Re: shmget with SHM_HUGETLB flag: Operation not permitted

[Chris Wright]

* Jochen Roemling (jochen@xxxxxxxxxxxx) wrote:
> Chris Wright wrote:
> > In case that part wasn't clear, it would be CAP_IPC_LOCK capability.
> > 
> Thanks. Capset was the keyword I couldn't remember.
> 
> _Background:_
> I would like to install Oracle 10g Database on Linux with HUGETLB 
> support. The oracle binary exits with -EPERM because it is not allowed 
> to create a shared memory segment with the SHM_HUGETLB flag set.

OK, as expected.

> I installed the libcap2 package (from debian testing) and now have the 
> tool "setcap" available. I wanted to test this on my example pgm 
> mentioned in the original post using:
> 
> roesrv01~ # setcap CAP_IPC_LOCK a.out
> fatal error: Invalid argument
> usage: setcap [-q] (-|<caps>) <filename> [ ... (-|<capsN>) <filenameN> ]
> 
> using the number "14" instead of the name "CAP_IPC_LOCK" doesn't work 
> either. I don't have any glue. Do have a simple example for me?

did you try setpcaps?  smth like setpcaps cap_ipc_lock+e <pid>

> By the way: CAP_IPC_LOCK is only checked in line 508 of ipc/shm.c:
<snip>
>                  if (!capable(CAP_IPC_LOCK)) {
>                          err = -EPERM;
>                          goto out;
>                  }
> 
> There is nothing around that says: "Allow this only without HUGETLB".
> Are you sure that this capability is my problem?

Yes, take a look at fs/hugetlbfs/inode.c::hugetlb_zero_setup()

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/