Date: Mon, 28 May 2012 11:46:58 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Jamie Gritton <jamie@freebsd.org>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>, Sean Bruno <seanbru@yahoo-inc.com>
Subject: Re: [jail] Allowing root privledged users to renice
Message-ID: <20120528084658.GZ2358@deviant.kiev.zoral.com.ua>
In-Reply-To: <4FC2B9CA.5090301@FreeBSD.org>
References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com> <4FC2B9CA.5090301@FreeBSD.org>

On Sun, May 27, 2012 at 05:33:30PM -0600, Jamie Gritton wrote:
> On 05/25/12 10:48, Sean Bruno wrote:
> >I've been toying with the idea of letting jails renice processes ... how
> >dangerous and/or stupid is this idea?
> >
> >=3D=3D=3D=3D //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
> >/home/seanbru/ybsd_9/src/sys/kern/kern_jail.c =3D=3D=3D=3D
> >270a271,275
> >+ int jail_allow_renice =3D 0;
> >+ SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
> >+&jail_allow_renice, 0,
> >+ "Prison root can renice processes");
> >
> >3857a3863,3865
> >+ case PRIV_SCHED_SETPRIORITY:
> >+ if (!jail_allow_renice)
> >+ return (EPERM);
>
> Considering they can only renice their own stuff, and could always just
> start a new process anyway, I see very little reason to deny this.

But the -niced process affects the whole system.
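
Review bot: in the 270a271,275 hunk, jail_allow_renice is a single global int behind one CTLFLAG_RW sysctl, so the setting cannot be chosen per jail: turning it on for one jail turns it on for every jail on the host. If the intent is to trust specific jails, carry the permission in per-jail state rather than in a global. The description string "Prison root can renice processes" should also state whether this includes raising priority (negative nice values), which is the case the reply above is concerned about.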
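
Review bot: in the 3857a3863,3865 hunk, the new case PRIV_SCHED_SETPRIORITY has only a deny path: when jail_allow_renice is set, control leaves the if with no return or break and falls through into whatever follows line 3857 in the switch. Make the allow path explicit, either with return (0); after the if or with a FALLTHROUGH comment if falling through is intended, so the outcome does not depend on the neighbouring case. The check is also all-or-nothing: once the flag is set it places no bound on how far a jailed root may raise priority.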