From owner-freebsd-hackers@FreeBSD.ORG  Fri May 25 17:23:48 2012
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 20D901065672;
	Fri, 25 May 2012 17:23:48 +0000 (UTC)
	(envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
	by mx1.freebsd.org (Postfix) with ESMTP id E25568FC1D;
	Fri, 25 May 2012 17:23:47 +0000 (UTC)
Received: from julian-mac.elischer.org (c-67-180-24-15.hsd1.ca.comcast.net
	[67.180.24.15]) (authenticated bits=0)
	by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id q4PHNhRS075645
	(version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
	Fri, 25 May 2012 10:23:45 -0700 (PDT)
	(envelope-from julian@freebsd.org)
Message-ID: <4FBFC029.10401@freebsd.org>
Date: Fri, 25 May 2012 10:23:53 -0700
From: Julian Elischer <julian@freebsd.org>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US;
	rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20
MIME-Version: 1.0
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com>
	<8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net>
In-Reply-To: <8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>,
	FreeBSD-Jail <freebsd-jail@freebsd.org>
Subject: Re: [jail] Allowing root privledged users to renice
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2012 17:23:48 -0000

On 5/25/12 10:04 AM, Bjoern A. Zeeb wrote:
> On 25. May 2012, at 16:48 , Sean Bruno wrote:
>
>> I've been toying with the idea of letting jails renice processes ... how
>> dangerous and/or stupid is this idea?
>>
>> ==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 -
>> /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ====
>> 270a271,275
>> + int   jail_allow_renice = 0;
>> + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW,
>> +&jail_allow_renice, 0,
>> +    "Prison root can renice processes");
>>
>> 3857a3863,3865
>> +      case PRIV_SCHED_SETPRIORITY:
>> +              if (!jail_allow_renice)
>> +                       return (EPERM);
>
> I think sysctls are a bad idea given jails have per-jail flags these days.
>
> Maybe also only allow re-nicing to be nicer but not less nice?
     ^^^^   for sure !  start a jail with it's max priority and the 
root within can allow nicer priorities only..
you can always add priority from teh master (parent) environment outside.

> /bz
>