linux-mm.kvack.org archive mirror
* [garloff@suse.de: [PATCH 1/1] default mlock limit 32k->64k]
@ 2008-10-16  7:43 Kurt Garloff
From: Kurt Garloff @ 2008-10-16  7:43 UTC (permalink / raw)
  To: linux-arch, linux-mm; +Cc: Andrew Morton, Nick Piggin


Hi,

this patch does increase the default mlock()able memory from 32k to 64k
on PAGE_SIZE=4k systems. However, on systems with page sizes larger than
8k, the patch actually decreases the default down to 64k (or one page
in case that's larger).

Please speak up if you foresee problems on those platforms.
It would be simple to do 
#define MLOCK_LIMIT  ((PAGE_SIZE > 4096) ? 8*PAGE_SIZE : 64*1024)
in that case -- but doing min(64k,PAGE_SIZE) seems cleaner to me.

----- Forwarded message from Kurt Garloff <garloff@suse.de> -----

Date: Wed, 15 Oct 2008 11:27:36 +0200
From: Kurt Garloff <garloff@suse.de>
To: linux-kernel@vger.kernel.org
Cc: Nick Piggin <NPiggin@suse.de>
Subject: [PATCH 1/1] default mlock limit 32k->64k
X-Operating-System: Linux 2.6.25.16-0.1-default x86_64
X-PGP-Info: on http://www.garloff.de/kurt/mykeys.pgp
X-PGP-Key: 1024D/1C98774E
Organization: SUSE Linux Products GmbH (a Novell company), Nuernberg, GF:
	Markus Rex, HRB 16746 (AG Nuernberg)
User-Agent: Mutt/1.5.17 (2007-11-01)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

normal users can mlock memory up to the value defined in RLIMIT_MLOCK.
The number used to be 0 for a long time and has been changed to 8 pages
(32k on 4k page systems) a number of years ago to accommodate the needs
of gpg, which is one of the few programs that a normal user runs and
which needs mlock (to prevent passphrase and key from leaking into
swap). 

Nowadays, we have gpg2, and the need has increased to 64k.
Attached patch does change the default to 64k, independent of the
PAGE_SIZE. (Unless PAGE_SIZE is larger than 64k, then we allow one
page.)

Please apply.
-- 
Kurt Garloff, VP Business Development -- OPS, Novell Inc.

From: Kurt Garloff <garloff@suse.de>
Subject: Increase default RLIMIT_MEMLOCK to 64k
References: bnc#329675
Patch-Mainline: no (should be submitted)

By default, non-privileged tasks can only mlock() a small amount of
memory to avoid a DoS attack by ordinary users. The Linux kernel
defaulted to 32k (on a 4k page size system) to accommodate the
needs of gpg.
However, newer gpg2 needs 64k in various circumstances and otherwise
fails miserably, see bnc#329675.

Change the default to 64k, and make it more agnostic to PAGE_SIZE.

Signed-off-by: Kurt Garloff <garloff@suse.de>
Signed-off-by: Nick Piggin <npiggin@suse.de>
---
Index: linux-2.6.27/include/linux/resource.h
===================================================================
--- linux-2.6.27.orig/include/linux/resource.h
+++ linux-2.6.27/include/linux/resource.h
@@ -59,10 +59,10 @@ struct rlimit {
 #define _STK_LIM	(8*1024*1024)
 
 /*
- * GPG wants 32kB of mlocked memory, to make sure pass phrases
+ * GPG2 wants 64kB of mlocked memory, to make sure pass phrases
  * and other sensitive information are never written to disk.
  */
-#define MLOCK_LIMIT	(8 * PAGE_SIZE)
+#define MLOCK_LIMIT	((PAGE_SIZE > 64*1024) ? PAGE_SIZE : 64*1024)
 
 /*
  * Due to binary compatibility, the actual resource numbers
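
Review bot: the commit message says the define is now "more agnostic to PAGE_SIZE" but never states that it lowers the default on architectures with pages larger than 8k: with 16k pages the old `8 * PAGE_SIZE` gave 128k and the new expression gives 64k, and with 64k pages it drops from 512k to 64k. The cover letter flags exactly this as the point linux-arch should speak up about, so it belongs in the changelog rather than only in the mail. The comment above the define should also explain the fallback arm, for instance by adding ` * (or one page, on systems whose pages are larger than 64kB).` after the existing two lines, since a reader of resource.h otherwise only sees the GPG2 motivation. The expression itself is fine as written: it is fully parenthesised and both arms are integer constants once PAGE_SIZE expands.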




----- End forwarded message -----

-- 
Kurt Garloff, VP Business Development -- OPS, Novell Inc.
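
As an added example (not code from this thread, from the kernel, or from gpg), the C program below makes the two points of the mail concrete: it evaluates the old `8 * PAGE_SIZE` default and the patched 64k default for the page sizes mentioned in the thread, which shows the decrease on 16k and 64k page systems, and it shows how an unprivileged program can check RLIMIT_MEMLOCK before mlock()ing a secret buffer so that it can report the "can't lock memory" failure mode instead of silently keeping passphrases in swappable memory. The page-size table and the 64k probe are constructed inputs; `secure_alloc`, `secure_free`, `probe_lock` and `mlock_soft_limit` are hypothetical helper names chosen for the example, not gpg's API.

```c
#define _GNU_SOURCE            /* MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Old kernel default: 8 pages, i.e. 32k on 4k pages but 128k on 16k pages. */
static unsigned long mlock_limit_old(unsigned long page_size)
{
	return 8 * page_size;
}

/* Default proposed in the patch: 64k, or one page when a page is larger. */
static unsigned long mlock_limit_new(unsigned long page_size)
{
	return (page_size > 64 * 1024) ? page_size : 64 * 1024;
}

/* Round a request up to whole pages, which is what the kernel charges. */
static size_t round_to_pages(size_t len, size_t page_size)
{
	return (len + page_size - 1) & ~(page_size - 1);
}

/* Soft RLIMIT_MEMLOCK in bytes, or (size_t)-1 when it is unlimited. */
static size_t mlock_soft_limit(void)
{
	struct rlimit rl;
	if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
		return (size_t)-1;
	return (size_t)rl.rlim_cur;
}

/* Hypothetical helper, not gpg's API: check the soft limit first so the
 * caller can warn before the kernel refuses, then map and mlock() the pages.
 * Returns 0 and sets *out, or a positive errno with *out left NULL. */
static int secure_alloc(size_t len, void **out)
{
	long page = sysconf(_SC_PAGESIZE);
	size_t rounded = round_to_pages(len, page > 0 ? (size_t)page : 4096);
	void *p;
	*out = NULL;
	if (rounded > mlock_soft_limit())
		return ENOMEM;	/* what mlock() reports when the limit is too small */
	p = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
		 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (p == MAP_FAILED)
		return errno;	/* EINVAL for a zero-length request */
	if (mlock(p, rounded) != 0) {
		int err = errno;
		munmap(p, rounded);
		return err;
	}
	*out = p;
	return 0;
}

/* Scrub before unlocking so the pages never hold secrets while swappable. */
static void secure_free(void *p, size_t len)
{
	long page = sysconf(_SC_PAGESIZE);
	size_t rounded = round_to_pages(len, page > 0 ? (size_t)page : 4096);
	volatile unsigned char *v = p;
	size_t i;
	for (i = 0; i < rounded; i++)
		v[i] = 0;
	munlock(p, rounded);
	munmap(p, rounded);
}

/* Allocate and release one locked buffer; 0 on success, else the errno. */
static int probe_lock(size_t len)
{
	void *p;
	int err = secure_alloc(len, &p);
	if (err == 0)
		secure_free(p, len);
	return err;
}

int main(void)
{
	/* Constructed page sizes covering the platforms named in the thread. */
	static const unsigned long sizes[] = { 4096, 8192, 16384, 65536, 262144 };
	int i, err;
	for (i = 0; i < (int)(sizeof(sizes) / sizeof(sizes[0])); i++)
		printf("PAGE_SIZE %6lu: 8*PAGE_SIZE = %6lu, patched = %6lu\n",
		       sizes[i], mlock_limit_old(sizes[i]), mlock_limit_new(sizes[i]));
	err = probe_lock(64 * 1024);	/* the amount gpg2 needs, per the thread */
	if (err)
		fprintf(stderr, "can't lock memory: %s\nWarning: using insecure memory!\n",
			strerror(err));
	else
		puts("locked 64k successfully");
	return 0;
}
```

Build with `cc -o mlock_probe mlock_probe.c` and run it as an ordinary user; running it under `ulimit -l 32` (bash, kilobytes) reproduces the two error lines quoted later in the thread, while `ulimit -l 64` lets the 64k probe succeed. The soft-limit check before mmap() is what lets the program warn deterministically instead of depending on which of ENOMEM or EPERM the kernel happens to return.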



* Re: [garloff@suse.de: [PATCH 1/1] default mlock limit 32k->64k]
@ 2008-10-16 22:48 ` Andrew Morton
From: Andrew Morton @ 2008-10-16 22:48 UTC (permalink / raw)
  To: Kurt Garloff; +Cc: linux-arch, linux-mm, NPiggin

On Thu, 16 Oct 2008 09:43:19 +0200
Kurt Garloff <garloff@suse.de> wrote:

> By default, non-privileged tasks can only mlock() a small amount of
> memory to avoid a DoS attack by ordinary users. The Linux kernel
> defaulted to 32k (on a 4k page size system) to accommodate the
> needs of gpg.
> However, newer gpg2 needs 64k in various circumstances and otherwise
> fails miserably, see bnc#329675.
> 
> Change the default to 64k, and make it more agnostic to PAGE_SIZE.
> 
> Signed-off-by: Kurt Garloff <garloff@suse.de>
> Signed-off-by: Nick Piggin <npiggin@suse.de>
> ---
> Index: linux-2.6.27/include/linux/resource.h
> ===================================================================
> --- linux-2.6.27.orig/include/linux/resource.h
> +++ linux-2.6.27/include/linux/resource.h
> @@ -59,10 +59,10 @@ struct rlimit {
>  #define _STK_LIM	(8*1024*1024)
>  
>  /*
> - * GPG wants 32kB of mlocked memory, to make sure pass phrases
> + * GPG2 wants 64kB of mlocked memory, to make sure pass phrases
>   * and other sensitive information are never written to disk.
>   */
> -#define MLOCK_LIMIT	(8 * PAGE_SIZE)
> +#define MLOCK_LIMIT	((PAGE_SIZE > 64*1024) ? PAGE_SIZE : 64*1024)

I dunno.  Is there really much point in chasing userspace changes like
this?

Worst case, we end up releasing distributions which work properly on
newer kernels and which fail to work properly on older kernels.

I suspect that it would be better to set the default to zero and
*force* userspace to correctly tune whatever-kernel-they're-running-on
to match their requirements.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: email@kvack.org


* Re: [garloff@suse.de: [PATCH 1/1] default mlock limit 32k->64k]
@ 2008-10-17  4:11   ` Nick Piggin
From: Nick Piggin @ 2008-10-17  4:11 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Kurt Garloff, linux-arch, linux-mm

On Thu, Oct 16, 2008 at 03:48:16PM -0700, Andrew Morton wrote:
> On Thu, 16 Oct 2008 09:43:19 +0200
> Kurt Garloff <garloff@suse.de> wrote:
> 
> > By default, non-privileged tasks can only mlock() a small amount of
> > memory to avoid a DoS attack by ordinary users. The Linux kernel
> > defaulted to 32k (on a 4k page size system) to accommodate the
> > needs of gpg.
> > However, newer gpg2 needs 64k in various circumstances and otherwise
> > fails miserably, see bnc#329675.
> > 
> > Change the default to 64k, and make it more agnostic to PAGE_SIZE.
> > 
> > Signed-off-by: Kurt Garloff <garloff@suse.de>
> > Signed-off-by: Nick Piggin <npiggin@suse.de>
> > ---
> > Index: linux-2.6.27/include/linux/resource.h
> > ===================================================================
> > --- linux-2.6.27.orig/include/linux/resource.h
> > +++ linux-2.6.27/include/linux/resource.h
> > @@ -59,10 +59,10 @@ struct rlimit {
> >  #define _STK_LIM	(8*1024*1024)
> >  
> >  /*
> > - * GPG wants 32kB of mlocked memory, to make sure pass phrases
> > + * GPG2 wants 64kB of mlocked memory, to make sure pass phrases
> >   * and other sensitive information are never written to disk.
> >   */
> > -#define MLOCK_LIMIT	(8 * PAGE_SIZE)
> > +#define MLOCK_LIMIT	((PAGE_SIZE > 64*1024) ? PAGE_SIZE : 64*1024)
> 
> I dunno.  Is there really much point in chasing userspace changes like
> this?

I think the default is *much* better. Not in terms of exact sizes, but
being consistent over all architectures, and not being ridiculously too
high on 64k page size kernels (which ia64 and powerpc are heading towards)


> Worst case, we end up releasing distributions which work properly on
> newer kernels and which fail to work properly on older kernels.
> 
> I suspect that it would be better to set the default to zero and
> *force* userspace to correctly tune whatever-kernel-they're-running-on
> to match their requirements.

Probably that would have been the best way to go, but changing that now
also means old distros may not work properly with new kernels (which is
probably worse than old kernels not working on new distros, because that
is inevitable anyway).



* Re: [garloff@suse.de: [PATCH 1/1] default mlock limit 32k->64k]
@ 2008-10-17 16:46   ` Kurt Garloff
From: Kurt Garloff @ 2008-10-17 16:46 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-arch, linux-mm, NPiggin


Andrew,

On Thu, Oct 16, 2008 at 03:48:16PM -0700, Andrew Morton wrote:
> On Thu, 16 Oct 2008 09:43:19 +0200 Kurt Garloff <garloff@suse.de> wrote:
> > Index: linux-2.6.27/include/linux/resource.h
> > ===================================================================
> > --- linux-2.6.27.orig/include/linux/resource.h
> > +++ linux-2.6.27/include/linux/resource.h
> > @@ -59,10 +59,10 @@ struct rlimit {
> >  #define _STK_LIM	(8*1024*1024)
> >  
> >  /*
> > - * GPG wants 32kB of mlocked memory, to make sure pass phrases
> > + * GPG2 wants 64kB of mlocked memory, to make sure pass phrases
> >   * and other sensitive information are never written to disk.
> >   */
> > -#define MLOCK_LIMIT	(8 * PAGE_SIZE)
> > +#define MLOCK_LIMIT	((PAGE_SIZE > 64*1024) ? PAGE_SIZE : 64*1024)
> 
> I dunno.  Is there really much point in chasing userspace changes like
> this?

If there were many apps that would need it and that would have
contradicting or fast changing requirements, I would certainly
not wanna chase that.

We're lucky here that gpg/gpg2 is the only unprivileged user
of locked memory and that the requirement does not really change
often. We've had gpg1 with 32k need since 1999 and now gpg2 with
a 64k need.

Accommodating that seems like a pragmatic thing to do. Will ensure
good defaults for a broad set of users.

> Worst case, we end up releasing distributions which work properly on
> newer kernels and which fail to work properly on older kernels.

I know a number of users that run new kernels below old distributions
but few that do the opposite.
The failure mode in this specific case is not obscure at all, so I'm
not worried: 
can't lock memory: Cannot allocate memory
Warning: using insecure memory!

> I suspect that it would be better to set the default to zero and
> *force* userspace to correctly tune whatever-kernel-they're-running-on
> to match their requirements.

That's feasible, though I think distributions are not today
preconfigured to do that. Turning your argument around:
It would make it a bit harder to run new kernels on old distros.
(Which I believe is worse -- we need testers!)

Best,
-- 
Kurt Garloff, VP Business Development -- OPS, Novell Inc.


