[PATCH 1/1] default mlock limit 32k->64k

[Kurt Garloff]

Hi,

normal users can mlock memory up to the value defined in RLIMIT_MLOCK.
The number used to 0 for a long time and has been changed to 8 pages
(32k on 4k page systems) a number of years ago to accommodate the needs
of gpg, which is one of the few programs that a normal user runs and
which needs mlock (to prevent passphrase and key from leaking into
swap). 

Nowadays, we have gpg2, and the need has increased to 64k.
Attached patch does change the default to 64k, independent of the
PAGE_SIZE. (Unless PAGE_SIZE is larger than 64k, then we allow one
page.)

Please apply.
-- 
Kurt Garloff, VP Business Development -- OPS, Novell Inc.
From: Kurt Garloff <garloff@xxxxxxx>
Subject: Increase default RLIMIT_MEMLOCK to 64k
References: bnc#329675
Patch-Mainline: no (should be submitted)

By default, non-privileged tasks can only mlock() a small amount of
memory to avoid a DoS attack by ordinary users. The Linux kernel
defaulted to 32k (on a 4k page size system) to accommodate the
needs of gpg.
However, newer gpg2 needs 64k in various circumstances and otherwise
fails miserably, see bnc#329675.

Change the default to 64k, and make it more agnostic to PAGE_SIZE.

Signed-off-by: Kurt Garloff <garloff@xxxxxxx>
Signed-off-by: Nick Piggin <npiggin@xxxxxxx>
---
Index: linux-2.6.27/include/linux/resource.h
===================================================================
--- linux-2.6.27.orig/include/linux/resource.h
+++ linux-2.6.27/include/linux/resource.h
@@ -59,10 +59,10 @@ struct rlimit {
 #define _STK_LIM	(8*1024*1024)
 
 /*
- * GPG wants 32kB of mlocked memory, to make sure pass phrases
+ * GPG2 wants 64kB of mlocked memory, to make sure pass phrases
  * and other sensitive information are never written to disk.
  */
-#define MLOCK_LIMIT	(8 * PAGE_SIZE)
+#define MLOCK_LIMIT	((PAGE_SIZE > 64*1024) ? PAGE_SIZE : 64*1024)
 
 /*
  * Due to binary compatibility, the actual resource numbers

Attachment: pgp00000.pgp
Description: PGP signature