Subject: Re: priority adjustment through kauth(9)?
To: Blair Sadewitz <email@example.com>
From: Elad Efrat <firstname.lastname@example.org>
Date: 02/20/2007 05:17:18

Blair Sadewitz wrote:
> Could/should kauth be extended to allow a process to change its
> priority, given that the only other mechanism we have for this
> requires root? I'd like to set up a system group which is allowed to
> change the priority of its processes [to below 0].

changing priority, with nice(2) I assume, is already handled by
kauth(9), see KAUTH_PROCESS_NICE. the policy implementation itself
is within the respective secmodel code. the one you describe, where
only root can raise priority, belongs in the bsd44 secmodel.

so your question should be, "could the secmodel be extended to ...",
for which the answer is absolutely yes. in fact, that's one of the
design goals. :) you can either:

1. modify the bsd44 secmodel code locally to you,
2. use the overlay secmodel shipped with the default NetBSD
   distribution. it already overlays bsd44, so you can just change
   a tiny fragment of code to handle KAUTH_PROCESS_NICE differently,
3. write a secmodel from scratch :) (probably too much overhead for
   this particular demand)

I'd suggest going with either 1 or 2, where the latter has examples in
the secmodel(9) man-page and is my recommendation for such site-specific
extensions. look for 'secmodel_jenna_network_cb'.

these are, however, all kernel-only modifications. if you are interested
in userland interaction in any way, well, it'll take time.
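
The split discussed in this message, where an overlay decides one site-specific KAUTH_PROCESS_NICE case and leaves everything else to bsd44, modeled in userland C as an added example that is not part of the original message and is not NetBSD kernel code. The struct types, `SITE_NICE_GID`, `SITE_NICE_FLOOR` and all function names are hypothetical stand-ins; a real listener would use the kauth(9) interfaces and the pattern shown in secmodel(9).

```c
/* Added example: userland model, NOT NetBSD kernel code. The types below are
 * simplified stand-ins for kauth(9) credentials and listener results. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

enum result { RESULT_ALLOW, RESULT_DENY, RESULT_DEFER }; /* models KAUTH_RESULT_* */
struct cred { uid_t euid; gid_t groups[4]; size_t ngroups; };
struct proc { uid_t owner; int nice; };   /* nice in user-visible range -20..19 */

#define SITE_NICE_GID   500    /* hypothetical site group */
#define SITE_NICE_FLOOR (-10)  /* hypothetical lowest nice the group may request */

static bool cred_in_group(const struct cred *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Base policy as the message describes it: only root can raise priority. */
enum result bsd44_nice(const struct cred *c, const struct proc *p, int n)
{
    if (c->euid == 0) return RESULT_ALLOW;
    if (c->euid != p->owner) return RESULT_DENY;
    return n >= p->nice ? RESULT_ALLOW : RESULT_DENY;
}

/* Overlay: decide only the site-specific case (group member, own process,
 * bounded raise) and defer every other request. */
enum result overlay_nice(const struct cred *c, const struct proc *p, int n)
{
    if (c->euid == p->owner && n < p->nice && n >= SITE_NICE_FLOOR &&
        cred_in_group(c, SITE_NICE_GID))
        return RESULT_ALLOW;
    return RESULT_DEFER;
}

/* The overlay's answer wins unless it defers; then the base policy decides. */
enum result authorize_nice(const struct cred *c, const struct proc *p, int n)
{
    enum result r = overlay_nice(c, p, n);
    return r == RESULT_DEFER ? bsd44_nice(c, p, n) : r;
}

int main(void)
{
    struct cred member = { 1000, { 100, SITE_NICE_GID }, 2 }; /* constructed sample */
    struct proc own = { 1000, 0 };
    printf("member, own process, nice -5: %d\n", authorize_nice(&member, &own, -5));
    return 0;
}
```

Keeping the overlay to a single narrow allow and deferring otherwise means the bsd44 rules still apply to every request the site policy does not explicitly cover.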