From 8a1904d7825f9897cd237fc6a1d8a57a9f2108de Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 25 Jan 2024 16:07:51 +1100 Subject: [PATCH] MDEV-33301 memlock with systemd still not working CapabilityBoundingSet included CAP_IPC_LOCK in MDEV-9095, however it requires that the executable has the capability marked in extended attributes also. The alternate to this is raising the RLIMIT_MEMLOCK for the service/ process to be able to complete the mlockall system call. This needs to be adjusted to whatever the MariaDB server was going to allocate. Rather than leave the non-obvious mapping of settings and tuning, add the capability so its easier for the user. We set the capability, if possible, but may never be used depending on user settings. As such in the Debian postinst script, don't complain if this fails. The CAP_IPC_LOCK also facilitates the mmaping of huge memory pages. (see man mmap), like mariadb uses with --large-pages. --- cmake/cpack_rpm.cmake | 1 + debian/mariadb-server-core-10.5.postinst | 26 +++++++++++++++++++ support-files/policy/apparmor/usr.sbin.mysqld | 1 + .../policy/selinux/mariadb-server.te | 4 ++- 4 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 debian/mariadb-server-core-10.5.postinst diff --git a/cmake/cpack_rpm.cmake b/cmake/cpack_rpm.cmake index 65a739dc03e..414b4f6a902 100644 --- a/cmake/cpack_rpm.cmake +++ b/cmake/cpack_rpm.cmake @@ -163,6 +163,7 @@ SET(CPACK_RPM_server_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*" "%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql" + "%caps(cap_ipc_lock=pe) %{_sbindir}/mysqld" ) SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf") SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*") diff --git a/debian/mariadb-server-core-10.5.postinst b/debian/mariadb-server-core-10.5.postinst new file mode 100644 index 00000000000..5f79bed2402 --- /dev/null 
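Review bot: The added `"%caps(cap_ipc_lock=pe) %{_sbindir}/mysqld"` entry in `CPACK_RPM_server_USER_FILELIST` puts CAP_IPC_LOCK on the binary itself, so any local account allowed to execute mysqld gets the capability and is no longer bound by RLIMIT_MEMLOCK, not just the packaged service; the `setcap cap_ipc_lock+ep "$PROGRAM"` call in the new Debian postinst has the same effect. A binary with file capabilities is also started in the dynamic linker's secure-execution mode, where `LD_PRELOAD` and `LD_LIBRARY_PATH` are ignored and the process may be marked non-dumpable, so preloaded allocators and core dumps should be checked before this ships. If the aim is only that the systemd service can complete mlockall(), scoping the capability to the unit with `AmbientCapabilities=CAP_IPC_LOCK` (the unit file is not part of this patch) would avoid both effects. The entry also hard-codes `%{_sbindir}` while its neighbours use `${INSTALL_SYSCONFDIR}`-style variables, so it presumably stops matching if the install layout places mysqld elsewhere.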
+++ b/debian/mariadb-server-core-10.5.postinst @@ -0,0 +1,26 @@ +#!/bin/sh + +set -e + +# inspired by iputils-ping +# +# cap_ipc_lock is required if a user wants to use --memlock +# and has insufficient RLIMIT_MEMLOCK (MDEV-33301) + +PROGRAM=$(dpkg-divert --truename /usr/sbin/mysqld) + +if [ "$1" = configure ]; then + # If we have setcap installed, try setting + # which allows us to install our binaries without the setuid + # bit. + if command -v setcap > /dev/null; then + if ! setcap cap_ipc_lock+ep "$PROGRAM"; then + echo "Setcap failed on $PROGRAM, required with --memlock if insufficent RLIMIT_MEMLOCK" >&2 + fi + fi +fi + + +#DEBHELPER# + +exit 0 diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld index c60ecd28531..732f4b3a97a 100644 --- a/support-files/policy/apparmor/usr.sbin.mysqld +++ b/support-files/policy/apparmor/usr.sbin.mysqld @@ -14,6 +14,7 @@ capability chown, capability dac_override, + capability ipc_lock, capability setgid, capability setuid, capability sys_rawio, diff --git a/support-files/policy/selinux/mariadb-server.te b/support-files/policy/selinux/mariadb-server.te index 89846063506..ba53c97d4a8 100644 --- a/support-files/policy/selinux/mariadb-server.te +++ b/support-files/policy/selinux/mariadb-server.te @@ -25,7 +25,7 @@ require { class lnk_file read; class process { getattr signull }; class unix_stream_socket connectto; - class capability { sys_resource sys_nice }; + class capability { ipc_lock sys_resource sys_nice }; class tcp_socket { name_bind name_connect }; class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink }; class sock_file { create unlink getattr }; 
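Review bot: The comment inside the `configure` branch of the new postinst ("which allows us to install our binaries without the setuid bit") is carried over from iputils-ping and does not describe this script, as nothing here involves a setuid bit. It should state the real purpose, e.g. `# Grant cap_ipc_lock so --memlock works without raising RLIMIT_MEMLOCK; optional, so failure is not fatal.` When `setcap` is not installed the branch is skipped without any message, so whether the capability ends up on the binary depends on what else is present on the host. A one-line notice in that case, or a package relationship on the tool that provides setcap, would make the outcome predictable. The warning text also misspells "insufficient" as `insufficent`.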
@@ -87,6 +87,8 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl }; # MariaDB additions allow mysqld_t self:process setpgid; +allow mysqld_t self:capability { ipc_lock }; + # This rule allows port tcp/4444 allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect }; # This rule allows port tcp/4567 (tram_port_t may not be available on