From c51611c27f766bb4f413485bf8a12bca02e98669 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Sun, 18 Jan 2026 14:35:50 +0100
Subject: lib: Call mlock() on the shared memory buffers

This prevents them from swapping to disk and killing performance. It
also enhances security a little bit by reducing the risk of sensitive
(even encrypted) data being paged out and captured.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/irmd/main.c     | 3 +++
 src/irmd/reg/flow.c | 6 ++++++
 2 files changed, 9 insertions(+)

(limited to 'src/irmd')

diff --git a/src/irmd/main.c b/src/irmd/main.c
index 57703254..8a2c143d 100644
--- a/src/irmd/main.c
+++ b/src/irmd/main.c
@@ -1905,6 +1905,9 @@ static int irm_init(void)
                 goto fail_rdrbuff;
         }
 
+        if (shm_rdrbuff_mlock(irmd.rdrb) < 0)
+                log_warn("Failed to mlock rdrbuff.");
+
         irmd.tpm = tpm_create(IRMD_MIN_THREADS, IRMD_ADD_THREADS,
                               mainloop, NULL);
         if (irmd.tpm == NULL) {
diff --git a/src/irmd/reg/flow.c b/src/irmd/reg/flow.c
index 4d091b23..d6f6437f 100644
--- a/src/irmd/reg/flow.c
+++ b/src/irmd/reg/flow.c
@@ -107,6 +107,9 @@ static int create_rbuffs(struct reg_flow *  flow,
         if (flow->n_rb == NULL)
                 goto fail_n_rb;
 
+        if (shm_rbuff_mlock(flow->n_rb) < 0)
+                log_warn("Failed to mlock n_rb for flow %d.", info->id);
+
         assert(flow->info.n_1_pid == 0);
         assert(flow->n_1_rb == NULL);
 
@@ -115,6 +118,9 @@ static int create_rbuffs(struct reg_flow *  flow,
         if (flow->n_1_rb == NULL)
                 goto fail_n_1_rb;
 
+        if (shm_rbuff_mlock(flow->n_1_rb) < 0)
+                log_warn("Failed to mlock n_1_rb for flow %d.", info->id);
+
         return 0;
 
  fail_n_1_rb:
-- 
cgit v1.2.3