside jail. [1]

Pointed out by:	trasz [1]
Reviewed by:	avg
Approved by:	kib (mentor)
MFC after:	1 week

1 files changed, 18 insertions, 0 deletions

diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
index fd3a95c..2f70c2b 100644
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -59,6 +59,11 @@ SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
     &suser_enabled, 0, "processes with uid 0 have privilege");
 TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
 
+static int	unprivileged_mlock = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RW|CTLFLAG_TUN,
+    &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
+TUNABLE_INT("security.bsd.unprivileged_mlock", &unprivileged_mlock);
+
 SDT_PROVIDER_DEFINE(priv);
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_ok, priv-ok, "int");
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv_err, priv-err, "int");
@@ -93,6 +98,19 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
 	if (error)
 		goto out;
 
+	if (unprivileged_mlock) {
+		/*
+		 * Allow unprivileged users to call mlock(2)/munlock(2) and
+		 * mlockall(2)/munlockall(2).
+		 */
+		switch (priv) {
+			case PRIV_VM_MLOCK:
+			case PRIV_VM_MUNLOCK:
+				error = 0;
+				goto out;
+		}
+	}
+
 	/*
 	 * Having determined if privilege is restricted by various policies,
 	 * now determine if privilege is granted.  At this point, any policy