[jail] Allowing root privledged users to renice
Konstantin Belousov
kostikbel at gmail.com
Mon May 28 08:47:15 UTC 2012
On Sun, May 27, 2012 at 05:33:30PM -0600, Jamie Gritton wrote:
> On 05/25/12 10:48, Sean Bruno wrote:
> >I've been toying with the idea of letting jails renice processes ... how
> >dangerous and/or stupid is this idea?
> >
> >==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
> >/home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ====
> >270a271,275
> >+ int jail_allow_renice = 0;
> >+ SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
> >+&jail_allow_renice, 0,
> >+ "Prison root can renice processes");
> >
> >3857a3863,3865
> >+ case PRIV_SCHED_SETPRIORITY:
> >+ if (!jail_allow_renice)
> >+ return (EPERM);
>
> Considering they can only renice their own stuff, and could always just
> start a new process anyway, I see very little reason to deny this.
But the -niced process affects the whole system.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20120528/b55072e3/attachment.pgp
More information about the freebsd-hackers
mailing list