authorJack Lloyd <[email protected]>2019-08-28 11:19:24 -0400
committerJack Lloyd <[email protected]>2019-08-28 11:19:24 -0400
commit8f6880d3538df40882955f34cfa5612c80b1c6af (patch)
treee262cb687506f85a06d85dcff5af2bd371ee6ce3
parentfd99cf6c8e879e6471588dfc3d062551438611e3 (diff)
parent8d6a9e2cfe2a65ccd84adc46c39313662dfd1291 (diff)
Merge GH #2084 Make it possible to configure macOS/iOS VM tag in mmap regions
-rw-r--r--src/lib/utils/os_utils.cpp37
1 files changed, 29 insertions, 8 deletions
diff --git a/src/lib/utils/os_utils.cpp b/src/lib/utils/os_utils.cpp
index daa5bb73f..843e68638 100644
--- a/src/lib/utils/os_utils.cpp
+++ b/src/lib/utils/os_utils.cpp
@@ -55,7 +55,35 @@
extern "C" char **environ;
#endif
+#if defined(BOTAN_TARGET_OS_IS_IOS) || defined(BOTAN_TARGET_OS_IS_MACOS)
+ #include <mach/vm_statistics.h>
+#endif
+
namespace Botan {
+namespace {
+int get_locked_fd()
+ {
+#if defined(BOTAN_TARGET_OS_IS_IOS) || defined(BOTAN_TARGET_OS_IS_MACOS)
+// On Darwin, tagging anonymous pages allows vmmap to track these.
+// Allowed from 240 to 255 for userland applications, taken an hardcoded
+// value for now even though it can possibly intersect.
+ static constexpr int default_locked_fd = 255;
+ int locked_fd = default_locked_fd;
+
+ if (size_t locked_fdl = OS::read_env_variable_sz("BOTAN_LOCKED_FD", default_locked_fd))
+ {
+ if (locked_fdl < 240 || locked_fdl > 255)
+ {
+ locked_fdl = default_locked_fd;
+ }
+ locked_fd = static_cast<int>(locked_fdl);
+ }
+ return VM_MAKE_TAG(locked_fd);
+#else
+ return -1;
+#endif
+ }
+}
// Not defined in OS namespace for historical reasons
void secure_scrub_memory(void* ptr, size_t n)
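Review bot: The comment moved into `get_locked_fd()` still says the tag is "an hardcoded value for now", which is no longer true now that `BOTAN_LOCKED_FD` can override it. Neither the function name nor the variable name says that the value is a Darwin VM tag rather than a file descriptor. I would replace the comment with something like `// Darwin VM tag for vmmap accounting; BOTAN_LOCKED_FD may override the default within the userland range 240..255, any other value falls back to 255.` The 240..255 check is the only bound on an environment-supplied value before it is used by `allocate_locked_pages` in the second hunk, presumably as the fd argument of the `::mmap` call, so the comment should mark it as deliberate. Whether `OS::read_env_variable_sz` ignores the environment in a privileged (setuid) process is not visible in this diff and should be confirmed.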
@@ -430,14 +458,7 @@ std::vector<void*> OS::allocate_locked_pages(size_t count)
#define PROT_MAX(p) 0
#endif
const int pflags = PROT_READ | PROT_WRITE;
-#if defined(BOTAN_TARGET_OS_IS_IOS) || defined(BOTAN_TARGET_OS_IS_MACOS)
-// On Darwin, tagging anonymous pages allows vmmap to track these.
-// Allowed from 240 to 255 for userland applications, taken an hardcoded
-// value for now even though it can possibly intersect.
- const int locked_fd = (255<<24);
-#else
- const int locked_fd = -1;
-#endif
+ static const int locked_fd = get_locked_fd();
ptr = ::mmap(nullptr, 2*page_size,
pflags | PROT_MAX(pflags),