Thread creation privilege for realtime group
With the mac_priority(4) realtime policy active, users and processes in the realtime group may promote existing threads and processes to realtime scheduling priority. Extend the privileges granted to include PRIV_SCHED_SETPOLICY, which allows explicit creation of new realtime threads. One use case of this is when the pthread scheduling policy is set to SCHED_RR or SCHED_FIFO via pthread_attr_setschedpolicy(...) before calling pthread_create(...).

I ran into this when testing audio software with realtime threads, particularly audio/ardour6.

MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D33393
parent 8b9fe05a49
commit e28767f0e1
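The creation path the commit message describes, as an added example that is not part of this commit or of any FreeBSD source: a thread is started with an explicit SCHED_FIFO policy through pthread_attr_setinheritsched(PTHREAD_EXPLICIT_SCHED), pthread_attr_setschedpolicy() and pthread_attr_setschedparam() before pthread_create(), and the EPERM the kernel returns when the caller lacks the privilege is handled by falling back to the default policy, which is how audio software keeps running for users outside the realtime group. The names start_realtime_worker, start_worker_with_fallback and the thread_report struct are this example's own inventions; only standard POSIX threads calls are used, so it also builds on Linux, where the same EPERM comes from RLIMIT_RTPRIO/CAP_SYS_NICE rather than from mac_priority(4).

```c
/*
 * Added example, not part of the FreeBSD commit: request a SCHED_FIFO thread
 * the way audio software does, and fall back to the default policy when the
 * kernel refuses.  On FreeBSD with mac_priority(4), the refusal (EPERM) is
 * what a process outside the realtime group sees at pthread_create().
 */
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* What the new thread observed about itself; filled in by worker(). */
struct thread_report {
	int policy;      /* policy reported by pthread_getschedparam() */
	int priority;    /* priority reported by pthread_getschedparam() */
	int getsched_rc; /* 0, or the error from pthread_getschedparam() */
};

static void *
worker(void *arg)
{
	struct thread_report *rep = arg;
	struct sched_param sp;

	rep->getsched_rc = pthread_getschedparam(pthread_self(), &rep->policy, &sp);
	rep->priority = (rep->getsched_rc == 0) ? sp.sched_priority : -1;
	return (NULL);
}

/*
 * Start worker() under `policy` (SCHED_FIFO or SCHED_RR) at the lowest valid
 * priority for that policy and wait for it.  Returns 0 if the realtime thread
 * ran, EPERM if the kernel denied the policy (the PRIV_SCHED_SETPOLICY case),
 * or another errno value for unrelated failures.
 */
int
start_realtime_worker(int policy, struct thread_report *rep)
{
	pthread_attr_t attr;
	struct sched_param sp;
	pthread_t tid;
	int rc;

	memset(rep, 0, sizeof(*rep));
	if ((rc = pthread_attr_init(&attr)) != 0)
		return (rc);
	/*
	 * Without PTHREAD_EXPLICIT_SCHED the policy in the attr is ignored and
	 * the thread silently inherits the creator's policy, so the "realtime"
	 * thread would not be realtime at all.
	 */
	if ((rc = pthread_attr_setinheritsched(&attr, PTHREAD_EXPLICIT_SCHED)) != 0 ||
	    (rc = pthread_attr_setschedpolicy(&attr, policy)) != 0)
		goto out;
	sp.sched_priority = sched_get_priority_min(policy);
	if (sp.sched_priority == -1) {
		rc = errno;
		goto out;
	}
	if ((rc = pthread_attr_setschedparam(&attr, &sp)) != 0)
		goto out;
	/* This is the call that hits the PRIV_SCHED_SETPOLICY check. */
	rc = pthread_create(&tid, &attr, worker, rep);
	if (rc == 0)
		rc = pthread_join(tid, NULL);
out:
	pthread_attr_destroy(&attr);
	return (rc);
}

/*
 * The audio-application pattern: ask for SCHED_FIFO; if that fails, run the
 * same worker with default attributes instead of aborting.  *realtime says
 * whether the realtime request was honoured, *rt_error holds its result.
 */
int
start_worker_with_fallback(struct thread_report *rep, int *realtime, int *rt_error)
{
	pthread_t tid;
	int rc;

	rc = start_realtime_worker(SCHED_FIFO, rep);
	*rt_error = rc;
	*realtime = (rc == 0);
	if (rc == 0)
		return (0);
	/* Denied: same worker, default (inherited) policy, no RT guarantees. */
	memset(rep, 0, sizeof(*rep));
	rc = pthread_create(&tid, NULL, worker, rep);
	if (rc == 0)
		rc = pthread_join(tid, NULL);
	return (rc);
}

int
main(void)
{
	struct thread_report rep;
	int realtime, rt_error;
	int rc = start_worker_with_fallback(&rep, &realtime, &rt_error);

	if (rc != 0) {
		fprintf(stderr, "thread creation failed: %s\n", strerror(rc));
		return (1);
	}
	printf("worker ran with %s (policy %d, priority %d)\n",
	    realtime ? "SCHED_FIFO" : "the default policy after a refusal",
	    rep.policy, rep.priority);
	return (0);
}
```

Run it as a member of the realtime group with the mac_priority(4) realtime policy enabled and the report shows SCHED_FIFO; run it as any other user and the first pthread_create() returns EPERM, the worker runs at the default policy, and the program still exits 0, which is the behaviour a user of realtime audio software wants instead of a crash.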
@ -21,7 +21,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd December 7, 2021
.Dd December 14, 2021
.Dt MAC_PRIORITY 4
.Os
.Sh NAME
@ -79,13 +79,16 @@ priority through the
.Xr rtprio 2
system calls.
.Ss Privileges Granted
The kernel privileges granted to any process running
with the corresponding group gid is:
.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
The realtime policy grants the following kernel privileges to any process
running with the realtime group id:
.Bl -inset -offset indent -compact
.It Dv PRIV_SCHED_RTPRIO
If it is a member of the realtime group.
.It Dv PRIV_SCHED_SETPOLICY
.El
.Pp
The kernel privilege granted by the idletime policy is:
.Bl -inset -offset indent -compact
.It Dv PRIV_SCHED_IDPRIO
If it is a member of the idletime group.
.El
.Ss Runtime Configuration
The following
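Review bot: the new `.Bl -inset` list for the realtime policy names PRIV_SCHED_RTPRIO and PRIV_SCHED_SETPOLICY but drops the one-line explanation the old `.Bl -tag` list carried ("If it is a member of the realtime group.") and says nothing about what PRIV_SCHED_SETPOLICY permits, even though the commit message's whole point is that this privilege is what lets pthread_attr_setschedpolicy(SCHED_FIFO/SCHED_RR) followed by pthread_create() succeed. Add a short sentence after each `.It` (for PRIV_SCHED_SETPOLICY, that it allows a realtime-group member to set a realtime scheduling policy on a new or existing thread, not only to raise the priority of one that already exists), so the reader of the man page learns the distinction between the two privileges without reading the commit log. Keeping the idletime entry in the same `.It` plus description shape would make the two lists consistent.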
@ -64,8 +64,8 @@ SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
static int
priority_priv_grant(struct ucred *cred, int priv)
{
if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
groupmember(realtime_gid, cred))
if ((priv == PRIV_SCHED_RTPRIO || priv == PRIV_SCHED_SETPOLICY) &&
realtime_enabled && groupmember(realtime_gid, cred))
return (0);
if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
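Review bot: the PRIV_SCHED_SETPOLICY grant in the new condition is unconditional on the policy being requested: priority_priv_grant() receives only `cred` and `priv`, so a realtime-group member now passes every PRIV_SCHED_SETPOLICY check, not just the SCHED_FIFO/SCHED_RR thread-creation case the commit message motivates. That is probably acceptable, since the same group already holds PRIV_SCHED_RTPRIO and can raise existing threads to realtime, but it should be stated explicitly in the man page entry added in the same commit, and the reasoning recorded in the commit log, so that a later reader does not assume the grant is limited to realtime policies. If a narrower grant is wanted, it cannot be expressed in this hook and would have to be enforced where the target policy is known.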