From fd2dfd0b6aa2191ecedd2139d1674cc81bba8b0b Mon Sep 17 00:00:00 2001 From: Michael Prokop Date: Mon, 27 Jun 2022 17:03:06 +0200 Subject: [PATCH] TT#182450 systemd: allow LimitMEMLOCK usage for secure memory usage by libgcrypt Fixes: | Warning: using insecure memory! as triggered via libgcrypt, see https://sources.debian.org/src/libgcrypt20/1.10.1-2/src/secmem.c/?#L283 Let's use 8388608 AKA 8MB as default, as present in systemd versions 251 and newer, see commit: | commit 852b62507b22c0a986032a2c9fa9cc464a5b7bd2 | Author: Lennart Poettering | Date: Thu Mar 10 13:22:57 2022 +0100 | | pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M | | This mirrors a similar check in Linux kernel 5.16 | (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the | RLIMIT_MEMLOCK to 8M. | | This change does two things: raise the default limit for nspawn | containers (where we try to mimic closely what the kernel does), and | bump it when running on old kernels which still have the lower setting. | | Fixes: #16300 | See: https://lwn.net/Articles/876288/ Change-Id: I56f6d173d316386501ce8b13cc7a8ad6bea4ed26 --- debian/ngcp-rtpengine-daemon.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/ngcp-rtpengine-daemon.service b/debian/ngcp-rtpengine-daemon.service index 99fc639ea..41f205b52 100644 --- a/debian/ngcp-rtpengine-daemon.service +++ b/debian/ngcp-rtpengine-daemon.service @@ -112,7 +112,8 @@ DevicePolicy=closed IPAddressAllow=any # Maximum number of bytes of memory that may be locked into RAM -LimitMEMLOCK=0 +# NOTE: required for libgcrypt's mlock handling +LimitMEMLOCK=8388608 # Restrict system calls that are allowed to be executed # NOTE: @system-service => reasonable set of system calls used by common system services