From nobody Wed Feb 14 18:21:06 2024
Date: Wed, 14 Feb 2024 18:21:06 GMT
Message-Id: <202402141821.41EIL6fR032664@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: 1ee910875cd0 - releng/13.3 - sched_setscheduler(2): Change realtime privilege check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.3
X-Git-Reftype: branch
X-Git-Commit: 1ee910875cd00c6f86f3f64dbc1686ec6d52ab11
Auto-Submitted: auto-generated

The branch releng/13.3 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=1ee910875cd00c6f86f3f64dbc1686ec6d52ab11

commit 1ee910875cd00c6f86f3f64dbc1686ec6d52ab11
Author:     Florian Walpen
AuthorDate: 2024-02-14 13:50:44 +0000
Commit:     Olivier Certner
CommitDate: 2024-02-14 18:19:04 +0000

    sched_setscheduler(2): Change realtime privilege check

    Check for privilege PRIV_SCHED_SETPOLICY instead of PRIV_SCHED_SET, to
    at least make it coherent with what is done at thread creation when a
    realtime policy is requested, and have users authorized by
    mac_priority(4) pass it.

    This change is good enough in practice since it only allows 'root' (as
    before) and mac_priority(4)'s authorized users in (the point of this
    change), without other side effects.

    More changes in this area, to generally ensure that all privilege
    checks are consistent, are going to come as olce's priority revamp
    project lands.

    (olce: Expanded the explanations.)

PR: 276962 Reported by: jbeich Reviewed by: olce Approved by: emaste (mentor) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D43835 (cherry picked from commit 2198221bd9df0ceb69945120bc477309a5729241) (cherry picked from commit 8ff01d01f2e8894bbac9f179f1ab0e83a8160384) Approved by: emaste (mentor) Approved by: re (cperciva) --- sys/kern/p1003_1b.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/kern/p1003_1b.c b/sys/kern/p1003_1b.c index 21c9e3a27039..6259f7092487 100644 --- a/sys/kern/p1003_1b.c +++ b/sys/kern/p1003_1b.c @@ -233,8 +233,8 @@ kern_sched_setscheduler(struct thread *td, struct thread *targettd, targetp = targettd->td_proc; PROC_LOCK_ASSERT(targetp, MA_OWNED); - /* Don't allow non root user to set a scheduler policy. */ - error = priv_check(td, PRIV_SCHED_SET); + /* Only privileged users are allowed to set a scheduler policy. */ + error = priv_check(td, PRIV_SCHED_SETPOLICY); if (error) return (error);
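
Review bot: the replacement comment above priv_check(td, PRIV_SCHED_SETPOLICY) in kern_sched_setscheduler() says only that "privileged users" may set a policy and does not record why this privilege is used rather than PRIV_SCHED_SET. The commit message gives the reason (coherence with the check done at thread creation, and letting users authorized by mac_priority(4) pass), and one clause to that effect in the comment would keep the rationale next to the code instead of only in the log. Also, in the visible context the check sits directly after PROC_LOCK_ASSERT() with no test of the requested policy, so it gates every call and not just realtime requests, while the subject line speaks of a "realtime privilege check"; it would help to say in the comment that the check is deliberately unconditional, or to narrow it if that is not the intent. Since the accepted privilege changes from PRIV_SCHED_SET to PRIV_SCHED_SETPOLICY, a note on which policy modules are expected to grant the latter would make the widened set of callers easier to audit.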