No RAM swapout to disk for "sandbox" run programs

No RAM swapout to disk for "sandbox" run programs

[james]

PGP uses, or did use, a (sloppy?) memory driver which prevented process
address space active in RAM from being swapped out to disk.

I have written Linus Torvalds talking about a range of PIDs, or a new field
in the task_struct, which would indicate to the mm in the kernel that
swapping this process' address space out to disk was forbidden.

A program can be launched from a shell that acts as a "sandbox" to run
programs that shouldn't be swapped to disk. All tasks forked from this
should be regarded as unswappable. This would be useful for encryption
programs, since PGP on WinNT at least was already doing it. I'm not sure how
GnuPG handles this at the moment.

Any thoughts anyone?

Also, I am wondering where I can get software that will allow me to look at
arbitrary memory ranges, the purpose being to look at "deleted" files on
Windows and Linux. Anybody know of any such software? Is there a kernel
module that allows this?

James Buchanan



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: No RAM swapout to disk for "sandbox" run programs

[Tom]

On Tue, Aug 28, 2001 at 09:34:10AM +1000, james@spunkysoftware.com wrote:
> I have written Linus Torvalds talking about a range of PIDs, or a new field
> in the task_struct, which would indicate to the mm in the kernel that
> swapping this process' address space out to disk was forbidden.

this strikes me as redundant because such a mechanism already exists.

> programs, since PGP on WinNT at least was already doing it. I'm not sure how
> GnuPG handles this at the moment.

GPG will use existing system calls to achieve exactly this effect. I
don't know the details by heart, but I did once. grab the gpg source
and take a look around.


> Also, I am wondering where I can get software that will allow me to look at
> arbitrary memory ranges, the purpose being to look at "deleted" files on
> Windows and Linux. Anybody know of any such software? Is there a kernel
> module that allows this?

/proc/mem is your friend. :)



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: No RAM swapout to disk for "sandbox" run programs

[Stephen Smalley]

On Tue, 28 Aug 2001 james@spunkysoftware.com wrote:

> PGP uses, or did use, a (sloppy?) memory driver which prevented process
> address space active in RAM from being swapped out to disk.
> 
> I have written Linus Torvalds talking about a range of PIDs, or a new field
> in the task_struct, which would indicate to the mm in the kernel that
> swapping this process' address space out to disk was forbidden.

This seems a bit off-topic for this mailing list.  Anyway, why can't you
use the mlock system call?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.