I took some time to consider a few options... 1. MLOCK_ZERO_ON_FREE flag for mlock2: This would achieve what I was looking for. On the other hand, this feature could not be used to just ensure the memory is zeroed before reallocation, without locking it to memory. So if you just want a few regions to be protected from other processes, this would not be ideal. Also the VM_* flags are all used otherwise (except for a random hole in the middle). 2. PR_INIT_ON_FREE option for prctl + some cap against DoS: This could, more generally, be used to "replace" other ways of choosing initialization behavior. Systems could run with zeroing in general disabled to improve performance and just use this feature whenever needed. However, it seems counterintuitive to me to have a prctl option to set properties of a range of memory. Is there a system call to set general properties of memory areas? 3. CONFIG_MLOCK_INIT_ON_FREE: Such a config could be used as an alternative to init_on_free (or its DEFAULT_ON config) and would be limited to the much smaller amount of mlocked memory. Again, this could not be used if you didn't want to lock the pages to memory, but would definitely be one of the easiest ways to avoid most of the init_on_free overhead with essentially the same security. 4. PR_INIT_MLOCKED_ON_FREE option for prctl: This would essentially be option 3. but even further limited to only the processes that want it and cannot ensure keys are zeroed before an exit/crash. This prctl option would take no further options except an enable/disable switch. It could be called once, in the beginning, to enable the feature. If the process then crashes, any mlocked memory is cleared and does not make its way to another process. After any key material has been erased, the program could call prctl again to disable the feature so no clearing is done when the process exits. Currently #1, #3 and #4 sound most applicable to me. Options #3 and #4 are probably a lot cleaner to implement, #1 and #4 should be more performant. From your experience, how often would someone want to seriously prevent memory from getting to another process without the option to mlock it? Is there any arguments I am missing? What's your opinion on these? Which, if any, do you think would work best?
