From owner-freebsd-hackers@FreeBSD.ORG Mon May 28 15:04:33 2012 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 375EC106564A; Mon, 28 May 2012 15:04:33 +0000 (UTC) (envelope-from mjguzik@gmail.com) Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by mx1.freebsd.org (Postfix) with ESMTP id 3942B8FC0A; Mon, 28 May 2012 15:04:32 +0000 (UTC) Received: by wibhj8 with SMTP id hj8so1395315wib.13 for ; Mon, 28 May 2012 08:04:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=TSLY4zptPklApQicL5xBbdilQOiZPf0yIDg5mDkUxsA=; b=N3lWGDUu1Slxu3WHNOvPewQF1pxouqHdamzQrQIFyyNTo+CwNNeIFL8EG91QxfQgA2 4D/4K/zQ6iHgsJIQ2tEx8c+oIE5dfi7qqGqMXwECoATfaKSN5d/ZougFttd/SXjx8vUy fXk/iyeJ//6A01F5/0qcsvdCR8+oeWJlBoeEP0bnvkpAcT7Vv8DaGi8awPKoH8lpVUJU 0DxEmDk15K34Pbi05ANxQeSu1329V+WvoChtz82hdo5FBneE/S2sbeZ/AXqeFgxerJd2 dK/94Eq+cDqe3Irl/i4QOh/uBiAAxBRSQM8p5GXWwXoCGD9ZPVAQ7OgF1t9SLYOpKO2v BaXg== Received: by 10.216.132.94 with SMTP id n72mr2479685wei.60.1338217471113; Mon, 28 May 2012 08:04:31 -0700 (PDT) Received: from dft-labs.eu (dft-labs.eu. [80.87.128.179]) by mx.google.com with ESMTPS id n11sm34158288wiv.9.2012.05.28.08.04.28 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 28 May 2012 08:04:29 -0700 (PDT) Date: Mon, 28 May 2012 17:04:20 +0200 From: Mateusz Guzik To: Julian Elischer Message-ID: <20120528150420.GA15947@dft-labs.eu> References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com> <8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net> <4FBFC029.10401@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <4FBFC029.10401@freebsd.org> User-Agent: Mutt/1.5.20 (2009-06-14) Cc: "Bjoern A. Zeeb" , FreeBSD-Jail , FreeBSD Hackers Subject: Re: [jail] Allowing root privledged users to renice X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 May 2012 15:04:33 -0000 On Fri, May 25, 2012 at 10:23:53AM -0700, Julian Elischer wrote: > On 5/25/12 10:04 AM, Bjoern A. Zeeb wrote: > >On 25. May 2012, at 16:48 , Sean Bruno wrote: > > > >>I've been toying with the idea of letting jails renice processes ... how > >>dangerous and/or stupid is this idea? > >> > >>==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 - > >>/home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ==== > >>270a271,275 > >>+ int jail_allow_renice = 0; > >>+ SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW, > >>+&jail_allow_renice, 0, > >>+ "Prison root can renice processes"); > >> > >>3857a3863,3865 > >>+ case PRIV_SCHED_SETPRIORITY: > >>+ if (!jail_allow_renice) > >>+ return (EPERM); > > > >I think sysctls are a bad idea given jails have per-jail flags these days. > > > >Maybe also only allow re-nicing to be nicer but not less nice? > ^^^^ for sure ! start a jail with it's max priority and the > root within can allow nicer priorities only.. > you can always add priority from teh master (parent) environment outside. > Unless I seriously misunderstood something, that's the case right now. That is, PRIV_SCHED_SETPRIORITY matters only if resulting nice parameter would be lower. -- Mateusz Guzik