[jail] Allowing root privledged users to renice
Jamie Gritton
jamie at FreeBSD.org
Sun May 27 23:33:40 UTC 2012
On 05/25/12 10:48, Sean Bruno wrote:
> I've been toying with the idea of letting jails renice processes ... how
> dangerous and/or stupid is this idea?
>
> ==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
> /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ====
> 270a271,275
> + int jail_allow_renice = 0;
> + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
> +&jail_allow_renice, 0,
> + "Prison root can renice processes");
>
> 3857a3863,3865
> + case PRIV_SCHED_SETPRIORITY:
> + if (!jail_allow_renice)
> + return (EPERM);
Considering they can only renice their own stuff, and could always just
start a new process anyway, I see very little reason to deny this.
- Jamie
More information about the freebsd-hackers
mailing list