[d-kernel] [kernel at kolivas: Re: [ck] Re: inheritance of priorities broken?]
Konstantin A. Lepikhov
lakostis at anti-leasure.ru
Wed Jun 14 00:22:26 MSD 2006
I think it makes sense to include this patch in altsecurity.
----- Forwarded message from Con Kolivas <kernel at kolivas> -----
Date: Wed, 7 Jun 2006 21:49:52 +1000
From: Con Kolivas <kernel at kolivas>
To: Thomas Sattler <tsattler at gmx>
Cc: ck at vds.kolivas
Subject: Re: [ck] Re: inheritance of priorities broken?
On Wednesday 07 June 2006 21:43, Thomas Sattler wrote:
> Hi again ...
>
> > Hmm maybe there is a need for the ability to set policies higher only
> > with capable_sys_nice (ie root only). I'll hack something together
> > soon for you to try if you wish.
>
> I'm interested.
schedtool -D -e yes > /dev/null
schedtool `/sbin/pidof yes`
PID 4255: PRIO 0, POLICY D: SCHED_IDLE , NICE 0, AFFINITY 0x3
schedtool -N 4255
schedtool 4255
PID 4255: PRIO 0, POLICY N: SCHED_NORMAL, NICE 0, AFFINITY 0x3
(as root):
echo 1 > /proc/sys/kernel/restrict_policy_changes
schedtool -D 4255
schedtool 4255
PID 4255: PRIO 0, POLICY D: SCHED_IDLE , NICE 0, AFFINITY 0x3
schedtool -N 4255
ERROR: could not set PID 4255 to N: SCHED_NORMAL - Operation not permitted
Patch for 2.6.17-rc6-ck1 attached.
--
-ck
Add a tunable /proc/sys/kernel/restrict_policy_changes which makes setting
policy to SCHED_ISO, BATCH and IDLEPRIO one way for unprivileged users. The
tunable is disabled by default.
Signed-off-by: Con Kolivas <kernel at kolivas>
---
include/linux/sysctl.h | 1 +
kernel/sched.c | 8 ++++++++
kernel/sysctl.c | 9 +++++++++
3 files changed, 18 insertions(+)
Index: linux-ck-dev/include/linux/sysctl.h
===================================================================
--- linux-ck-dev.orig/include/linux/sysctl.h 2006-06-06 18:14:32.000000000 +1000
+++ linux-ck-dev/include/linux/sysctl.h 2006-06-07 21:30:52.000000000 +1000
@@ -151,6 +151,7 @@ enum
KERN_INTERACTIVE=73, /* interactive tasks can have cpu bursts */
KERN_COMPUTE=74, /* adjust timeslices for a compute server */
KERN_ISO_CPU=75, /* percent cpu SCHED_ISO tasks run SCHED_RR */
+ KERN_RESTRICT_POLICY=76, /* Make SCHED_BATCH, IDLEPRIO, ISO one way */
};
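Review bot: KERN_RESTRICT_POLICY=76 continues the -ck-private block of binary sysctl numbers (73, 74, 75) inside the upstream KERN_* enum, so the first mainline addition that claims 76 will collide with it on rebase. If the knob only needs to be reachable as /proc/sys/kernel/restrict_policy_changes, pick a value well clear of the upstream sequence, and make the comment match the check in sched.c, which rejects every non-RT change away from a non-NORMAL policy rather than only the move back to SCHED_NORMAL.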
Index: linux-ck-dev/kernel/sched.c
===================================================================
--- linux-ck-dev.orig/kernel/sched.c 2006-06-06 18:10:29.000000000 +1000
+++ linux-ck-dev/kernel/sched.c 2006-06-07 21:34:47.000000000 +1000
@@ -68,6 +68,7 @@
int sched_interactive __read_mostly = 1;
int sched_compute __read_mostly = 0;
int sched_iso_cpu __read_mostly = 80;
+int sched_restrict_policy_changes;
#define ISO_PERIOD (5 * HZ)
/*
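Review bot: `int sched_restrict_policy_changes;` lacks the `__read_mostly` that the three neighbouring tunables carry, yet it is read on every unprivileged sched_setscheduler() call and only written through the sysctl; declare it `int sched_restrict_policy_changes __read_mostly;` so it shares their cache placement. Relying on implicit zero-initialisation for the disabled default works, but an explicit `= 0` in the style of `sched_compute` would make the default the commit message promises visible at the definition.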
@@ -3725,6 +3726,13 @@ recheck:
if ((current->euid != p->euid) &&
(current->euid != p->uid))
return -EPERM;
+ /*
+ * Policy changes to SCHED_ISO, IDLEPRIO and BATCH are one
+ * way if sched_restrict_policy_changes is set.
+ */
+ if (!SCHED_RT(policy) && p->policy != SCHED_NORMAL &&
+ sched_restrict_policy_changes)
+ return -EPERM;
}
if (!(p->mm) && policy == SCHED_IDLEPRIO) {
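Review bot: the new condition rejects every non-RT request whenever p->policy is not SCHED_NORMAL, which is stricter than the "one way" rule in the commit message: with the tunable set, an unprivileged SCHED_BATCH task can no longer move to SCHED_ISO or SCHED_IDLEPRIO, and a call that keeps the task's present policy (policy == p->policy) also fails with -EPERM, so re-setting parameters under an unchanged policy breaks. At minimum add `policy != p->policy &&` to the condition so same-policy calls keep working, and state explicitly in the commit message and the KERN_RESTRICT_POLICY comment whether moves among ISO, BATCH and IDLEPRIO are meant to be refused. Testing `sched_restrict_policy_changes` first would also let the disabled default skip the two policy comparisons.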
Index: linux-ck-dev/kernel/sysctl.c
===================================================================
--- linux-ck-dev.orig/kernel/sysctl.c 2006-06-06 18:14:32.000000000 +1000
+++ linux-ck-dev/kernel/sysctl.c 2006-06-07 21:30:54.000000000 +1000
@@ -73,6 +73,7 @@ extern int printk_ratelimit_burst;
extern int pid_max_min, pid_max_max;
extern int sysctl_drop_caches;
extern int percpu_pagelist_fraction;
+extern int sched_restrict_policy_changes;
#if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86)
int unknown_nmi_panic;
@@ -656,6 +657,14 @@ static ctl_table kern_table[] = {
.extra1 = &zero,
.extra2 = &one_hundred,
},
+ {
+ .ctl_name = KERN_RESTRICT_POLICY,
+ .procname = "restrict_policy_changes",
+ .data = &sched_restrict_policy_changes,
+ .maxlen = sizeof (int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
#if defined(CONFIG_X86_LOCAL_APIC) && defined(CONFIG_X86)
{
.ctl_name = KERN_UNKNOWN_NMI_PANIC,
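Review bot: the new entry uses plain `proc_dointvec` with no `.extra1`/`.extra2`, unlike the preceding entry that is clamped with `&zero` and `&one_hundred`; for an on/off knob use `.proc_handler = &proc_dointvec_minmax` with `.extra1 = &zero` and `.extra2 = &one` (adding `static int one = 1;` if the file does not already define it) so that writes of 2 or -1 are rejected instead of being accepted as "enabled". There is also no Documentation/sysctl/kernel.txt hunk describing restrict_policy_changes and its default of 0.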
_______________________________________________
http://ck.kolivas.org/faqs/replying-to-mailing-list.txt
ck mailing list - mailto: ck at vds.kolivas
http://vds.kolivas.org/mailman/listinfo/ck
----- End forwarded message -----
--
WBR et al.
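The schedtool session above shows two transitions (NORMAL to IDLE allowed, IDLE back to NORMAL refused). To see the whole set of transitions the patch's condition decides for a caller without CAP_SYS_NICE, here is a userspace model of that condition. This is an added example, not code from the -ck patch or from either mail; it transcribes the `if` from the sched.c hunk and assumes that it sits in the unprivileged branch (the euid comparison directly above it is part of that branch) and that SCHED_ISO and SCHED_IDLEPRIO have the -ck values 4 and 5, which only matter for printing.

```c
/*
 * Added example, not part of the -ck patch or of either mail: a userspace
 * model of the check the sched.c hunk adds for callers without CAP_SYS_NICE,
 * used to enumerate which policy transitions it permits once
 * restrict_policy_changes is set. SCHED_ISO and SCHED_IDLEPRIO values are
 * -ck specific and assumed; only that they differ from the POSIX policies
 * matters to the model.
 */
#include <stdio.h>

#define SCHED_NORMAL   0
#define SCHED_FIFO     1
#define SCHED_RR       2
#define SCHED_BATCH    3
#define SCHED_ISO      4   /* assumed -ck value */
#define SCHED_IDLEPRIO 5   /* assumed -ck value */

/* The four non-RT policies the commit message talks about. */
static const int non_rt_policies[] = {
	SCHED_NORMAL, SCHED_BATCH, SCHED_ISO, SCHED_IDLEPRIO
};
#define NUM_NON_RT (sizeof non_rt_policies / sizeof non_rt_policies[0])

static const char *policy_name(int policy)
{
	switch (policy) {
	case SCHED_NORMAL:   return "NORMAL";
	case SCHED_FIFO:     return "FIFO";
	case SCHED_RR:       return "RR";
	case SCHED_BATCH:    return "BATCH";
	case SCHED_ISO:      return "ISO";
	case SCHED_IDLEPRIO: return "IDLEPRIO";
	default:             return "?";
	}
}

/* Stand-in for -ck's SCHED_RT(): FIFO and RR are the real-time policies. */
static int sched_rt(int policy)
{
	return policy == SCHED_FIFO || policy == SCHED_RR;
}

/*
 * The added condition, transcribed from the hunk:
 *     if (!SCHED_RT(policy) && p->policy != SCHED_NORMAL &&
 *         sched_restrict_policy_changes)
 *             return -EPERM;
 * Assumed to sit inside the !capable(CAP_SYS_NICE) branch, so privileged
 * callers never reach it. RT requests fall through to the kernel's existing
 * RT permission checks, which this model does not reproduce.
 * Returns 0 when this check lets the request through, -1 for EPERM.
 */
static int restrict_check(int cur_policy, int new_policy, int tunable,
			  int privileged)
{
	if (privileged)
		return 0;
	if (!sched_rt(new_policy) && cur_policy != SCHED_NORMAL && tunable)
		return -1;
	return 0;
}

/*
 * Number of (current, requested) pairs among the four non-RT policies that
 * the check rejects for an unprivileged caller. With the tunable set this is
 * 12 of 16: every pair whose current policy is not NORMAL, including the
 * three that request the policy the task already has.
 */
static int count_blocked(int tunable)
{
	int blocked = 0;
	size_t i, j;

	for (i = 0; i < NUM_NON_RT; i++)
		for (j = 0; j < NUM_NON_RT; j++)
			if (restrict_check(non_rt_policies[i], non_rt_policies[j],
					   tunable, 0) < 0)
				blocked++;
	return blocked;
}

int main(void)
{
	size_t i, j;

	printf("restrict_policy_changes=1, caller without CAP_SYS_NICE\n");
	printf("%-9s", "from\\to");
	for (j = 0; j < NUM_NON_RT; j++)
		printf(" %-9s", policy_name(non_rt_policies[j]));
	printf("\n");
	for (i = 0; i < NUM_NON_RT; i++) {
		printf("%-9s", policy_name(non_rt_policies[i]));
		for (j = 0; j < NUM_NON_RT; j++)
			printf(" %-9s", restrict_check(non_rt_policies[i],
						       non_rt_policies[j], 1, 0)
					? "EPERM" : "ok");
		printf("\n");
	}
	printf("%d of %zu transitions blocked\n", count_blocked(1),
	       NUM_NON_RT * NUM_NON_RT);
	return 0;
}
```

The printed matrix makes the point a reviewer would raise visible: only the NORMAL row is open, so besides the intended refusal of IDLE back to NORMAL, the check also refuses moves between BATCH, ISO and IDLEPRIO and a request that names the policy the task already has.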
----------- next part -----------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.altlinux.org/pipermail/devel-kernel/attachments/20060614/41c1a327/attachment.bin
More information about the devel-kernel mailing list