MDEV-33301 memlock with systemd still not working

grooverdan · grooverdan · commit 8a1904d7825f · 2024-02-15T12:58:13.000+11:00
CapabilityBoundingSet included CAP_IPC_LOCK in MDEV-9095, however
it requires that the executable has the capability marked in extended
attributes also.

The alternate to this is raising the RLIMIT_MEMLOCK for the service/
process to be able to complete the mlockall system call. This needs to
be adjusted to whatever the MariaDB server was going to allocate.
Rather than leave the non-obvious mapping of settings and tuning,
add the capability so its easier for the user.

We set the capability, if possible, but may never be used depending
on user settings. As such in the Debian postinst script, don't
complain if this fails.

The CAP_IPC_LOCK also facilitates the mmaping of huge memory pages.
(see man mmap), like mariadb uses with --large-pages.
diff --git a/cmake/cpack_rpm.cmake b/cmake/cpack_rpm.cmake
@@ -163,6 +163,7 @@ SET(CPACK_RPM_server_USER_FILELIST
     ${ignored}
     "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*"
     "%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql"
+    "%caps(cap_ipc_lock=pe) %{_sbindir}/mysqld"
     )
 SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf")
 SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")
diff --git a/debian/mariadb-server-core-10.5.postinst b/debian/mariadb-server-core-10.5.postinst
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+# inspired by iputils-ping
+#
+# cap_ipc_lock is required if a user wants to use --memlock
+# and has insufficient RLIMIT_MEMLOCK (MDEV-33301)
+
+PROGRAM=$(dpkg-divert --truename /usr/sbin/mysqld)
+
+if [ "$1" = configure ]; then
+  # If we have setcap installed, try setting
+  # which allows us to install our binaries without the setuid
+  # bit.
+  if command -v setcap > /dev/null; then
+    if ! setcap cap_ipc_lock+ep "$PROGRAM"; then
+      echo "Setcap failed on $PROGRAM, required with --memlock if insufficent RLIMIT_MEMLOCK" >&2
+    fi
+  fi
+fi
+
+
+#DEBHELPER#
+
+exit 0
diff --git a/support-files/policy/apparmor/usr.sbin.mysqld b/support-files/policy/apparmor/usr.sbin.mysqld
@@ -14,6 +14,7 @@
 
   capability chown,
   capability dac_override,
+  capability ipc_lock,
   capability setgid,
   capability setuid,
   capability sys_rawio,
diff --git a/support-files/policy/selinux/mariadb-server.te b/support-files/policy/selinux/mariadb-server.te
@@ -25,7 +25,7 @@ require {
 	class lnk_file read;
 	class process { getattr signull };
 	class unix_stream_socket connectto;
-	class capability { sys_resource sys_nice };
+	class capability { ipc_lock sys_resource sys_nice };
 	class tcp_socket { name_bind name_connect };
 	class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
 	class sock_file { create unlink getattr };
@@ -87,6 +87,8 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
 
 # MariaDB additions
 allow mysqld_t self:process setpgid;
+allow mysqld_t self:capability { ipc_lock };
+
 # This rule allows port tcp/4444
 allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
 # This rule allows port tcp/4567 (tram_port_t may not be available on

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,7 @@ SET(CPACK_RPM_server_USER_FILELIST`
`163`	`163`	`${ignored}`
`164`	`164`	`"%config(noreplace) ${INSTALL_SYSCONF2DIR}/*"`
`165`	`165`	`"%config(noreplace) ${INSTALL_SYSCONFDIR}/logrotate.d/mysql"`
	`166`	`+ "%caps(cap_ipc_lock=pe) %{_sbindir}/mysqld"`
`166`	`167`	`)`
`167`	`168`	`SET(CPACK_RPM_common_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONFDIR}/my.cnf")`
`168`	`169`	`SET(CPACK_RPM_shared_USER_FILELIST ${ignored} "%config(noreplace) ${INSTALL_SYSCONF2DIR}/*")`