sched_setscheduler(2): Change realtime privilege check

Check for privilege PRIV_SCHED_SETPOLICY instead of PRIV_SCHED_SET, to at least make it coherent with what is done at thread creation when a realtime policy is requested, and have users authorized by mac_priority(4) pass it. This change is good enough in practice since it only allows 'root' (as before) and mac_priority(4)'s authorized users in (the point of this change), without other side effects. More changes in this area, to generally ensure that all privilege checks are consistent, are going to come as olce's priority revamp project lands. (olce: Expanded the explanations.) PR: 276962 Reported by: jbeich Reviewed by: olce Approved by: emaste (mentor) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D43835
2024-07-22 10:48:02 +00:00 · 2024-02-14 14:50:44 +01:00 · 2024-02-14 14:50:44 +01:00 · 2198221bd9
parent bbd29c4394
commit 2198221bd9
1 changed files with 2 additions and 2 deletions
--- a/sys/kern/p1003_1b.c
+++ b/sys/kern/p1003_1b.c
@ -233,8 +233,8 @@ kern_sched_setscheduler(struct thread *td, struct thread *targettd,
 	targetp = targettd->td_proc;
 	PROC_LOCK_ASSERT(targetp, MA_OWNED);

-	/* Don't allow non root user to set a scheduler policy. */
-	error = priv_check(td, PRIV_SCHED_SET);
+	/* Only privileged users are allowed to set a scheduler policy. */
+	error = priv_check(td, PRIV_SCHED_SETPOLICY);
 	if (error)
 		return (error);