Diffstat (limited to 'src/or')
-rw-r--r--src/or/config.c18
-rw-r--r--src/or/or.h3
2 files changed, 21 insertions, 0 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 5a0ced29d..b6a52a85d 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -195,6 +195,7 @@ static config_var_t _option_vars[] = {
OBSOLETE("DirRecordUsageSaveInterval"),
V(DirReqStatistics, BOOL, "0"),
VAR("DirServer", LINELIST, DirServers, NULL),
+ V(DisableAllSwap, BOOL, "0"),
V(DNSPort, UINT, "0"),
V(DNSListenAddress, LINELIST, NULL),
V(DownloadExtraInfo, BOOL, "0"),
@@ -456,6 +457,8 @@ static config_var_description_t options_description[] = {
{ "DirServer", "Tor only trusts directories signed with one of these "
"servers' keys. Used to override the standard list of directory "
"authorities." },
+ { "DisableAllSwap", "Tor will attempt a simple memory lock that "
+ "will prevent leaking of all information in memory to the swap file." },
/* { "FastFirstHopPK", "" }, */
/* FetchServerDescriptors, FetchHidServDescriptors,
* FetchUselessDescriptors */
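Review bot: The new "DisableAllSwap" description promises more than a memory lock can deliver when it says the option "will prevent leaking of all information in memory to the swap file". Locking pages keeps them from being paged out in normal operation, but it does not cover suspend-to-disk images or core dumps, and the same string already says this is only an attempt. Wording such as `"Tor will attempt to lock all current and future memory pages so that they are not paged out to swap."` would match what the code does. The options_description array starts and ends outside this hunk.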
@@ -1115,6 +1118,15 @@ options_act_reversible(or_options_t *old_options, char **msg)
}
#endif
+ /* Attempt to lock all current and future memory with mlockall() only once */
+ if (options->DisableAllSwap) {
+ if (tor_mlockall() == -1) {
+ *msg = tor_strdup("DisableAllSwap failure. Do you have proper "
+ "permissions?");
+ goto done;
+ }
+ }
+
/* Setuid/setgid as appropriate */
if (options->User) {
if (switch_id(options->User) != 0) {
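Review bot: The comment on the new block says mlockall() is attempted "only once", but nothing in this hunk enforces that: `tor_mlockall()` is called whenever `options->DisableAllSwap` is set, and options_act_reversible (whose body starts and ends outside the hunk) appears to run on every configuration load. If the once-only guard lives inside tor_mlockall(), the comment should say so, for example `/* Lock memory before we drop privileges below; tor_mlockall() is expected to be a no-op after its first success. */`. The placement ahead of the setuid/setgid step looks deliberate and is worth stating in that comment, since locking normally needs root or a raised RLIMIT_MEMLOCK. It would also help to document that once the uid has been dropped, later allocations under a lock-future policy can fail against the unprivileged memlock limit.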
@@ -3834,6 +3846,12 @@ options_transition_allowed(or_options_t *old, or_options_t *new_val,
return -1;
}
+ if (old->DisableAllSwap != new_val->DisableAllSwap) {
+ *msg = tor_strdup("While Tor is running, changing DisableAllSwap "
+ "is not allowed.");
+ return -1;
+ }
+
return 0;
}
diff --git a/src/or/or.h b/src/or/or.h
index bf415d839..767ad9572 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2287,6 +2287,9 @@ typedef struct {
* stop building circuits? */
int StrictEntryNodes; /**< Boolean: When none of our EntryNodes are up, do we
* stop building circuits? */
+ int DisableAllSwap; /**< Boolean: Attempt to call mlockall() on our
+ * process for all current and future memory. */
+
routerset_t *ExcludeNodes;/**< Structure containing nicknames, digests,
* country codes and IP address patterns of ORs
* not to use in circuits. */