1 files changed, 31 insertions, 2 deletions

diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
index 6eb7ed75..0d775de2 100644
--- a/daemon/gkd-capability.c
+++ b/daemon/gkd-capability.c
@@ -30,6 +30,8 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/resource.h>
+#include <sys/time.h>
 
 #ifdef HAVE_LIBCAPNG
 
@@ -49,6 +51,33 @@ early_warning (const char *warn_string)
 		fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string);
 }
 
+/* This is arbitrary. Empirically, 256K seems to be enough. */
+#define ENOUGH_LOCKED_MEMORY_BYTES (256 * 1024)
+
+static void
+check_memlock (const char *message_if_not)
+{
+	struct rlimit rlim = {};
+
+	if (getrlimit (RLIMIT_MEMLOCK, &rlim) == 0) {
+		if (rlim.rlim_cur == RLIM_INFINITY ||
+		    rlim.rlim_cur >= ENOUGH_LOCKED_MEMORY_BYTES) {
+			/* this seems like enough, no need for a warning */
+			return;
+		}
+
+		rlim.rlim_cur = rlim.rlim_max;
+
+		if ((rlim.rlim_cur == RLIM_INFINITY ||
+		     rlim.rlim_cur >= ENOUGH_LOCKED_MEMORY_BYTES) &&
+		    setrlimit (RLIMIT_MEMLOCK, &rlim) == 0) {
+			return;
+		}
+	}
+
+	early_warning (message_if_not);
+}
+
 #endif /* HAVE_LIPCAPNG */
 
 /*
@@ -87,13 +116,13 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
 			early_error ("error getting process capabilities", 0);
 			break;
 		case CAPNG_NONE:
-			early_warning ("no process capabilities, insecure memory might get used");
+			check_memlock ("no process capabilities, insecure memory might get used");
 			break;
 		case CAPNG_PARTIAL: { /* File system based capabilities */
 			capng_select_t set = CAPNG_SELECT_CAPS;
 			if (!capng_have_capability (CAPNG_EFFECTIVE,
 							    CAP_IPC_LOCK)) {
-				early_warning ("insufficient process capabilities, insecure memory might get used");
+				check_memlock ("insufficient process capabilities, insecure memory might get used");
 			}
 
 			/* If we don't have CAP_SETPCAP, we can't update the