ALT Linux kernel packages development
* [d-kernel] [kernel@kolivas: Re: [ck] Re: inheritance of priorities broken?]
@ 2006-06-13 20:22 Konstantin A. Lepikhov
From: Konstantin A. Lepikhov @ 2006-06-13 20:22 UTC
  To: ALT Linux Kernel Devel Mailing List


I think it makes sense to include this patch in altsecurity.

----- Forwarded message from Con Kolivas <kernel@kolivas> -----

Date: Wed, 7 Jun 2006 21:49:52 +1000
From: Con Kolivas <kernel@kolivas>
To: Thomas Sattler <tsattler@gmx>
Cc: ck@vds.kolivas
Subject: Re: [ck] Re: inheritance of priorities broken?

On Wednesday 07 June 2006 21:43, Thomas Sattler wrote:
> Hi again ...
>
> > Hmm maybe there is a need for the ability to set policies higher only
> > with capable_sys_nice (ie root only). I'll hack something together
> > soon for you to try if you wish.
>
> I'm interested.

schedtool -D -e yes > /dev/null

schedtool `/sbin/pidof yes`
PID  4255: PRIO   0, POLICY D: SCHED_IDLE  , NICE   0, AFFINITY 0x3

schedtool -N 4255

schedtool 4255
PID  4255: PRIO   0, POLICY N: SCHED_NORMAL, NICE   0, AFFINITY 0x3

(as root):
echo 1 > /proc/sys/kernel/restrict_policy_changes

schedtool -D 4255

schedtool 4255
PID  4255: PRIO   0, POLICY D: SCHED_IDLE  , NICE   0, AFFINITY 0x3

schedtool -N 4255
ERROR: could not set PID 4255 to N: SCHED_NORMAL - Operation not permitted

Patch for 2.6.17-rc6-ck1 attached.

-- 
-ck

Add a tunable /proc/sys/kernel/restrict_policy_changes which makes setting
policy to SCHED_ISO, BATCH and IDLEPRIO one way for unprivileged users. The
tunable is disabled by default.

Signed-off-by: Con Kolivas <kernel@kolivas>

---
 include/linux/sysctl.h |    1 +
 kernel/sched.c         |    8 ++++++++
 kernel/sysctl.c        |    9 +++++++++
 3 files changed, 18 insertions(+)

Index: linux-ck-dev/include/linux/sysctl.h
===================================================================
--- linux-ck-dev.orig/include/linux/sysctl.h	2006-06-06 18:14:32.000000000 +1000
+++ linux-ck-dev/include/linux/sysctl.h	2006-06-07 21:30:52.000000000 +1000
@@ -151,6 +151,7 @@ enum
 	KERN_INTERACTIVE=73,	/* interactive tasks can have cpu bursts */
 	KERN_COMPUTE=74,	/* adjust timeslices for a compute server */
 	KERN_ISO_CPU=75,	/* percent cpu SCHED_ISO tasks run SCHED_RR */
+	KERN_RESTRICT_POLICY=76, /* Make SCHED_BATCH, IDLEPRIO, ISO one way */
 };
 
 
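Review bot: KERN_RESTRICT_POLICY=76 adds a new /proc/sys/kernel knob without any documentation; the patch should also add a restrict_policy_changes entry to Documentation/sysctl/kernel.txt (or the ck docs) stating that it defaults to 0 and that, when set, unprivileged tasks cannot leave SCHED_ISO, SCHED_BATCH or SCHED_IDLEPRIO once they have entered them. The enum comment ("Make SCHED_BATCH, IDLEPRIO, ISO one way") is the only place that semantics is spelled out, and the binary sysctl number 76 is ck-private, which is worth noting there so it is not reused by another out-of-tree patch.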
Index: linux-ck-dev/kernel/sched.c
===================================================================
--- linux-ck-dev.orig/kernel/sched.c	2006-06-06 18:10:29.000000000 +1000
+++ linux-ck-dev/kernel/sched.c	2006-06-07 21:34:47.000000000 +1000
@@ -68,6 +68,7 @@
 int sched_interactive __read_mostly = 1;
 int sched_compute __read_mostly = 0;
 int sched_iso_cpu __read_mostly = 80;
+int sched_restrict_policy_changes;
 
 #define ISO_PERIOD		(5 * HZ)
 /*
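Review bot: `int sched_restrict_policy_changes;` is declared beside three tunables that are all `__read_mostly`; this one is read on every setscheduler() call and only written from /proc, so it should be `int sched_restrict_policy_changes __read_mostly;` as well, and an explicit `= 0` initialiser would make the "disabled by default" claim in the changelog visible at the definition.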
@@ -3725,6 +3726,13 @@ recheck:
 		if ((current->euid != p->euid) &&
 		    (current->euid != p->uid))
 			return -EPERM;
+		/*
+		 * Policy changes to SCHED_ISO, IDLEPRIO and BATCH are one
+		 * way if sched_restrict_policy_changes is set.
+		 */
+		if (!SCHED_RT(policy) && p->policy != SCHED_NORMAL &&
+		    sched_restrict_policy_changes)
+			return -EPERM;
 	}
 
 	if (!(p->mm) && policy == SCHED_IDLEPRIO) {
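Review bot: the new test, which sits in the same block as the euid checks (presumably the !capable(CAP_SYS_NICE) path), refuses every non-RT request whenever p->policy != SCHED_NORMAL, which is broader than the "one way" described in the changelog: a task already in SCHED_BATCH gets -EPERM for a no-op sched_setscheduler(SCHED_BATCH), and an ISO task cannot move down to IDLEPRIO either. If only moves back towards SCHED_NORMAL are meant to be blocked, compare the requested policy with the current one (for instance let `policy == p->policy` through) rather than testing against SCHED_NORMAL. The hunk also does not show whether an unprivileged request for an RT policy has already been downgraded to SCHED_ISO before this point; that ordering decides whether `!SCHED_RT(policy)` can ever let a request past the new check, so it needs to be confirmed. Testing `sched_restrict_policy_changes` first would also skip the two policy comparisons in the default (disabled) case.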
Index: linux-ck-dev/kernel/sysctl.c
===================================================================
--- linux-ck-dev.orig/kernel/sysctl.c	2006-06-06 18:14:32.000000000 +1000
+++ linux-ck-dev/kernel/sysctl.c	2006-06-07 21:30:54.000000000 +1000
@@ -73,6 +73,7 @@ extern int printk_ratelimit_burst;
 extern int pid_max_min, pid_max_max;
 extern int sysctl_drop_caches;
 extern int percpu_pagelist_fraction;
+extern int sched_restrict_policy_changes;
 
 #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86)
 int unknown_nmi_panic;
@@ -656,6 +657,14 @@ static ctl_table kern_table[] = {
 		.extra1		= &zero,
 		.extra2		= &one_hundred,
 	},
+	{
+		.ctl_name	= KERN_RESTRICT_POLICY,
+		.procname	= "restrict_policy_changes",
+		.data		= &sched_restrict_policy_changes,
+		.maxlen		= sizeof (int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
 #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86)
 	{
 		.ctl_name       = KERN_UNKNOWN_NMI_PANIC,
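Review bot: the new kern_table entry uses plain `proc_dointvec` with no `.extra1`/`.extra2`, so any int (2, -1, ...) can be written into a knob the scheduler treats as a boolean; the entry just above it shows the pattern to copy: use `.proc_handler = &proc_dointvec_minmax` with `.extra1 = &zero` and an upper bound of 1 (adding a `static int one = 1;` if the file does not already have one) so that only 0 and 1 are accepted. That keeps `echo 1 > /proc/sys/kernel/restrict_policy_changes` from the cover mail as the documented way to enable it and makes `cat` of the file unambiguous.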


----- End forwarded message -----

-- 
WBR et al.

