The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=a20a2450cd5f38fb28d5fa5540177edfb60d2473
commit a20a2450cd5f38fb28d5fa5540177edfb60d2473 Author: Florian Walpen <[email protected]> AuthorDate: 2021-12-10 01:43:12 +0000 Commit: Konstantin Belousov <[email protected]> CommitDate: 2021-12-10 02:54:48 +0000 Add PRIV_SCHED_IDPRIO The privilege allows the holder to assign idle priority type to thread or process. MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D33338 --- sys/kern/kern_resource.c | 28 ++++++++++++++-------------- sys/security/mac_biba/mac_biba.c | 1 + sys/security/mac_lomac/mac_lomac.c | 1 + sys/sys/priv.h | 1 + 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c index 5b90148ccf99..a2005962e411 100644 --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c @@ -350,13 +350,13 @@ sys_rtprio_thread(struct thread *td, struct rtprio_thread_args *uap) * easier to lock a resource indefinitely, but it is not the * only thing that makes it possible. */ - if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME || - (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && - unprivileged_idprio == 0)) { - error = priv_check(td, PRIV_SCHED_RTPRIO); - if (error) - break; - } + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME && + (error = priv_check(td, PRIV_SCHED_RTPRIO)) != 0) + break; + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && + unprivileged_idprio == 0 && + (error = priv_check(td, PRIV_SCHED_IDPRIO)) != 0) + break; error = rtp_to_pri(&rtp, td1); break; default: @@ -440,13 +440,13 @@ sys_rtprio(struct thread *td, struct rtprio_args *uap) * See the comment in sys_rtprio_thread about idprio * threads holding a lock. */ - if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME || - (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && - !unprivileged_idprio)) { - error = priv_check(td, PRIV_SCHED_RTPRIO); - if (error) - break; - } + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME && + (error = priv_check(td, PRIV_SCHED_RTPRIO)) != 0) + break; + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && + unprivileged_idprio == 0 && + (error = priv_check(td, PRIV_SCHED_IDPRIO)) != 0) + break; /* * If we are setting our own priority, set just our diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 296d4a4e25b8..08df65cc289d 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1975,6 +1975,7 @@ biba_priv_check(struct ucred *cred, int priv) case PRIV_SCHED_SETPOLICY: case PRIV_SCHED_SET: case PRIV_SCHED_SETPARAM: + case PRIV_SCHED_IDPRIO: /* * More IPC privileges. diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 821b0faf68d0..c017b481c7fa 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1743,6 +1743,7 @@ lomac_priv_check(struct ucred *cred, int priv) case PRIV_SCHED_SETPOLICY: case PRIV_SCHED_SET: case PRIV_SCHED_SETPARAM: + case PRIV_SCHED_IDPRIO: /* * More IPC privileges. diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 7ef54782a60d..8757db879a5c 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -192,6 +192,7 @@ #define PRIV_SCHED_SETPARAM 205 /* Can set thread scheduler params. */ #define PRIV_SCHED_CPUSET 206 /* Can manipulate cpusets. */ #define PRIV_SCHED_CPUSET_INTR 207 /* Can adjust IRQ to CPU binding. */ +#define PRIV_SCHED_IDPRIO 208 /* Can set idle time scheduling. */ /* * POSIX semaphore privileges.
