TT#182450 systemd: allow LimitMEMLOCK usage for secure memory usage by libgcrypt

Fixes: | Warning: using insecure memory! as triggered via libgcrypt, see https://sources.debian.org/src/libgcrypt20/1.10.1-2/src/secmem.c/?#L283 Let's use 8388608 AKA 8MB as default, as present in systemd versions 251 and newer, see commit: | commit 852b62507b22c0a986032a2c9fa9cc464a5b7bd2 | Author: Lennart Poettering <lennart@poettering.net> | Date: Thu Mar 10 13:22:57 2022 +0100 | | pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M | | This mirrors a similar check in Linux kernel 5.16 | (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the | RLIMIT_MEMLOCK to 8M. | | This change does two things: raise the default limit for nspawn | containers (where we try to mimic closely what the kernel does), and | bump it when running on old kernels which still have the lower setting. | | Fixes: #16300 | See: https://lwn.net/Articles/876288/ Change-Id: I56f6d173d316386501ce8b13cc7a8ad6bea4ed26
3 years ago · fd2dfd0b6a
parent 26bf2b05a5
commit fd2dfd0b6a
1 changed files with 2 additions and 1 deletions
--- a/debian/ngcp-rtpengine-daemon.service
+++ b/debian/ngcp-rtpengine-daemon.service
@ -112,7 +112,8 @@ DevicePolicy=closed
 IPAddressAllow=any

 # Maximum number of bytes of memory that may be locked into RAM
-LimitMEMLOCK=0
+# NOTE: required for libgcrypt's mlock handling
+LimitMEMLOCK=8388608

 # Restrict system calls that are allowed to be executed
 # NOTE: @system-service => reasonable set of system calls used by common system services