I think it makes sense to include this patch in altsecurity.

----- Forwarded message from Con Kolivas -----

Date: Wed, 7 Jun 2006 21:49:52 +1000
From: Con Kolivas
To: Thomas Sattler
Cc: ck@vds.kolivas
Subject: Re: [ck] Re: inheritance of priorities broken?

On Wednesday 07 June 2006 21:43, Thomas Sattler wrote:
> Hi again ...
>
> > Hmm maybe there is a need for the ability to set policies higher only
> > with capable_sys_nice (ie root only). I'll hack something together
> > soon for you to try if you wish.
>
> I'm interested.

schedtool -D -e yes > /dev/null
schedtool `/sbin/pidof yes`
PID 4255: PRIO 0, POLICY D: SCHED_IDLE , NICE 0, AFFINITY 0x3
schedtool -N 4255
schedtool 4255
PID 4255: PRIO 0, POLICY N: SCHED_NORMAL, NICE 0, AFFINITY 0x3

(as root): echo 1 > /proc/sys/kernel/restrict_policy_changes

schedtool -D 4255
schedtool 4255
PID 4255: PRIO 0, POLICY D: SCHED_IDLE , NICE 0, AFFINITY 0x3
schedtool -N 4255
ERROR: could not set PID 4255 to N: SCHED_NORMAL - Operation not permitted

Patch for 2.6.17-rc6-ck1 attached.

--
-ck

Add a tunable /proc/sys/kernel/restrict_policy_changes which makes setting
policy to SCHED_ISO, BATCH and IDLEPRIO one way for unprivileged users. The
tunable is disabled by default.

Signed-off-by: Con Kolivas

---
 include/linux/sysctl.h | 1 +
 kernel/sched.c | 8 ++++++++
 kernel/sysctl.c | 9 +++++++++
 3 files changed, 18 insertions(+)

Index: linux-ck-dev/include/linux/sysctl.h
===================================================================
--- linux-ck-dev.orig/include/linux/sysctl.h 2006-06-06 18:14:32.000000000 +1000
+++ linux-ck-dev/include/linux/sysctl.h 2006-06-07 21:30:52.000000000 +1000
@@ -151,6 +151,7 @@ enum KERN_INTERACTIVE=73, /* interactive tasks can have cpu bursts */ KERN_COMPUTE=74, /* adjust timeslices for a compute server */ KERN_ISO_CPU=75, /* percent cpu SCHED_ISO tasks run SCHED_RR */ + KERN_RESTRICT_POLICY=76, /* Make SCHED_BATCH, IDLEPRIO, ISO one way */ }; Index: linux-ck-dev/kernel/sched.c =================================================================== --- linux-ck-dev.orig/kernel/sched.c 2006-06-06 18:10:29.000000000 +1000 +++ linux-ck-dev/kernel/sched.c 2006-06-07 21:34:47.000000000 +1000 @@ -68,6 +68,7 @@ int sched_interactive __read_mostly = 1; int sched_compute __read_mostly = 0; int sched_iso_cpu __read_mostly = 80; +int sched_restrict_policy_changes; #define ISO_PERIOD (5 * HZ) /* @@ -3725,6 +3726,13 @@ recheck: if ((current->euid != p->euid) && (current->euid != p->uid)) return -EPERM; + /* + * Policy changes to SCHED_ISO, IDLEPRIO and BATCH are one + * way if sched_restrict_policy_changes is set. + */ + if (!SCHED_RT(policy) && p->policy != SCHED_NORMAL && + sched_restrict_policy_changes) + return -EPERM; } if (!(p->mm) && policy == SCHED_IDLEPRIO) { Index: linux-ck-dev/kernel/sysctl.c =================================================================== --- linux-ck-dev.orig/kernel/sysctl.c 2006-06-06 18:14:32.000000000 +1000 +++ linux-ck-dev/kernel/sysctl.c 2006-06-07 21:30:54.000000000 +1000 @@ -73,6 +73,7 @@ extern int printk_ratelimit_burst; extern int pid_max_min, pid_max_max; extern int sysctl_drop_caches; extern int percpu_pagelist_fraction; +extern int sched_restrict_policy_changes; #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86) int unknown_nmi_panic; 
@@ -656,6 +657,14 @@ static ctl_table kern_table[] = { .extra1 = &zero, .extra2 = &one_hundred, }, + { + .ctl_name = KERN_RESTRICT_POLICY, + .procname = "restrict_policy_changes", + .data = &sched_restrict_policy_changes, + .maxlen = sizeof (int), + .mode = 0644, + .proc_handler = &proc_dointvec, + }, #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86) { .ctl_name = KERN_UNKNOWN_NMI_PANIC, _______________________________________________ http://ck.kolivas.org/faqs/replying-to-mailing-list.txt ck mailing list - mailto: ck@vds.kolivas http://vds.kolivas.org/mailman/listinfo/ck ----- End forwarded message ----- -- WBR et al.
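Review bot: in the kernel/sched.c hunk at @@ -68,6 +68,7 @@, the new global `int sched_restrict_policy_changes;` lacks the `__read_mostly` attribute that the neighbouring tunables (`sched_interactive`, `sched_compute`, `sched_iso_cpu`) carry. It is written only through the sysctl entry added in kernel/sysctl.c and read on every sched_setscheduler() call in the @@ -3725 hunk, so `int sched_restrict_policy_changes __read_mostly;` would keep it with the other read-mostly scheduler knobs and match the surrounding style.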
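Review bot: the new test `!SCHED_RT(policy) && p->policy != SCHED_NORMAL` in the @@ -3725,6 +3726,13 @@ hunk of kernel/sched.c is broader than the commit message's "SCHED_ISO, BATCH and IDLEPRIO one way": `p->policy != SCHED_NORMAL` is also true for a task currently in SCHED_FIFO or SCHED_RR, so an unprivileged task that legitimately holds a real-time policy could no longer drop itself back to SCHED_NORMAL once the tunable is set, and a task re-applying its current policy (e.g. SCHED_BATCH to SCHED_BATCH to adjust parameters) is refused as well. Suggest naming the three policies explicitly and allowing the no-op case, along the lines of `if (sched_restrict_policy_changes && !SCHED_RT(policy) && policy != p->policy && (p->policy == SCHED_ISO || p->policy == SCHED_BATCH || p->policy == SCHED_IDLEPRIO))`, and extending the added comment to say that the check sits inside the block closed by the `}` in the trailing context, the unprivileged branch the thread refers to as capable_sys_nice, so that root is exempt as intended.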
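Review bot: the new kern_table entry in the @@ -656,6 +657,14 @@ hunk of kernel/sysctl.c uses `.proc_handler = &proc_dointvec` with no range, so any integer can be written even though sched.c only tests the flag for non-zero; the preceding entry in the same context shows the idiom (`.extra1 = &zero, .extra2 = &one_hundred`), so `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one` would confine it to 0 or 1 (assuming a `one` static exists next to `zero` in this file; add one if not). The patch also adds no Documentation/sysctl/kernel.txt entry for restrict_policy_changes stating its default of 0 and that it restricts only unprivileged tasks; the commit message wording would serve.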