mlock(2) in jails

Hi,

Since various applications want to do that and often fail or coredump when they are not able to, I wonder whether there is a way to allow mlock in a jail. I am getting a permission denied there.

I am using FreeBSD 10.3 on the target machine and ezjail.
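The "permission denied" above is mlock(2) returning EPERM. The probe below, an added example rather than code from this thread, tries to lock a single page and classifies the outcome so that an application can log the result and carry on without locked memory instead of dumping core; it assumes only the POSIX mlock/munlock and posix_memalign calls and the constant names LOCK_OK, LOCK_DENIED, LOCK_LIMITED and LOCK_OTHER chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of trying to lock memory. An application should treat every
 * value except LOCK_OK as "run without locked memory", not as fatal.
 * (Names are chosen for this example, not taken from any API.) */
enum lock_result {
    LOCK_OK = 0,      /* page was locked (and unlocked again) */
    LOCK_DENIED = 1,  /* EPERM: privilege withheld, e.g. inside a jail */
    LOCK_LIMITED = 2, /* ENOMEM/EAGAIN: a memory-lock resource limit was hit */
    LOCK_OTHER = 3    /* any other failure */
};

/* Map the errno left behind by a failed mlock(2) onto a lock_result. */
enum lock_result classify_mlock_errno(int err)
{
    switch (err) {
    case EPERM:  return LOCK_DENIED;
    case ENOMEM: return LOCK_LIMITED;
    case EAGAIN: return LOCK_LIMITED;
    default:     return LOCK_OTHER;
    }
}

/* Human-readable label for logging. */
const char *lock_result_name(enum lock_result r)
{
    switch (r) {
    case LOCK_OK:      return "mlock permitted";
    case LOCK_DENIED:  return "mlock denied (EPERM)";
    case LOCK_LIMITED: return "mlock refused by resource limit";
    default:           return "mlock failed for another reason";
    }
}

/* Try to lock one page-aligned page, then release it again. */
enum lock_result probe_mlock(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *buf = NULL;
    enum lock_result r;

    if (pagesz <= 0)
        pagesz = 4096;
    if (posix_memalign(&buf, (size_t)pagesz, (size_t)pagesz) != 0)
        return LOCK_OTHER;
    memset(buf, 0, (size_t)pagesz); /* touch the page so it is resident */

    if (mlock(buf, (size_t)pagesz) == 0) {
        munlock(buf, (size_t)pagesz);
        r = LOCK_OK;
    } else {
        r = classify_mlock_errno(errno);
    }
    free(buf);
    return r;
}

int main(void)
{
    enum lock_result r = probe_mlock();
    printf("%s\n", lock_result_name(r));
    /* Only LOCK_OK means locked memory is actually in effect. */
    return r == LOCK_OK ? 0 : 1;
}
```

Running the probe inside the jail distinguishes the EPERM case described in this thread from an ordinary resource limit, which matters because the two are fixed in different places (jail configuration versus limits).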
 
I doubt that this is going to work. There are simply some things which will always be unavailable for a jail, simply because it's a restricted environment per definition. Comparable to routing tables and such, those are areas on the host which the jail can never access.
 
It looks like this discussion already came up, so I wonder whether the patch has been considered yet:

https://lists.freebsd.org/pipermail/freebsd-current/2017-February/064711.html

Sadly the mailing list thread stopped, so maybe someone knows a non-manual patch or whether this made it into some other project.

I understand what jails are, but later in this discussion it was pointed out that rctl probably offers a way to get the benefits of this particular restriction, so it would make sense to provide an option. It would also greatly benefit the use case of database-style applications inside jails. A lot of NoSQL-ish software seems to want that, and while I personally think that's a really weird thing to require and that people are mostly wrong about the benefits in a sane environment, I am all for allowing these use cases, especially because jails are nice if you have software that you don't fully trust or agree with.
 
I understand what jails are, but later in this discussion it was pointed out that rctl probably offers a way to get the benefits of this particular restriction, so it would make sense to provide an option.
Thanks for sharing that link.

I'm not too sure myself though. There's also security to be kept in mind. Having the option to turn something like that on and off is cool and all, but sometimes certain restrictions can be bypassed once they've been made accessible.

Either way, since they're talking about CURRENT, my guess is that even if this option finds its way into the system itself, it'll be a while before it'll be put out into production releases.