pipewire/src/modules/module-rt/20-pw-defaults.conf.in

# This file was installed by PipeWire project for buffer locking to always work

# Required to memlock audio buffers for all client types
#
# This will match all PAM users i.e. those going through the login procedure but
# it should not get applied to system daemons, since they are run bypassing PAM.
#
# While at first glance this might appear very relevant, in fact abusing this
# can at most allow for either more rapid OOM or enhance malicious system memory
# thrashing while evading systemd-oomd limits that are based on the requirement
# that swap utilization must be high before issues arise. As such it's perfectly
# reasonable to just set a limit where each client can lock a few megabytes with
# nearly no impact on regular systems. Meanwhile malicious attackers can OOM
# just as they could. And instead tooling for OOM and resource abuse should be
# improved, if such denial of service attacks are a serious consideration at all.
#
# Starting with Linux 5.16 or systemd v253 the default is 8192 which is plenty
# good enough and this file should not be installed on such systems.
#
*         - memlock @PAM_MEMLOCK@
RLIMITs: add support for generating limits.d files This commit implements generating /etc/security/limits.d/20-pw-defaults.conf and /etc/security/limits.d/25-pw-rlimits.conf files. The numbering is arbitrary and may very well warrant being in the reverse order, however `man 5 limits.conf` does not appear to specify the parsing order or even say exactly how multiples matches will resolve, so the value can be adjusted later, if required. The actual limit values, the match rule and even whether each file is to be installed can be changed via the build system before compilation. Likewise the files can be modified or (re)moved during distro package building phase. The 20-pw-defaults.conf should only be installed on legacy systems lacking both a modern kernel and up to date systemd, because all it does is set the current Linux default. Accordingly its not installed by default. Signed-off-by: Niklāvs Koļesņikovs <89q1r14hd@relay.firefox.com> 2023-02-07 00:26:03 +02:00			`# This file was installed by PipeWire project for buffer locking to always work`

			`# Required to memlock audio buffers for all client types`
			`#`
			`# This will match all PAM users i.e. those going through the login procedure but`
			`# it should not get applied to system daemons, since they are run bypassing PAM.`
			`#`
			`# While at first glance this might appear very relevant, in fact abusing this`
			`# can at most allow for either more rapid OOM or enhance malicious system memory`
			`# thrashing while evading systemd-oomd limits that are based on the requirement`
			`# that swap utilization must be high before issues arise. As such it's perfectly`
			`# reasonable to just set a limit where each client can lock a few megabytes with`
			`# nearly no impact on regular systems. Meanwhile malicious attackers can OOM`
			`# just as they could. And instead tooling for OOM and resource abuse should be`
			`# improved, if such denial of service attacks are a serious consideration at all.`
			`#`
			`# Starting with Linux 5.16 or systemd v253 the default is 8192 which is plenty`
			`# good enough and this file should not be installed on such systems.`
			`#`
			`* - memlock @PAM_MEMLOCK@`