[Bug 276962] mac_priority(4) doesn't affect sched_setscheduler(2)

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 11 Feb 2024 02:48:46 UTC

--- Comment #1 from Florian Walpen <dev@submerge.ch> ---
Seems like there's a mismatch with different privileges requested.

sys/sys/priv.h defines:

#define  PRIV_SCHED_DIFFCRED     200     /* Exempt scheduling other users. */
#define  PRIV_SCHED_SETPRIORITY  201     /* Can set lower nice value for proc. */
#define  PRIV_SCHED_RTPRIO       202     /* Can set real time scheduling. */
#define  PRIV_SCHED_SETPOLICY    203     /* Can set scheduler policy. */
#define  PRIV_SCHED_SET          204     /* Can set thread scheduler. */
#define  PRIV_SCHED_SETPARAM     205     /* Can set thread scheduler params. */
#define  PRIV_SCHED_CPUSET       206     /* Can manipulate cpusets. */
#define  PRIV_SCHED_CPUSET_INTR  207     /* Can adjust IRQ to CPU binding. */
#define  PRIV_SCHED_IDPRIO       208     /* Can set idle time scheduling. */

The call to sched_setscheduler() ends up in sys/kern/p1003_1b.c, checking for
the PRIV_SCHED_SET privilege:

kern_sched_setscheduler(struct thread *td, struct thread *targettd,
      int policy, struct sched_param *param)
          /* Don't allow non root user to set a scheduler policy. */
          error = priv_check(td, PRIV_SCHED_SET);
          if (error)
                  return (error);

While mac_priority only grants privileges for PRIV_SCHED_RTPRIO /

I think sched_setscheduler() does actually set the policy, not the scheduler,
so maybe PRIV_SCHED_SETPOLICY would be more appropriate here. I can have a
closer look tomorrow.

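A reproducer for the mismatch described in the comment above, added here as an example and not part of the bug report or the FreeBSD source: it makes a realtime request through rtprio(2) and through sched_setscheduler(2) and compares the two results. It assumes rtprio(2) is the call gated by PRIV_SCHED_RTPRIO; the function names are this example's own.

```c
/* Added reproducer, not from the report. Assumes rtprio(2) checks PRIV_SCHED_RTPRIO. */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/rtprio.h>
#endif

/* Try `policy` via sched_setscheduler(2), then restore. Returns 0 or errno. */
int probe_setscheduler(int policy)
{
    struct sched_param old, want = { 0 };
    int old_policy = sched_getscheduler(0);
    if (old_policy == -1 || sched_getparam(0, &old) == -1)
        return errno;
    want.sched_priority = sched_get_priority_min(policy);
    if (want.sched_priority == -1 || sched_setscheduler(0, policy, &want) == -1)
        return errno;
    (void)sched_setscheduler(0, old_policy, &old);
    return 0;
}

/* Realtime request through rtprio(2). Returns -1 where rtprio(2) does not exist. */
int probe_rtprio(void)
{
#ifdef __FreeBSD__
    struct rtprio old, want = { RTP_PRIO_REALTIME, RTP_PRIO_MAX };
    if (rtprio(RTP_LOOKUP, 0, &old) == -1 || rtprio(RTP_SET, 0, &want) == -1)
        return errno;
    (void)rtprio(RTP_SET, 0, &old);
    return 0;
#else
    return -1;
#endif
}

/* 1 when realtime priority is granted but the policy change is refused. */
int is_mismatch(int rtprio_err, int setsched_err)
{
    return rtprio_err == 0 && setsched_err == EPERM;
}

int main(void)
{
    int rt = probe_rtprio(), ss = probe_setscheduler(SCHED_FIFO);
    printf("rtprio(2) -> %d, sched_setscheduler(2) -> %d\n", rt, ss);
    puts(is_mismatch(rt, ss) ? "mismatch reproduced" : "no mismatch observed");
    return 0;
}
```

Run it as a non-root user covered by mac_priority: "mismatch reproduced" means the rtprio(2) request was granted while sched_setscheduler(2) returned EPERM.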