Re: [patch 11/54] mm: introduce memfd_secret system call to create "secret" memory areas

On Wed, Jul 07, 2021 at 08:13:10PM -0700, Linus Torvalds wrote:
> On Wed, Jul 7, 2021 at 6:08 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > From: Mike Rapoport <rppt@xxxxxxxxxxxxx>
> > Subject: mm: introduce memfd_secret system call to create "secret" memory areas
> >
> > Introduce "memfd_secret" system call with the ability to create memory
> > areas visible only in the context of the owning process and not mapped not
> > only to other processes but in the kernel page tables as well.
> 
> Am I missing something?
> 
> From what I can't tell, this must not be enabled for regular users,
> because the secret mapping is effectively mlock'ed into the address
> space.
> 
> But there does not seem to be any permission checks or any limits, so
> this looks like a trivial way for a bad user to force the kernel to
> run out of memory.

This feature is off by default and should be explicitly enabled by a system
administrator. When it is enabled, a user cannot exceed RLIMIT_MEMLOCK.

-- 
Sincerely yours,
Mike.
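
A probe an administrator could run to confirm the two properties stated in the reply above: whether memfd_secret is enabled at all, and whether a secret mapping one page above RLIMIT_MEMLOCK is refused. This is an added example, not code from the patch or from anyone in the thread; the fallback syscall number 447, the EAGAIN check and every function and enum name are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447 /* assumed: number on x86-64 and asm-generic arches */
#endif

enum probe { SM_DISABLED, SM_BLOCKED, SM_ENFORCED, SM_NOT_ENFORCED, SM_ERROR };

/* Smallest whole-page length strictly above the limit; 0 means "no limit". */
size_t over_limit_len(rlim_t limit, size_t page)
{
    return limit == RLIM_INFINITY ? 0 : ((size_t)limit / page + 1) * page;
}

enum probe probe_secretmem(void)
{
    struct rlimit rl;
    enum probe res = SM_ERROR;
    int fd = (int)syscall(SYS_memfd_secret, 0);
    if (fd < 0) /* ENOSYS: not built in, or not enabled by the administrator */
        return errno == ENOSYS ? SM_DISABLED : SM_BLOCKED;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0) {
        size_t len = over_limit_len(rl.rlim_cur, (size_t)sysconf(_SC_PAGESIZE));
        if (len == 0) {
            res = SM_NOT_ENFORCED; /* unlimited RLIMIT_MEMLOCK: nothing to enforce */
        } else if (ftruncate(fd, (off_t)len) == 0) {
            /* Secret areas must be MAP_SHARED; no page is touched, only mapped. */
            void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
            if (p != MAP_FAILED) {
                res = SM_NOT_ENFORCED; /* e.g. the caller holds CAP_IPC_LOCK */
                munmap(p, len);
            } else if (errno == EAGAIN) { /* assumed errno, as in mainline mm/secretmem.c */
                res = SM_ENFORCED;
            }
        }
    }
    close(fd);
    return res;
}

int main(void)
{
    static const char *msg[] = { "disabled", "blocked (errno != ENOSYS)",
        "RLIMIT_MEMLOCK enforced", "limit NOT enforced", "probe error" };
    printf("memfd_secret: %s\n", msg[probe_secretmem()]);
    return 0;
}
```

Run it as the unprivileged account in question; a privileged caller is expected to report that the limit is not enforced.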


