author: Florian Walpen <dev@submerge.ch> 2024-02-14 13:50:44 +0000
committer: Olivier Certner <olce@FreeBSD.org> 2024-02-14 18:17:14 +0000
commit: 8ff01d01f2e8894bbac9f179f1ab0e83a8160384
tree: 6f737cc8e159a1b70f56847c8e9fec0441ad808e
parent: 6fc69ba38cfc9f8fbcd5096a8911e80608bf9c4f
sched_setscheduler(2): Change realtime privilege check

Check for privilege PRIV_SCHED_SETPOLICY instead of PRIV_SCHED_SET, to at least make it coherent with what is done at thread creation when a realtime policy is requested, and have users authorized by mac_priority(4) pass it.

This change is good enough in practice since it only allows 'root' (as before) and mac_priority(4)'s authorized users in (the point of this change), without other side effects.

More changes in this area, to generally ensure that all privilege checks are consistent, are going to come as olce's priority revamp project lands.

(olce: Expanded the explanations.)

PR: 276962
Reported by: jbeich
Reviewed by: olce
Approved by: emaste (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D43835

(cherry picked from commit 2198221bd9df0ceb69945120bc477309a5729241)

Approved by: emaste (mentor)
Approved by: re (cperciva)

-rw-r--r-- sys/kern/p1003_1b.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/p1003_1b.c b/sys/kern/p1003_1b.c
index 21c9e3a27039..6259f7092487 100644
--- a/sys/kern/p1003_1b.c
+++ b/sys/kern/p1003_1b.c
@@ -233,8 +233,8 @@ kern_sched_setscheduler(struct thread *td, struct thread *targettd,
targetp = targettd->td_proc;
PROC_LOCK_ASSERT(targetp, MA_OWNED);
- /* Don't allow non root user to set a scheduler policy. */
- error = priv_check(td, PRIV_SCHED_SET);
+ /* Only privileged users are allowed to set a scheduler policy. */
+ error = priv_check(td, PRIV_SCHED_SETPOLICY);
if (error)
return (error);
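
Review bot: The replacement comment above the priv_check() call says only that "privileged users" may set a scheduler policy, which drops the reason PRIV_SCHED_SETPOLICY was chosen over PRIV_SCHED_SET. Suggest having the comment name the privilege and its intent, for example that it matches the check done at thread creation and is the one mac_priority(4) grants, so a later cleanup does not switch it back. Separately, as shown in this hunk the check runs right after PROC_LOCK_ASSERT() and before any look at the requested policy, so it gates every policy change rather than only realtime ones, while the subject line calls it a realtime privilege check; it would help to state in the comment whether that is intended.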