Date: Fri, 25 May 2012 17:04:34 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: sbruno@freebsd.org
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>, FreeBSD-Jail <freebsd-jail@freebsd.org>
Subject: Re: [jail] Allowing root privledged users to renice
Message-ID: <8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net>
In-Reply-To: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com>
References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com>

On 25. May 2012, at 16:48 , Sean Bruno wrote:

> I've been toying with the idea of letting jails renice processes ... how
> dangerous and/or stupid is this idea?
>
> ==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
> /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ====
> 270a271,275
> + int jail_allow_renice = 0;
> + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
> + &jail_allow_renice, 0,
> + "Prison root can renice processes");
>
> 3857a3863,3865
> + case PRIV_SCHED_SETPRIORITY:
> + if (!jail_allow_renice)
> + return (EPERM);

I think sysctls are a bad idea given jails have per-jail flags these days.

Maybe also only allow re-nicing to be nicer but not less nice?

/bz

--
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
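
Review bot: in the 270a271,275 hunk, `jail_allow_renice` is one host-wide int behind a `CTLFLAG_RW` sysctl, so enabling it grants the privilege to prison root in every jail at once and it cannot be scoped to the one jail that needs it. A per-jail allow flag set at jail creation or modification would keep the default-deny posture for all other jails. If the variable stays, it should be `static`, since nothing in the visible lines uses it outside kern_jail.c, and the description string should say that the setting applies to all jails.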
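
Review bot: in the 3857a3863,3865 hunk, the new `case PRIV_SCHED_SETPRIORITY:` spells out only the deny path; the three added lines contain no `return (0);` or `break`, so when `jail_allow_renice` is set the case falls through into whatever label follows it and the outcome depends on neighbouring code. Add an explicit return for the allowed path. The check also grants the privilege regardless of direction, so once enabled prison root can lower nice values as well as raise them, which lets one jail take CPU from the host and from other jails; if only becoming nicer is intended, that restriction has to be enforced where the old and new values are known, and the hunk should carry a comment saying so.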