Date: Wed, 28 Sep 2016 19:37:39 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: Linux compatibility layer - ulimit - pthread_setschedparam failed: Operation not permitted
Message-ID: <4c5f70ef-2d91-214e-e3e0-aa2c6aa0ba3a@freebsd.org>
In-Reply-To: <20160928233222.GH57400@pf-bsd.local>
References: <20160928233222.GH57400@pf-bsd.local>

On 2016-09-28 19:32, Petr Fischer wrote:
> Hello,
>
> I need to run some smalltalk VM (linux binary), that uses thread with higher priority for something like "heartbeat", and when I run this binary (VM) as regular user, this error occurs:
>
> pthread_setschedparam failed: Operation not permitted
>
> When I run it with "sudo" (as root user), everything is OK.
>
> So I thought, OK, if it needs root access, it's a security risk and I will run it in isolated jail (created by ezjail)! But, there is another problem - in a jail, it does not work even with root permissions (sudo, root user inside jail), this error again:
>
> pthread_setschedparam failed: Operation not permitted
>
> Can I do something with this situation, I listed all sysctl vars, but nothing interesting, there is for example "security.bsd.unprivileged_idprio", but that is for idle priority, not realtime priority (not found something like *.rtprio).
>
> Any ideas please? Thanks! pf

This is expected.

A regular user cannot set a negative priority, or renice a process to a 'lower' nice level (higher priority) than it was started with. Even root in jails cannot do this (basically jails are restricted the same as a regular unprivileged user on the host).

This prevents a user, or a malicious jail, from setting a process to high priority and starving the rest of the processes.

Your best bet might be to run the other processes with a higher nice level, and leave the heartbeat process at the default priority. This can be done as a regular user.

-- 
Allan Jude
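
The approach suggested in the reply above, sketched in C as an added example (not code from this thread or from FreeBSD): a background worker raises its own nice value, which needs no privilege, while the parent standing in for the heartbeat stays at its starting priority. The function names are hypothetical, and the cap of 19 is an assumption chosen to be a valid nice value on both Linux and FreeBSD.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* getpriority() may legitimately return -1, so errno is the error signal. */
static int current_nice(int *out) {
    errno = 0;
    int n = getpriority(PRIO_PROCESS, 0);
    if (n == -1 && errno != 0) return -1;
    *out = n;
    return 0;
}

/* Fork a worker that raises its own nice value by delta (no privilege
 * needed) and return the nice value it ran at, or -100 on failure. */
int run_deprioritized_worker(int delta) {
    pid_t pid = fork();
    if (pid < 0) return -100;
    if (pid == 0) {
        int before, after;
        if (current_nice(&before) != 0) _exit(255);
        int target = before + delta > 19 ? 19 : before + delta;
        if (setpriority(PRIO_PROCESS, 0, target) != 0) _exit(255);
        if (current_nice(&after) != 0 || after != target) _exit(255);
        /* background work would run here, at the lower priority */
        _exit(after + 20); /* nice -20..19 mapped to exit status 0..39 */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -100;
    return WEXITSTATUS(status) == 255 ? -100 : WEXITSTATUS(status) - 20;
}

int main(void) {
    int base;
    if (current_nice(&base) != 0) return 1;
    printf("heartbeat stays at nice %d\n", base);
    printf("worker ran at nice %d\n", run_deprioritized_worker(5));
    /* The opposite direction is the privileged one the reply describes. */
    if (setpriority(PRIO_PROCESS, 0, base - 1) != 0)
        printf("raising priority refused: %s\n", strerror(errno));
    return 0;
}
```
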
