git: a20a2450cd5f - main - Add PRIV_SCHED_IDPRIO
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 10 Dec 2021 02:55:05 UTC
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=a20a2450cd5f38fb28d5fa5540177edfb60d2473
commit a20a2450cd5f38fb28d5fa5540177edfb60d2473
Author: Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-10 01:43:12 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-10 02:54:48 +0000
Add PRIV_SCHED_IDPRIO
The privilege allows the holder to assign idle priority type to thread
or process.
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33338
---
sys/kern/kern_resource.c | 28 ++++++++++++++--------------
sys/security/mac_biba/mac_biba.c | 1 +
sys/security/mac_lomac/mac_lomac.c | 1 +
sys/sys/priv.h | 1 +
4 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 5b90148ccf99..a2005962e411 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -350,13 +350,13 @@ sys_rtprio_thread(struct thread *td, struct rtprio_thread_args *uap)
* easier to lock a resource indefinitely, but it is not the
* only thing that makes it possible.
*/
- if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME ||
- (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE &&
- unprivileged_idprio == 0)) {
- error = priv_check(td, PRIV_SCHED_RTPRIO);
- if (error)
- break;
- }
+ if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME &&
+ (error = priv_check(td, PRIV_SCHED_RTPRIO)) != 0)
+ break;
+ if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE &&
+ unprivileged_idprio == 0 &&
+ (error = priv_check(td, PRIV_SCHED_IDPRIO)) != 0)
+ break;
error = rtp_to_pri(&rtp, td1);
break;
default:
@@ -440,13 +440,13 @@ sys_rtprio(struct thread *td, struct rtprio_args *uap)
* See the comment in sys_rtprio_thread about idprio
* threads holding a lock.
*/
- if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME ||
- (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE &&
- !unprivileged_idprio)) {
- error = priv_check(td, PRIV_SCHED_RTPRIO);
- if (error)
- break;
- }
+ if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME &&
+ (error = priv_check(td, PRIV_SCHED_RTPRIO)) != 0)
+ break;
+ if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE &&
+ unprivileged_idprio == 0 &&
+ (error = priv_check(td, PRIV_SCHED_IDPRIO)) != 0)
+ break;
/*
* If we are setting our own priority, set just our
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 296d4a4e25b8..08df65cc289d 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1975,6 +1975,7 @@ biba_priv_check(struct ucred *cred, int priv)
case PRIV_SCHED_SETPOLICY:
case PRIV_SCHED_SET:
case PRIV_SCHED_SETPARAM:
+ case PRIV_SCHED_IDPRIO:
/*
* More IPC privileges.
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 821b0faf68d0..c017b481c7fa 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1743,6 +1743,7 @@ lomac_priv_check(struct ucred *cred, int priv)
case PRIV_SCHED_SETPOLICY:
case PRIV_SCHED_SET:
case PRIV_SCHED_SETPARAM:
+ case PRIV_SCHED_IDPRIO:
/*
* More IPC privileges.
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 7ef54782a60d..8757db879a5c 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -192,6 +192,7 @@
#define PRIV_SCHED_SETPARAM 205 /* Can set thread scheduler params. */
#define PRIV_SCHED_CPUSET 206 /* Can manipulate cpusets. */
#define PRIV_SCHED_CPUSET_INTR 207 /* Can adjust IRQ to CPU binding. */
+#define PRIV_SCHED_IDPRIO 208 /* Can set idle time scheduling. */
/*
* POSIX semaphore privileges.