From: Andrea Arcangeli <andrea@suse.de>
To: Andrew Morton <akpm@osdl.org>
Cc: William Lee Irwin III <wli@holomorphy.com>,
linux-kernel@vger.kernel.org, kenneth.w.chen@intel.com
Subject: Re: disable-cap-mlock
Date: Thu, 1 Apr 2004 20:49:54 +0200 [thread overview]
Message-ID: <20040401184954.GW18585@dualathlon.random> (raw)
In-Reply-To: <20040401103425.03ba8aff.akpm@osdl.org>
On Thu, Apr 01, 2004 at 10:34:25AM -0800, Andrew Morton wrote:
> William Lee Irwin III <wli@holomorphy.com> wrote:
> >
> > On Thu, Apr 01, 2004 at 08:48:25AM -0800, William Lee Irwin III wrote:
> > >> Something like this would have the minor advantage of zero core impact.
> > >> Testbooted only. vs. 2.6.5-rc3-mm4
> >
> > On Thu, Apr 01, 2004 at 06:59:52PM +0200, Andrea Arcangeli wrote:
> > > I certainly like this too (despite it's more complicated but it might
> > > avoid us to have to add further sysctl in the future), Andrew what do
> > > you prefer to merge? I don't mind either ways.
>
> What is the Oracle requirement in detail?
being able to shmget(SHM_HUGETLB) as normal user. However I cannot
disable the CAP_IPC_LOCK from hugetlbfs/inode.c since that would break
local security w.r.t. mlock.
If I've to disable that single check in hugetlbfs/inode.c then I prefer
to disable all CAP_IPC_LOCK so they can as well use mlock.
> If it's for access to hugetlbfs then there are the uid= and gid= mount
> options.
sure we know, that's not the problem, disabling mlock checks is easy
with hugetlbfs marking the mountpoint 777.
> If it's for access to SHM_HUGETLB then there was some discussion about
> extending the uid= thing to shm, but nothing happened. This could be
> resurrected.
never heard of those discussions sorry, though I'm not completely sure
that one single uid would work, a 777 ownership would certain work
instead, but how to give 777 ownership to not an fs. I mean, the sysctl
is an order of magnitude simpler and it covers the mlock and
shmclt(SHM_LOCK/UNLOCK) usages as well that cannot be covered by rlimit
either.
>
> If it's just generally for the ability to mlock lots of memory then
> RLIMIT_MEMLOCK would be preferable. I don't see why we'd need the sysctl
> when `ulimit -m' is available? (Where is that patch btw?)
the real reason is shmget(SHM_HUGETLB) but if I disable that
specific CAP_IPC_LOCK I can disable them all, and then nobody will have
to use rlimit anymore for this.
Also consider the same user can shmget multiple segments and that can
exceed the 4G limit of rlimit, since that's not address space but
physical memory (either ram or swap).
> I guess we could live with sysctl which simply nukes CAP_IPC_LOCK, but it
> has to be the when-all-else-failed option, yes?
Probably the main advantage is that it doesn't giveup all righs to the
user with fsuid == 0, it only gives it mlock. Though I can imagine some
user may not like to giveup mlock to fsuid == 0 either, so even that may
need to be a config option, but OTOH overcommit and other vm bits (again
stuff that can't be used to do real bad stuff) are already available to
fsuid == 0. So I think the sysctl-cap-mlock is reasonable feature at
least until there's a more finegriend way to give the
shmget(SHM_HUGETLB)/shmctl(SHM_LOCK/UNLOCK) rights.
next prev parent reply other threads:[~2004-04-01 18:50 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-01 13:59 disable-cap-mlock Andrea Arcangeli
2004-04-01 14:12 ` disable-cap-mlock Martin Zwickel
2004-04-01 16:48 ` disable-cap-mlock William Lee Irwin III
2004-04-01 16:59 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:11 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 17:16 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:34 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:38 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:42 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:37 ` disable-cap-mlock Stephen Smalley
2004-04-01 17:44 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:49 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:51 ` disable-cap-mlock William Lee Irwin III
2004-04-01 18:12 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:52 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 17:54 ` disable-cap-mlock William Lee Irwin III
2004-04-01 18:47 ` disable-cap-mlock Stephen Smalley
2004-04-01 19:26 ` disable-cap-mlock William Lee Irwin III
2004-04-01 20:23 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 21:13 ` disable-cap-mlock William Lee Irwin III
2004-04-01 21:31 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 18:34 ` disable-cap-mlock Andrew Morton
2004-04-01 18:49 ` Andrea Arcangeli [this message]
2004-04-01 18:52 ` disable-cap-mlock Chen, Kenneth W
2004-04-01 18:59 ` disable-cap-mlock William Lee Irwin III
2004-04-01 19:27 ` disable-cap-mlock James Morris
2004-04-02 10:39 ` disable-cap-mlock Pavel Machek
2004-04-02 23:44 ` disable-cap-mlock William Lee Irwin III
2004-04-01 19:44 ` disable-cap-mlock Rik van Riel
2004-04-01 19:52 ` disable-cap-mlock Andrew Morton
2004-04-01 22:36 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 22:43 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 23:08 ` disable-cap-mlock Rik van Riel
2004-04-01 23:26 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 0:59 ` disable-cap-mlock Chris Wright
2004-04-01 22:29 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 1:07 ` disable-cap-mlock Chris Wright
2004-04-02 1:18 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 1:30 ` disable-cap-mlock Chris Wright
2004-04-02 1:35 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:04 ` disable-cap-mlock Chris Wright
2004-04-02 2:13 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:21 ` disable-cap-mlock Chris Wright
2004-04-02 2:38 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:48 ` disable-cap-mlock Chris Wright
2004-04-02 1:30 ` disable-cap-mlock Andrew Morton
2004-04-02 1:59 ` disable-cap-mlock Chris Wright
2004-04-02 2:09 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:30 ` disable-cap-mlock Andrew Morton
2004-04-02 2:33 ` disable-cap-mlock Chris Wright
2004-04-02 2:45 ` disable-cap-mlock Andrew Morton
2004-04-02 2:51 ` disable-cap-mlock Chris Wright
2004-04-02 3:21 ` disable-cap-mlock William Lee Irwin III
2004-04-02 2:41 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:49 ` disable-cap-mlock Andrew Morton
2004-04-02 3:07 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 21:35 ` disable-cap-mlock Andrew Morton
2004-04-02 22:36 ` disable-cap-mlock Chris Wright
2004-04-02 22:56 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 23:01 ` disable-cap-mlock Andrew Morton
2004-04-02 23:18 ` disable-cap-mlock Chris Wright
2004-04-05 12:13 ` disable-cap-mlock Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040401184954.GW18585@dualathlon.random \
--to=andrea@suse.de \
--cc=akpm@osdl.org \
--cc=kenneth.w.chen@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=wli@holomorphy.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox