From: "Konstantin A. Lepikhov"
To: ALT Linux Kernel Devel Mailing List
Date: Wed, 14 Jun 2006 00:22:26 +0400
Message-ID: <20060613202226.GA19998@lks.home>
Subject: [d-kernel] [kernel@kolivas: Re: [ck] Re: inheritance of priorities broken?]

I think it makes sense to include this patch in altsecurity.

----- Forwarded message from Con Kolivas -----

Date: Wed, 7 Jun 2006 21:49:52 +1000
From: Con Kolivas
To: Thomas Sattler
Cc: ck@vds.kolivas
Subject: Re: [ck] Re: inheritance of priorities broken?

On Wednesday 07 June 2006 21:43, Thomas Sattler wrote:
> Hi again ...
>
> > Hmm maybe there is a need for the ability to set policies higher only
> > with capable_sys_nice (ie root only). I'll hack something together
> > soon for you to try if you wish.
>
> I'm interested.

schedtool -D -e yes > /dev/null
schedtool `/sbin/pidof yes`
PID 4255: PRIO 0, POLICY D: SCHED_IDLE , NICE 0, AFFINITY 0x3

schedtool -N 4255
schedtool 4255
PID 4255: PRIO 0, POLICY N: SCHED_NORMAL, NICE 0, AFFINITY 0x3

(as root):
echo 1 > /proc/sys/kernel/restrict_policy_changes

schedtool -D 4255
schedtool 4255
PID 4255: PRIO 0, POLICY D: SCHED_IDLE , NICE 0, AFFINITY 0x3
schedtool -N 4255
ERROR: could not set PID 4255 to N: SCHED_NORMAL - Operation not permitted

Patch for 2.6.17-rc6-ck1 attached.

-- 
-ck

Add a tunable /proc/sys/kernel/restrict_policy_changes which makes setting
policy to SCHED_ISO, BATCH and IDLEPRIO one way for unprivileged users. The
tunable is disabled by default.

Signed-off-by: Con Kolivas

--- include/linux/sysctl.h | 1 + kernel/sched.c | 8 ++++++++ kernel/sysctl.c | 9 +++++++++ 3 files changed, 18 insertions(+) Index: linux-ck-dev/include/linux/sysctl.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- linux-ck-dev.orig/include/linux/sysctl.h 2006-06-06 18:14:32.000000000 = +1000 +++ linux-ck-dev/include/linux/sysctl.h 2006-06-07 21:30:52.000000000 +1000 @@ -151,6 +151,7 @@ enum KERN_INTERACTIVE=3D73, /* interactive tasks can have cpu bursts */ KERN_COMPUTE=3D74, /* adjust timeslices for a compute server */ KERN_ISO_CPU=3D75, /* percent cpu SCHED_ISO tasks run SCHED_RR */ + KERN_RESTRICT_POLICY=3D76, /* Make SCHED_BATCH, IDLEPRIO, ISO one way */ }; =20 =20 Index: linux-ck-dev/kernel/sched.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- linux-ck-dev.orig/kernel/sched.c 2006-06-06 18:10:29.000000000 +1000 +++ linux-ck-dev/kernel/sched.c 2006-06-07 21:34:47.000000000 +1000 
@@ -68,6 +68,7 @@ int sched_interactive __read_mostly =3D 1; int sched_compute __read_mostly =3D 0; int sched_iso_cpu __read_mostly =3D 80; +int sched_restrict_policy_changes; =20 #define ISO_PERIOD (5 * HZ) /* @@ -3725,6 +3726,13 @@ recheck: if ((current->euid !=3D p->euid) && (current->euid !=3D p->uid)) return -EPERM; + /* + * Policy changes to SCHED_ISO, IDLEPRIO and BATCH are one + * way if sched_restrict_policy_changes is set. + */ + if (!SCHED_RT(policy) && p->policy !=3D SCHED_NORMAL && + sched_restrict_policy_changes) + return -EPERM; } =20 if (!(p->mm) && policy =3D=3D SCHED_IDLEPRIO) { Index: linux-ck-dev/kernel/sysctl.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- linux-ck-dev.orig/kernel/sysctl.c 2006-06-06 18:14:32.000000000 +1000 +++ linux-ck-dev/kernel/sysctl.c 2006-06-07 21:30:54.000000000 +1000 @@ -73,6 +73,7 @@ extern int printk_ratelimit_burst; extern int pid_max_min, pid_max_max; extern int sysctl_drop_caches; extern int percpu_pagelist_fraction; +extern int sched_restrict_policy_changes; =20 #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86) int unknown_nmi_panic; 
@@ -656,6 +657,14 @@ static ctl_table kern_table[] =3D { .extra1 =3D &zero, .extra2 =3D &one_hundred, }, + { + .ctl_name =3D KERN_RESTRICT_POLICY, + .procname =3D "restrict_policy_changes", + .data =3D &sched_restrict_policy_changes, + .maxlen =3D sizeof (int), + .mode =3D 0644, + .proc_handler =3D &proc_dointvec, + }, #if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86) { .ctl_name =3D KERN_UNKNOWN_NMI_PANIC,

----- End forwarded message -----

-- 
WBR et al.
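
Review bot: In the kernel/sched.c hunk at @@ -3725, the new test keys on p->policy != SCHED_NORMAL, which is broader than the comment and changelog say. Assuming SCHED_RT() is true only for the real-time policies, a task that currently runs under a real-time policy also satisfies that condition, so with the tunable set an unprivileged request to move it to SCHED_NORMAL now returns -EPERM, although only SCHED_ISO, IDLEPRIO and BATCH are named. The same condition also rejects a request that keeps the current policy (for example SCHED_BATCH to SCHED_BATCH) and lateral moves between the restricted policies. Consider testing p->policy explicitly against the three policies the comment lists and skipping the check when policy == p->policy. The comment should also state that the restriction applies only to callers in the unprivileged branch, since the enclosing condition is not visible in the hunk.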
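
Review bot: The new kern_table entry in the kernel/sysctl.c hunk at @@ -656 uses proc_dointvec with no bounds, so any integer can be written, while kernel/sched.c only tests the value for non-zero. The entry just above it in the context sets .extra1 and .extra2; using proc_dointvec_minmax with a 0..1 range here would make the tunable a clean boolean. With .mode = 0644 root can clear the flag again at any time, which is worth stating in the changelog if this is intended as a hardening knob. The diffstat touches only three source files, so the tunable is undocumented; a short description of restrict_policy_changes and its default would help.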
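
Review bot: In the kernel/sched.c hunk at @@ -68, sched_restrict_policy_changes is declared without __read_mostly, unlike the three tunables directly above it (sched_interactive, sched_compute, sched_iso_cpu). It is read on the policy-change path and written only through the sysctl entry, so the same annotation fits and keeps the declarations consistent. An explicit initialiser is not needed for the default of 0, but a one-line comment noting that 0 means disabled would match the changelog.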